Expert Oracle and Java Security Programming Secure Oracle Database Applications with Java mmm David Coffin Apress Contents J AbouttheAuthor xxii Aboutthe Technical Reviewer xxiii Acknowledgments xxiv Introduction xxv Chapter 1: Introduction 1 Requirements 1 ForWindowsand UNIX/Linux Users 1 Background 2 How to UseThis Book 2 Organization ofThis Book 3 JavaObjectsand Oracle Database Structures 3 ChapterReview 3 . Chapter 2: Oracle Database Security 5 FindingaTest Oracle Database 5 Working from an ExistingOracle Database 5 Oracle Users and Schemas 6 SQL*Plus, SQL Developer,JDeveloper,orTOAD 7 Organizationofthe Next FewSections 7 Working asthe SYS User 7 System Privileges 8 CONTENTS Roles 8 SecurityAdministratorUser 11 SecurityAdministratorRole 12 The AuditTrail 14 The DataDictionary 15 Working as theSecurity Administrator 15 Acquiresecadm_role fromaSQL*PlusLocalConnection 16 Toggle BetweenRoles 16 CreateanApplication SecurityUser 17 • CreateanApplication User 18 CreatetheHRView Role 18 Audit Changesto SecurityAdministratorProcedures 20 AuditFailed AttemptstoAccessHR Data 20 Working asthe HRSchemaUser 21 SensitiveDataintheHR SampleSchema 21 PublicViewofEmployees 22 SensitiveViewofEMPLOYEES 22 TestApplication User Access 23 AuditTrail Logs for theSensitiveView 24 Regarding Synonyms 24 Chapter Review 25 Chapter 3: Secure Java DevelopmentConcepts 27 JavaDevelopmentKit 27 OracleJavaDatabase Connectivity 27 JARFile Directory Separator 28 JavaPackages 28 Development atCommand Prompt 28 CONTENTS Environment 28 BeginningJavaSyntax 30 ByteCode CompilationandtheJavavirtual Machine 31 JavaCodeand Syntax Concepts 33 Methods 34 Values 34 Members 35 Objects 36 Classes and Null 36 GarbageCollection 37 Primitives 37 Strings 37 Static ModifierandthemainOMethod 38 PublicandPrivateModifiers 39 Exceptions 40 ExceptionHandlingSyntax 40 ExceptionHandlingApproaches 47 JavaVirtual Machine Sandbox 49 ChapterReview 50 Chapter4:JavaStored Procedures 51 JavaStored Procedure Example 51 AcquiringthePrivilegetoLoadaJavaStoredProcedure 53 LoadingJavaintheOracleDatabase 53 HandlingExceptions inaJavaStoredProcedure 53 CallingOracle DatabasefromJava 55 Method Syntax in JavaStored Procedures 57 CallingJavafromOracleDatabase 57 InstallingandTestingtheExample Code 58 vii * CONTENTS ReviewTheRosterof Participants 59 Cleaning Up 60 The Oracle JavaVirtual Machine 60 OracleJVM Based onJavaSE1.5 60 ASeparateJVM for EachOracleSession 61 OracleJVMSandbox 61 Auto-CommitDisabledintheOracleJVM 61 ChapterReview 62 Chapter5: Public Key Encryption 63 GenerateKeysontheClient 63 RSAPublicKey Cryptography 64 JavaCodetoGenerate and Use RSAKeys 64 Creatinga SetofKeys 64 Hand thePublicKeyAcrosstheNetwork 65 SerializeObjects 66 BuildingthePublic KeyfromArtifacts 66 Generating theRSA Cipher 67 Usingthe RSA Cipher 68 Getting RSAPublicKeyArtifacts 70 UsingStaticMethodsandPrivateConstructor 71 InstantiatingaConnectionMemberfromaStatic Initializer 71 UsingOne CodeforBothClientandServer 72 Testingonthe Client 73 Writing themainOMethod 73 RunningtheCode 74 Key Exchange 75 Creatinga FunctiontoEncryptDatawithPublicKey 75 CreatingaProceduretogetSYSDATE inEncrypted Form 76 viii *CONTENTS Loading OracleJavaSecureJavaintoOracleDatabase 78 EncryptingDatawithPublicKey 78 UseStacked Calls 79 Decrypting DatawithPrivateKey 79 Testing on Client and Server 80 UsingIN andOUT ParametersinanOracleCallableStatement 80 Handle ErrorsReportedbyOracleDatabase 81 DecryptingattheClient 82 RunningOurCodeAgain 82 Observing theResults 82 Removingthe DemonstrationOracleStructures 83 Chapter Review 84 Chapter 6: SecretPassword Encryption 85 Approach 85 JavaCodefor Secret Password Encryption 86 Sharing theArtifactsofaSecret Password Key 86 Initializing StaticClassMembers 87 EvaluatingtheJava1.5 Password-Based EncryptionBug 88 Coding anAutomaticUpgrade: NegotiatedAlgorithm 88 GeneratingthePassword Key 88 EncryptingwiththePublicRSAKey 89 ReturningSecret PasswordKeyArtifacts totheClient 90 Encrypting DatawithOurSecret Password 92 Oracle Structures for Secret PasswordEncryption 93 Packageto GetSecret PasswordArtifactsandEncrypted Data 93 ApplicationSecurityPackage Specification 93 ApplicationSecurityPackage Body:Functions 95 ApplicationSecurityPackage Body:Procedures 95 ix CONTENTS Java Methods for SecretPassword Decryption 97 Decrypting DataUsingtheSecretPasswordKey 97 DecryptingtheDES