Table of Contents
Expert Oracle and Java Security
Programming Secure Oracle Database Applications with Java
David Coffin
Apress
Contents
About the Author xxii
About the Technical Reviewer xxiii
Acknowledgments xxiv
Introduction xxv
Chapter 1: Introduction 1
    Requirements 1
    For Windows and UNIX/Linux Users 1
    Background 2
    How to Use This Book 2
    Organization of This Book 3
    Java Objects and Oracle Database Structures 3
    Chapter Review 3
Chapter 2: Oracle Database Security 5
    Finding a Test Oracle Database 5
    Working from an Existing Oracle Database 5
    Oracle Users and Schemas 6
    SQL*Plus, SQL Developer, JDeveloper, or TOAD 7
    Organization of the Next Few Sections 7
    Working as the SYS User 7
    System Privileges 8
    Roles 8
    Security Administrator User 11
    Security Administrator Role 12
    The Audit Trail 14
    The Data Dictionary 15
    Working as the Security Administrator 15
    Acquire secadm_role from a SQL*Plus Local Connection 16
    Toggle Between Roles 16
    Create an Application Security User 17
    Create an Application User 18
    Create the HR View Role 18
    Audit Changes to Security Administrator Procedures 20
    Audit Failed Attempts to Access HR Data 20
    Working as the HR Schema User 21
    Sensitive Data in the HR Sample Schema 21
    Public View of Employees 22
    Sensitive View of EMPLOYEES 22
    Test Application User Access 23
    Audit Trail Logs for the Sensitive View 24
    Regarding Synonyms 24
    Chapter Review 25
Chapter 3: Secure Java Development Concepts 27
    Java Development Kit 27
    Oracle Java Database Connectivity 27
    JAR File Directory Separator 28
    Java Packages 28
    Development at Command Prompt 28
    Environment 28
    Beginning Java Syntax 30
    Byte Code Compilation and the Java Virtual Machine 31
    Java Code and Syntax Concepts 33
    Methods 34
    Values 34
    Members 35
    Objects 36
    Classes and Null 36
    Garbage Collection 37
    Primitives 37
    Strings 37
    Static Modifier and the main() Method 38
    Public and Private Modifiers 39
    Exceptions 40
    Exception Handling Syntax 40
    Exception Handling Approaches 47
    Java Virtual Machine Sandbox 49
    Chapter Review 50
Chapter 4: Java Stored Procedures 51
    Java Stored Procedure Example 51
    Acquiring the Privilege to Load a Java Stored Procedure 53
    Loading Java in the Oracle Database 53
    Handling Exceptions in a Java Stored Procedure 53
    Calling Oracle Database from Java 55
    Method Syntax in Java Stored Procedures 57
    Calling Java from Oracle Database 57
    Installing and Testing the Example Code 58
    Review the Roster of Participants 59
    Cleaning Up 60
    The Oracle Java Virtual Machine 60
    Oracle JVM Based on Java SE 1.5 60
    A Separate JVM for Each Oracle Session 61
    Oracle JVM Sandbox 61
    Auto-Commit Disabled in the Oracle JVM 61
    Chapter Review 62
Chapter 5: Public Key Encryption 63
    Generate Keys on the Client 63
    RSA Public Key Cryptography 64
    Java Code to Generate and Use RSA Keys 64
    Creating a Set of Keys 64
    Hand the Public Key Across the Network 65
    Serialize Objects 66
    Building the Public Key from Artifacts 66
    Generating the RSA Cipher 67
    Using the RSA Cipher 68
    Getting RSA Public Key Artifacts 70
    Using Static Methods and Private Constructor 71
    Instantiating a Connection Member from a Static Initializer 71
    Using One Code for Both Client and Server 72
    Testing on the Client 73
    Writing the main() Method 73
    Running the Code 74
    Key Exchange 75
    Creating a Function to Encrypt Data with Public Key 75
    Creating a Procedure to Get SYSDATE in Encrypted Form 76
    Loading OracleJavaSecure Java into Oracle Database 78
    Encrypting Data with Public Key 78
    Use Stacked Calls 79
    Decrypting Data with Private Key 79
    Testing on Client and Server 80
    Using IN and OUT Parameters in an Oracle CallableStatement 80
    Handle Errors Reported by Oracle Database 81
    Decrypting at the Client 82
    Running Our Code Again 82
    Observing the Results 82
    Removing the Demonstration Oracle Structures 83
    Chapter Review 84
Chapter 6: Secret Password Encryption 85
    Approach 85
    Java Code for Secret Password Encryption 86
    Sharing the Artifacts of a Secret Password Key 86
    Initializing Static Class Members 87
    Evaluating the Java 1.5 Password-Based Encryption Bug 88
    Coding an Automatic Upgrade: Negotiated Algorithm 88
    Generating the Password Key 88
    Encrypting with the Public RSA Key 89
    Returning Secret Password Key Artifacts to the Client 90
    Encrypting Data with Our Secret Password 92
    Oracle Structures for Secret Password Encryption 93
    Package to Get Secret Password Artifacts and Encrypted Data 93
    Application Security Package Specification 93
    Application Security Package Body: Functions 95
    Application Security Package Body: Procedures 95
    Java Methods for Secret Password Decryption 97
    Decrypting Data Using the Secret Password Key 97
