-- Allows the Java stored procedures owned by <USERNAME> to open outbound TCP
-- connections to <host>:<port> only; grant per host and port rather than with
-- a '*' wildcard, which would let the schema call out anywhere
EXECUTE DBMS_JAVA.GRANT_PERMISSION(
'<USERNAME>',
'SYS:java.net.SocketPermission',
'<host>:<port>',
'connect,resolve');
From a security standpoint, callouts are dangerous, but less so than
incoming requests, because the database initiates the connection and the
exposure is limited to the services you choose to call. The security issue
is an attacker spoofing a service on which you rely and feeding your
procedures forged responses. This is not a common scenario, and you can
resolve it through mutual authentication, where the server implementing
the Web service authenticates itself to you in addition to you
authenticating with the Web service provider. At a minimum, demand that all
Web services interaction occur only over SSL/TLS with valid certificates,
where "valid" means the provider's certificate chains to a CA you trust, is
current and unrevoked, and names the host you actually called; a callout
that accepts any certificate gets the encryption but none of the protection
against spoofing.
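The certificate checks described above, as an added example that is not from the original text: a hardened outbound TLS context for a Web service callout beside the relaxed one that "just makes it work", using Python's standard ssl module rather than any database-specific HTTP client. The CA bundle path, client certificate path and the helper names are assumptions.

```python
import ssl


def callout_context(ca_bundle=None, client_cert=None, client_key=None):
    """TLS context for an outbound Web service callout.

    Two settings make a certificate 'valid' for our purposes: it must chain to
    a CA we trust for this service (ca_bundle, an assumed PEM path; None falls
    back to the OS trust store) and its name must match the host we dialled,
    so a spoofed service presenting some other perfectly good certificate is
    still rejected. Supplying client_cert/client_key makes the callout present
    our own certificate too, which is the client half of mutual authentication.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3 and TLS 1.0 are no longer acceptable
    ctx.verify_mode = ssl.CERT_REQUIRED            # a provider with no certificate is a failure
    ctx.check_hostname = True                      # and so is a certificate for another name
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def insecure_context():
    """The usual 'just make the callout work' fix. The session is still
    encrypted, but any certificate is accepted, so whoever can spoof the
    provider (DNS, routing, or a box in the path) gets the session."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be turned off before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def spoof_resistant(ctx):
    """Review check: True only if the provider's identity is actually verified."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


# Usage (not executed here): a SOAP POST to the provider with the hardened
# context. url, soap_bytes and the CA path are placeholders.
# import urllib.request
# req = urllib.request.Request(url, data=soap_bytes,
#                              headers={"Content-Type": "text/xml; charset=utf-8",
#                                       "SOAPAction": '""'})
# urllib.request.urlopen(req, context=callout_context("/etc/ssl/provider-ca.pem"))
```

Pin the CA bundle to the CA that issued the provider's certificate rather than the whole OS store when you can; the fewer issuers a callout trusts, the fewer places a spoofer can obtain an acceptable certificate from. spoof_resistant() is the kind of check to put in the review step the text recommends, since disabling verification is the most common "fix" for a failing callout.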
7.4.4 Web services security
Web services in the database landscape are fairly new, and there is little
experience with these gateways and their potential vulnerabilities. However,
common sense suggests that any such "pipe" has inherent problems. In
addition, vulnerabilities are often caused by the stored procedures
themselves, which may not validate their input or which can be misused by an
attacker, and a Web service interface hands that input to a far wider
population of callers than a database login does. Therefore, one additional
suggestion is that if you are going to start enabling Web services, you
should understand the calling and security models and enable them one
procedure at a time, using a review/test/inspection process to ensure that
you are not putting the database at risk.
If you are going to start exposing internal database procedures and
constructs as Web services (and wish to do so securely), you have no choice
but to start understanding a large set of buzzwords and acronyms. Some of
these will be implemented outside of the database by Web services gateways
or security products that deal with Web services, and in which your company
may already be investing. With time, some of these features may be
implemented natively within the database (one such example is the use of
WS-Security tokens within SQL Server 2005). The Web services security
blueprint is complex and still evolving. Figure 7.4 shows you a starting
framework, including the Simple Object Access Protocol (SOAP) layer and
the most important layer in terms of security: WS-Security.
WS-Security describes how to attach signature and encryption headers to
SOAP messages. It describes enhancements to SOAP messaging to provide
quality of protection through message integrity and message confidentiality:
an XML Signature over selected parts of the message proves that they were not
altered (and who signed them), and XML Encryption keeps selected parts
confidential. Because these protections live in the message rather than in
the transport, they survive intermediaries and gateways, where SSL, which
protects only a single hop, would not. The specification also defines a
general-purpose mechanism for