Passphraseusing RSAPrivateKey 98 Ancillary MethodsforArrayConversion 99 MethodUsedto ShowActualAlgorithm 100 Testing DES Encryption on the Client Only 100 RunningtheCode 102 ObservingtheResults 102 Coding toTest Client/ServerSecretPassword Encryption 102 SettingtheCodetoTestServeraswellasClient 102 ConsidertheServerPortionofthemainOMethod 103 GettingtheDES SecretPasswordfromOracle 103 Seeing theNegotiatedAlgorithmforPassword-BasedEncryption 104 CallingOracleDatabaseto getEncryptedData 105 TestingOracleDatabaseEncryptandLocal Decrypt Data 106 SendingEncryptedDatatoOracle 107 Testing Our Secure Client/ServerData Transmission 107 ChapterReview 108 Chapter7: Data Encryption in Transit 111 Security AdministratorActivities 111 GrantingMoreSystemPrivilegestotheApplicationSecurityUser 112 PermittingUsersto Execute PackagesinOtherSchemas 112 Application Security User Activities 112 CreatingaTableforErrorLogging 113 CreatingaTableforManaging Our ErrorLog Table 114 CreatinganErrorLog ManagementProcedure 115 CreatingaTriggerto MaintaintheErrorLogTable 116 TestingtheTrigger 117 x CONTENTS Updating theApplication Security Package 117 CreatinganErrorLogging Procedure 118 ExecutingPackage SpecificationandBody 118 Methodsfor Using and Testing Encryption in Transit 119 MethodtoBuildtheSecretPassword Key 119 TemporaryMethodto ResetAllKeys 120 Loading Updated OracleJavaSecure ClassintoOracle 121 Security Structuresforthe HR User 121 ExploringPrivilegesThatEnable HR Tasks 121 CreatingtheHR SecurityPackage 122 SelectingSensitiveDataColumnsfromEMPLOYEES 122 SelectingAllDataasaSingleSensitiveString 124 SelectingSensitiveDataforanEmployeeID 125 RevisingProcedure to GetSharedPassphrase 125 UpdatingSensitiveDataColumnsin EMPLOYEES 125 AvoidingSQL Injection 129 DemonstratingFailureto SQLInject inStored Procedure 130 ExecutingtheHR PackageSpecificationandBody 131 Inserting an EMPLOYEES Record:Update a Sequence 131 Demonstrations andTests ofEncrypted Data Exchange 133 SomePreliminarySteps 133 SelectingEncryptedDatafromEMPLOYEES 135 SelectingAll Columns inEncrypted String 137 SendingEncrypted Datato OracleDatabaseforInsert/Update 138 Selectinga SingleRowfromEMPLOYEES 139 SelectingEMPLOYEES DatabyLastName:TrySQL Injection 139 SelectingEMPLOYEES DatabyRAW: TrySQL Injection 140 TestingEncryptionFailurewithNew Client Keys 140 CONTENTS TestingFailurewithNewOracleConnection 141 SomeClosingRemarks 141 Executing theDemonstrationsand Tests 142 ObservingtheResults 142 DemonstratingScenarios 143 QueryingEmployeestoSee Updates 144 Packaging Template to Implement Encryption 144 TemplateforOracleApplicationSecurityStructures 144 TemplateforJavaCallstoApplicationSecurity 145 JavaArchivefor Use byApplications 145 Don'tStop Now 145 ChapterReview 146 n Chapter 8: Single Sign-On 149 Another Layer ofAuthentication? 149 Who Is Logged-ln on theClient? 150 FindaBetterSourceofOS UserIdentity 150 UseNTSystemorUnixSystemtoGetIdentity 150 Do Cross-Platform-Specific Coding withReflection 151 Assure MoreStringentOSIdentity 152 Access Oracle Databaseas Our Identified User 154 ExaminetheOracleSSO OptionsforProgrammers 154 SetaClientIdentifier 155 Prepare toAccessHR Data 155 Update p_check_hrview_accessProcedure, Non-Proxy Sessions 156 AssureClientIdentifierandOSJJSER 157 AuditActivitywithClientIdentifierSet 157 xii * CONTENTS Proxy Sessions 158 CreateIndividualPerson UsersinOracle 158 Proxyfrom UsersIDENTIFIEDEXTERNALLY 159 Establisha ProxySession 159 Update p_check_hrview_accessProcedure, ProxySessions 161 AuditProxySessions 161 Using Connection Pools 162 ProxyConnections fromanOCIConnectionPool 162 ProxySessionsfromaThinClientConnectionPool 166 UniversalConnectionPool 169 Application Use ofOracleSSO 171 OurExample ApplicationOracleSSO 172 UpdatestoOracleJavaSecure 173 A CodeTemplatetoGiveDevelopers 175 Chapter Review 175 Chapter9:Two-FactorAuthentication 177 GetOracle DatabasetoSend E-Mail 178 Installing UTLJWAIL 178 GrantingAccesstoUTL_MAIL 179 TestingSending E-Mail 180 Getting Oracle Databaseto Browse Web Pages 181 DelegatingJavaPolicytoSecurityAdministrator 181 PermittingApplicationSecurityUsertoReadWeb Pages 182 The Two-FactorAuthentication Process 183 Security Considerationsfor Two-Factor Distribution Avenues 183 SecurityIssueswithTwo-FactorDeliveryto E-Mail 183 SecurityIssueswithTwo-FactorDeliveryto Pagers 184 xiii
Description: