SUMMARY

SEARCH

Disclaimer: Authors have full rights over their works. Reproduction of any part of the content is prohibited without prior authorization.

BOOK EXPERT ORACLE AND JAVA SECURITY

SUMMARY

492

Chapter 1: Introduction
Requirements
For Windows and UNIX/Linux Users.
Background
How to Use This Book.
Organization of This Book
Java Objects and Oracle Database Structures
Chapter Review.
Chapter 2: Oracle Database Security
Finding a Test Oracle Database.
Working from an Existing Oracle Database
Oracle Users and Schemas.
SQL*Plus,SQL Developer,JDeveloper,or TOAD.
Organization of the Next Few Sections
Working as the SYS User
System Privileges
Roles
Security Administrator User
Security Administrator Role
The Audit Trail
The Data Dictionary
Working as the Security Administrator
Acquire secadm_role from a SQL*Plus Local Connection
Toggle Between Roles.
Create an Application Security User
Create an Application User
Create the HR View Role
Audit Changes to Security Administrator Procedures
Audit Failed Attempts to Access HR Data
Working as the HR Schema User
Sensitive Data in the HR Sample Schema.
Public View of Employees.
Sensitive View of EMPLOYEES
Test Application User Access
Audit Trail Logs for the Sensitive View
Regarding Synonyms.
Chapter Review.
Chapter 3: Secure Java Development Concepts
Java Development Kit
Oracle Java Database Connectivity
JAR File Directory Separator.
Java Packages
Development at Command Prompt
Environment
Beginning Java Syntax
Byte Code Compilation and the Java Virtual Machine
Java Code and Syntax Concepts
Methods
Values
Members
Objects
Classes and Null
Garbage Collection
Primitives.
Strings
Static Modifier and the main() Method
Public and Private Modifiers.
Exceptions
Exception Handling Syntax
Exception Handling Approaches
Chapter 1: Introduction
Requirements
For Windows and UNIX/Linux Users.
Background
How to Use This Book.
Organization of This Book
Java Objects and Oracle Database Structures
Chapter Review.
Chapter 2: Oracle Database Security
Finding a Test Oracle Database.
Working from an Existing Oracle Database
Oracle Users and Schemas.
SQL*Plus,SQL Developer,JDeveloper,or TOAD.
Organization of the Next Few Sections
Working as the SYS User
System Privileges
Roles
Security Administrator User
Security Administrator Role
The Audit Trail
The Data Dictionary
Working as the Security Administrator
Acquire secadm_role from a SQL*Plus Local Connection
Toggle Between Roles.
Create an Application Security User
Create an Application User
Create the HR View Role
Audit Changes to Security Administrator Procedures
Audit Failed Attempts to Access HR Data
Working as the HR Schema User
Sensitive Data in the HR Sample Schema.
Public View of Employees.
Sensitive View of EMPLOYEES
Test Application User Access
Audit Trail Logs for the Sensitive View
Regarding Synonyms.
Chapter Review.
Chapter 3: Secure Java Development Concepts
Java Development Kit
Oracle Java Database Connectivity
JAR File Directory Separator.
Java Packages
Development at Command Prompt
Environment
Beginning Java Syntax
Byte Code Compilation and the Java Virtual Machine
Java Code and Syntax Concepts
Methods
Values
Members
Objects
Classes and Null
Garbage Collection
Primitives.
Strings
Static Modifier and the main() Method
Public and Private Modifiers.
Exceptions
Exception Handling Syntax
Exception Handling Approaches
Java Virtual Machine Sandbox
Chapter Review.
Chapter 4: Java Stored Procedures
Java Stored Procedure Example
Acquiring the Privilege to Load a Java Stored Procedure
Loading Java in the Oracle Database
Handling Exceptions in a Java Stored Procedure.
Calling Oracle Database from Java
Method Syntax in Java Stored Procedures
Calling Java from Oracle Database
Installing and Testing the Example Code
Review The Roster of Participants
Cleaning Up
The Oracle Java Virtual Machine
Oracle JVM Based on Java SE 1.5
A Separate JVM for Each Oracle Session
Oracle JVM Sandbox.
Auto-Commit Disabled in the Oracle JVM
Chapter Review.
Chapter 5: Public Key Encryption
Generate Keys on the Client
RSA Public Key Cryptography
Java Code to Generate and Use RSA Keys.
Creating a Set of Keys
Hand the Public Key Across the Network
Serialize Objects
Building the Public Key from Artifacts.
Generating the RSA Cipher
Using the RSA Cipher.
Getting RSA Public Key Artifacts
Using Static Methods and Private Constructor
Instantiating a Connection Member from a Static Initializer
Using One Code for Both Client and Server
Testing on the Client
Writing the main() Method
Running the Code
Key Exchange
Creating a Function to Encrypt Data with Public Key
Creating a Procedure to get SYSDATE in Encrypted Form
Loading OracleJavaSecure Java into Oracle Database
Encrypting Data with Public Key
Use Stacked Calls
Decrypting Data with Private Key
Testing on Client and Server.
Using IN and OUT Parameters in an OracleCallableStatement
Handle Errors Reported by Oracle Database
Decrypting at the Client
Running Our Code Again.
Observing the Results
Removing the Demonstration Oracle Structures
Chapter Review.
Chapter 6: Secret Password Encryption
Approach
Java Code for Secret Password Encryption.
Sharing the Artifacts of a Secret Password Key.
Initializing Static Class Members
Evaluating the Java 1.5 Password-Based Encryption Bug
Coding an Automatic Upgrade: Negotiated Algorithm
Generating the Password Key
Encrypting with the Public RSA Key
Returning Secret Password Key Artifacts to the Client
Encrypting Data with Our Secret Password.
Oracle Structures for Secret Password Encryption
Package to Get Secret Password Artifacts and Encrypted Data
Application Security Package Specification
Application Security Package Body: Functions
Application Security Package Body: Procedures
Java Methods for Secret Password Decryption
Decrypting Data Using the Secret Password Key.
Decrypting the DES Passphrase using RSA Private Key.
Ancillary Methods for Array Conversion
Method Used to Show Actual Algorithm.
Testing DES Encryption on the Client Only
Running the Code
Observing the Results.
Coding to Test Client/Server Secret Password Encryption
Setting the Code to Test Server as well as Client.
Consider the Server Portion of the main() Method
Getting the DES Secret Password from Oracle.
Seeing the Negotiated Algorithm for Password-Based Encryption
Calling Oracle Database to get Encrypted Data.
Testing Oracle Database Encrypt and Local Decrypt Data
Sending Encrypted Data to Oracle.
Testing Our Secure Client/Server Data Transmission.
Chapter Review.
Chapter 7: Data Encryption in Transit
Security Administrator Activities
Granting More System Privileges to the Application Security User.
Permitting Users to Execute Packages in Other Schemas
Application Security User Activities.
Creating a Table for Error Logging
Creating a Table for Managing Our Error Log Table
Creating an Error Log Management Procedure
Creating a Trigger to Maintain the Error Log Table
Testing the Trigger
Updating the Application Security Package
Creating an Error Logging Procedure
Executing Package Specification and Body.
Methods for Using and Testing Encryption in Transit
Method to Build the Secret Password Key
Temporary Method to Reset All Keys
Loading Updated OracleJavaSecure Class into Oracle
Security Structures for the HR User
Exploring Privileges That Enable HR Tasks
Creating the HR Security Package.
Selecting Sensitive Data Columns from EMPLOYEES
Selecting All Data as a Single Sensitive String
Selecting Sensitive Data for an Employee ID
Revising Procedure to Get Shared Passphrase
Updating Sensitive Data Columns in EMPLOYEES
Avoiding SQL Injection.
Demonstrating Failure to SQL Inject in Stored Procedure
Executing the HR Package Specification and Body
Inserting an EMPLOYEES Record: Update a Sequence
Demonstrations and Tests of Encrypted Data Exchange
Some Preliminary Steps
Selecting Encrypted Data from EMPLOYEES
Selecting All Columns in Encrypted String
Sending Encrypted Data to Oracle Database for Insert/Update
Selecting a Single Row from EMPLOYEES
Selecting EMPLOYEES Data by Last Name: Try SQL Injection
Selecting EMPLOYEES Data by RAW: Try SQL Injection.
Testing Encryption Failure with New Client Keys
Testing Failure with New Oracle Connection.
Some Closing Remarks
Executing the Demonstrations and Tests
Observing the Results
Demonstrating Scenarios
Querying Employees to See Updates
Packaging Template to Implement Encryption
Template for Oracle Application Security Structures
Template for Java Calls to Application Security
Java Archive for Use by Applications
Don’t Stop Now.
Chapter Review.
Chapter 8: Single Sign-On
Another Layer of Authentication?
Who Is Logged-In on the Client?