    Decrypting the DES Passphrase Using RSA Private Key 98
    Ancillary Methods for Array Conversion 99
    Method Used to Show Actual Algorithm 100
    Testing DES Encryption on the Client Only 100
    Running the Code 102
    Observing the Results 102
    Coding to Test Client/Server Secret Password Encryption 102
    Setting the Code to Test Server as well as Client 102
    Consider the Server Portion of the main() Method 103
    Getting the DES Secret Password from Oracle 103
    Seeing the Negotiated Algorithm for Password-Based Encryption 104
    Calling Oracle Database to Get Encrypted Data 105
    Testing Oracle Database Encrypt and Local Decrypt Data 106
    Sending Encrypted Data to Oracle 107
    Testing Our Secure Client/Server Data Transmission 107
    Chapter Review 108
Chapter 7: Data Encryption in Transit 111
    Security Administrator Activities 111
    Granting More System Privileges to the Application Security User 112
    Permitting Users to Execute Packages in Other Schemas 112
    Application Security User Activities 112
    Creating a Table for Error Logging 113
    Creating a Table for Managing Our Error Log Table 114
    Creating an Error Log Management Procedure 115
    Creating a Trigger to Maintain the Error Log Table 116
    Testing the Trigger 117
    Updating the Application Security Package 117
    Creating an Error Logging Procedure 118
    Executing Package Specification and Body 118
    Methods for Using and Testing Encryption in Transit 119
    Method to Build the Secret Password Key 119
    Temporary Method to Reset All Keys 120
    Loading Updated OracleJavaSecure Class into Oracle 121
    Security Structures for the HR User 121
    Exploring Privileges That Enable HR Tasks 121
    Creating the HR Security Package 122
    Selecting Sensitive Data Columns from EMPLOYEES 122
    Selecting All Data as a Single Sensitive String 124
    Selecting Sensitive Data for an Employee ID 125
    Revising Procedure to Get Shared Passphrase 125
    Updating Sensitive Data Columns in EMPLOYEES 125
    Avoiding SQL Injection 129
    Demonstrating Failure to SQL Inject in Stored Procedure 130
    Executing the HR Package Specification and Body 131
    Inserting an EMPLOYEES Record: Update a Sequence 131
    Demonstrations and Tests of Encrypted Data Exchange 133
    Some Preliminary Steps 133
    Selecting Encrypted Data from EMPLOYEES 135
    Selecting All Columns in Encrypted String 137
    Sending Encrypted Data to Oracle Database for Insert/Update 138
    Selecting a Single Row from EMPLOYEES 139
    Selecting EMPLOYEES Data by Last Name: Try SQL Injection 139
    Selecting EMPLOYEES Data by RAW: Try SQL Injection 140
    Testing Encryption Failure with New Client Keys 140
    Testing Failure with New Oracle Connection 141
    Some Closing Remarks 141
    Executing the Demonstrations and Tests 142
    Observing the Results 142
    Demonstrating Scenarios 143
    Querying Employees to See Updates 144
    Packaging Template to Implement Encryption 144
    Template for Oracle Application Security Structures 144
    Template for Java Calls to Application Security 145
    Java Archive for Use by Applications 145
    Don't Stop Now 145
    Chapter Review 146
Chapter 8: Single Sign-On 149
    Another Layer of Authentication? 149
    Who Is Logged-In on the Client? 150
    Find a Better Source of OS User Identity 150
    Use NTSystem or UnixSystem to Get Identity 150
    Do Cross-Platform-Specific Coding with Reflection 151
    Assure More Stringent OS Identity 152
    Access Oracle Database as Our Identified User 154
    Examine the Oracle SSO Options for Programmers 154
    Set a Client Identifier 155
    Prepare to Access HR Data 155
    Update p_check_hrview_access Procedure, Non-Proxy Sessions 156
    Assure Client Identifier and OS_USER 157
    Audit Activity with Client Identifier Set 157
    Proxy Sessions 158
    Create Individual Person Users in Oracle 158
    Proxy from Users IDENTIFIED EXTERNALLY 159
    Establish a Proxy Session 159
    Update p_check_hrview_access Procedure, Proxy Sessions 161
    Audit Proxy Sessions 161
    Using Connection Pools 162
    Proxy Connections from an OCI Connection Pool 162
    Proxy Sessions from a Thin Client Connection Pool 166
    Universal Connection Pool 169
    Application Use of Oracle SSO 171
    Our Example Application Oracle SSO 172
    Updates to OracleJavaSecure 173
    A Code Template to Give Developers 175
    Chapter Review 175
Chapter 9: Two-Factor Authentication 177
    Get Oracle Database to Send E-Mail 178
    Installing UTL_MAIL 178
    Granting Access to UTL_MAIL 179
    Testing Sending E-Mail 180
    Getting Oracle Database to Browse Web Pages 181
    Delegating Java Policy to Security Administrator 181
    Permitting Application Security User to Read Web Pages 182
    The Two-Factor Authentication Process 183
    Security Considerations for Two-Factor Distribution Avenues 183
    Security Issues with Two-Factor Delivery to E-Mail 183
    Security Issues with Two-Factor Delivery to Pagers 184