Find a Better Source of OS User Identity
Use NTSystem or UnixSystem to Get Identity
Do Cross-Platform-Specific Coding with Reflection
Assure More Stringent OS Identity
Access Oracle Database as Our Identified User
Examine the Oracle SSO Options for Programmers.
Set a Client Identifier
Prepare to Access HR Data
Update p_check_hrview_access Procedure,Non-Proxy Sessions
Assure Client Identifier and OS_USER
Audit Activity with Client Identifier Set
Proxy Sessions.
Create Individual Person Users in Oracle
Proxy from Users IDENTIFIED EXTERNALLY.
Establish a Proxy Session
Update p_check_hrview_access Procedure,Proxy Sessions
Audit Proxy Sessions
Using Connection Pools
Proxy Connections from an OCI Connection Pool
Proxy Sessions from a Thin Client Connection Pool
Universal Connection Pool
Application Use of Oracle SSO
Our Example Application Oracle SSO.
Updates to OracleJavaSecure
A Code Template to Give Developers.
Chapter Review.
Chapter 9: Two-Factor Authentication.
Get Oracle Database to Send E-Mail.
Installing UTL_MAIL
Granting Access to UTL_MAIL
Testing Sending E-Mail.
Getting Oracle Database to Browse Web Pages
Delegating Java Policy to Security Administrator.
Permitting Application Security User to Read Web Pages.
The Two-Factor Authentication Process
Security Considerations for Two-Factor Distribution Avenues
Security Issues with Two-Factor Delivery to E-Mail.
Security Issues with Two-Factor Delivery to Pagers
Security Issues with Two-Factor Delivery to Cell Phones
Preferred Two-Factor Delivery
Oracle Structures Supporting Two-Factor Authentication.
Creating the SMS Carrier Host Table
Creating a Table of Employee Mobile Numbers
Accessing HR Tables from Application Security Procedures.
Create the Two-Factor Codes Cache Table
Testing Cache Aging
Verifying Current Cached Two-Factor Pass Code
Sending Two-Factor Pass Codes
Updating the Secure Application Role,HRVIEW_ROLE Procedure
Update OracleJavaSecurity.java for Two-Factor Authentication
Setting Some Company-Specific Addresses
Compile Two-Factor Delivery Route Codes: Binary Math
Exploring a Method to Distribute the Two-Factor Codes
Distributing the Code to SMS
Distributing the Code to Pager URL
Distributing the Code to E-Mail
Testing Two-Factor Authentication
Updating OracleJavaSecure Java in Oracle.
Editing the Test Code
Planning to Pass the Two-Factor Code as an Argument to Main
Planning to Acquire the Secure Application Role
Running the Tests and Observing the Results
Chapter Review.
Chapter 10: Application Authorization
Secure Application Role Procedure for Multiple Applications
Rebuild Two-Factor Cache Table for Multiple Applications.
Update Two-Factor Code Functions to Use Application ID
Move Test for SSO to Separate Function.
Add an Oracle Package for Use Only by Application Security
Add Helper Function to Get APP_ROLE
Replace Procedure for hrview_role Access with Dynamic Procedure
Rewrite and Refactor Method to Distribute Two-Factor Code
Procedure to get Employee Addresses for Two-Factor Code Delivery
Stored Procedure to Update Two-Factor Code Cache
Changes to the Method to Distribute Two-Factor Codes.
Update to Two-Factor Distribution Formats
Application Authorization Overview.
User for Application Authorization
A New Profile with Limits and Unlimited
Application Verification User
The Application Verification Logon Trigger.
Application Verification Logon Procedure.
Get Off Function.
Function to Find Database User.
Proxy Through Application Verification and Other Proxies
Auditing Application Verification
Structures for Application Authorization.
More Space for Application Security
Application Connection Registry Table
A Set of Connection Strings for an Application.
An Inner Class to Represent the Application
Implement an Inner Class in OracleJavaSecure.
Deserialization and Version UID
Set Application Context
Format the User-Input Two-Factor Code
Save Connection Strings from the Client Perspective
Method to Put Connection Strings in the List for an Application
Client Call to Store List of Connection Strings on Oracle
Save Connection Strings from the Server Perspective
Function to Call Java to Decrypt the List of Connection Strings
Method to Store List of Connection Strings for Application.
Oracle Procedures to Get Entries from the Application Registry
Get an Application Connection String: The Java Client Side.
Get an Oracle Connection from the List for an Application
Get List of Connection Strings from Oracle Database to Client App
Establish a Connection for Application Verification Processes
Get a List of Application Connection Strings: The Server Side
Test Application Authentication,Phase 1
Get New Structures into Oracle
Review Steps of Testing
Set the Application Context
Call to Get Application Connections
Send List of Connection Strings to Oracle Database for Storage
Get a Unique Connection for Use in This Application
Use or Lose Initial Application Verification Connection
Get an Application Connection and the Associated Secure Application Role
Get Encrypted Data with the Application Connection
Add More Application Connection Strings
Testing a Second Application
Objects We Have Never Seen
Place Stub Class on Oracle.
Get Application Authentication Connection and Role.
Test Application Authentication,Phase 2
Set the Application Context
Store the Connection Strings in Oracle.
Get an Application Connection with Role
See the Proxy Connection.
Get Encrypted Data from Oracle
Chapter Review.
Chapter 11: Enhancing Security
Hide the APPVER Connection String
Get It from a Second Source/Server
Get It from a Native Call: JNI
Get It from an Encrypted Java Class
Get It from an Encrypted String
Get It from an Encoded String
Create an Oracle Client Wallet
Install the Oracle Client
Create the Wallet
Use the Wallet from SQL*Plus
Use the Wallet from Java.
Administer Wallet Security
Trace Oracle Client Code
Logging Oracle Thin Client Trace Data
Encrypt Data Stored on Oracle Database.
DBMS_CRYPTO Package
Passwords and Keys
Encryption at Rest Key Store
Functions to Encrypt/Decrypt Data at Rest
Wrap Utility
Changes to setDecryptConns()/getCryptConns().
Manage Connection Strings for Applications.
Create an Application Administrative User
Create an Administrative Role for Application Verification.
Delete Connection Strings
Copy Connection Strings from Previous Version of Application
Add Other Authentication Credentials.
Update Application Security Structures.
Authenticate on a Separate Oracle Instance
Create a New Oracle Database Instance
Create a New Oracle Service
Write the Create Database Command
Create and Configure the Database
Create a Database Link to the ORCL Instance
Revoke PUBLIC Grant on Sensitive Data Dictionary Views
Create the Remaining Structures for Application Authorization
Create Java Structures
Remove Application Verification from the ORCL Instance
Test Enhanced Security
Encode the APPVER User Password for APVER Instance.
Edit the Application Passwords to Be Used
Run Main to Test.
Run Main to Copy Connection Strings to New Version
Test from a Different Application,TestOracleJavaSecure
Compile and Run as Administrative User,OSADMIN
Run as Non-Administrative User,OSUSER
Chapter Review.
Chapter 12: Administration of Security
A Security Administration Interface
Application Login Screen
The Application Inner Class
Center Method
Login Screen Constructors
The Wait While Processing Modal Dialog.
Background Processing Thread.
The Continue Button
The Login Screen Closes
Security Administration Menu
Add/Modify User Functional Screen
Instantiate the AddUser Screen.
Initialize the Data Selection Components
Select an Existing Employee
Create a New Employee
Save Data for the Employee
User Administration Screen
Create the OJSAAdm User
Enable the OJSAAdm User Across a Database Link
Select an Existing User
Save Updates to the Administrative Privileges
Revoke User Access to Run Applications
Application Assignment Screen
Initializing the Data Selection Components.
Selecting an Available Proxy in the Table
Selecting a User from the List
Adding a Proxy to the User’s List
Removing a Proxy from the User’s List
Saving Updates to the User’s Proxies.
Application Registration Screen
The Application Verification Administrator Role.
The Create App Class Button.
Tables of Specific Application Administrators and Application to Class Registry
Security Table Access Analysis
The Register Application Button
Application Selection Screen.
Initializing the List of Applications.
Selecting the Manage Selected Application Button.
Connection String Editor.
Initializing the List of Connection Strings.
Selecting an Existing Connection String.
Updating a Connection String in the List
Saving the List of Connection Strings to the Database
Connection String Copy Screen
Limiting Certain Administrators to Certain Applications
Virtual Private Database
Adding a Dynamic Where Clause to Procedures
Adding a Dynamic Where Clause to a View.
Scripts Execution and Code Compilation.
Final Updates to OracleJavaSecure
Single Oracle Instance Code
Bootstrap OJSAdmin.
Chapter Review.
Appendix A: List of Methods from OracleJavaSecure Class
Appendix B: Oracle Procedures,Functions and Triggers for Oracle and Java
Security