E-book
Author Coffin, David

Title Expert Oracle and Java security : programming secure Oracle database applications with Java / by David Coffin
Published [Berkeley, CA] : Apress, ©2011

Copies

Description 1 online resource (xxvi, 442 pages) : illustrations
Series The expert's voice in Oracle
Expert's voice in Oracle.
Contents Machine generated contents note:
ch. 1 Introduction -- Requirements -- For Windows and UNIX/Linux Users -- Background -- How to Use This Book -- Organization of This Book -- Java Objects and Oracle Database Structures -- Chapter Review
ch. 2 Oracle Database Security -- Finding a Test Oracle Database -- Working from an Existing Oracle Database -- Oracle Users and Schemas -- SQL Plus, SQL Developer, JDeveloper, or TOAD -- Organization of the Next Few Sections -- Working as the SYS User -- System Privileges -- Roles -- Security Administrator User -- Security Administrator Role -- Audit Trail -- Data Dictionary -- Working as the Security Administrator -- Acquire secadm_role from a SQL Plus Local Connection -- Toggle Between Roles -- Create an Application Security User -- Create an Application User -- Create the HR View Role -- Audit Changes to Security Administrator Procedures -- Audit Failed Attempts to Access HR Data -- Working as the HR Schema User -- Sensitive Data in the HR Sample Schema -- Public View of Employees -- Sensitive View of EMPLOYEES -- Test Application User Access -- Audit Trail Logs for the Sensitive View -- Regarding Synonyms -- Chapter Review
ch. 3 Secure Java Development Concepts -- Java Development Kit -- Oracle Java Database Connectivity -- JAR File Directory Separator -- Java Packages -- Development at Command Prompt -- Environment -- Beginning Java Syntax -- Byte Code Compilation and the Java Virtual Machine -- Java Code and Syntax Concepts -- Methods -- Values -- Members -- Objects -- Classes and Null -- Garbage Collection -- Primitives -- Strings -- Static Modifier and the main() Method -- Public and Private Modifiers -- Exceptions -- Exception Handling Syntax -- Exception Handling Approaches -- Java Virtual Machine Sandbox -- Chapter Review
ch. 4 Java Stored Procedures -- Java Stored Procedure Example -- Acquiring the Privilege to Load a Java Stored Procedure -- Loading Java in the Oracle Database -- Handling Exceptions in a Java Stored Procedure -- Calling Oracle Database from Java -- Method Syntax in Java Stored Procedures -- Calling Java from Oracle Database -- Installing and Testing the Example Code -- Review The Roster of Participants -- Cleaning Up -- Oracle Java Virtual Machine -- Oracle JVM Based on Java SE 1.5 -- Separate JVM for Each Oracle Session -- Oracle JVM Sandbox -- Auto-Commit Disabled in the Oracle JVM -- Chapter Review
ch. 5 Public Key Encryption -- Generate Keys on the Client -- RSA Public Key Cryptography -- Java Code to Generate and Use RSA Keys -- Creating a Set of Keys -- Hand the Public Key Across the Network -- Serialize Objects -- Building the Public Key from Artifacts -- Generating the RSA Cipher -- Using the RSA Cipher -- Getting RSA Public Key Artifacts -- Using Static Methods and Private Constructor -- Instantiating a Connection Member from a Static Initializer -- Using One Code for Both Client and Server -- Testing on the Client -- Writing the main() Method -- Running the Code -- Key Exchange -- Creating a Function to Encrypt Data with Public Key -- Creating a Procedure to get SYSDATE in Encrypted Form -- Loading OracleJavaSecure Java into Oracle Database -- Encrypting Data with Public Key -- Use Stacked Calls -- Decrypting Data with Private Key -- Testing on Client and Server -- Using IN and OUT Parameters in an OracleCallableStatement -- Handle Errors Reported by Oracle Database -- Decrypting at the Client -- Running Our Code Again -- Observing the Results -- Removing the Demonstration Oracle Structures -- Chapter Review
ch. 6 Secret Password Encryption -- Approach -- Java Code for Secret Password Encryption -- Sharing the Artifacts of a Secret Password Key -- Initializing Static Class Members -- Evaluating the Java 1.5 Password-Based Encryption Bug -- Coding an Automatic Upgrade: Negotiated Algorithm -- Generating the Password Key -- Encrypting with the Public RSA Key -- Returning Secret Password Key Artifacts to the Client -- Encrypting Data with Our Secret Password -- Oracle Structures for Secret Password Encryption -- Package to Get Secret Password Artifacts and Encrypted Data -- Application Security Package Specification -- Application Security Package Body: Functions -- Application Security Package Body: Procedures -- Java Methods for Secret Password Decryption -- Decrypting Data Using the Secret Password Key -- Decrypting the DES Passphrase using RSA Private Key -- Ancillary Methods for Array Conversion -- Method Used to Show Actual Algorithm -- Testing DES Encryption on the Client Only -- Running the Code -- Observing the Results -- Coding to Test Client/Server Secret Password Encryption -- Setting the Code to Test Server as well as Client -- Consider the Server Portion of the main() Method -- Getting the DES Secret Password from Oracle -- Seeing the Negotiated Algorithm for Password-Based Encryption -- Calling Oracle Database to get Encrypted Data -- Testing Oracle Database Encrypt and Local Decrypt Data -- Sending Encrypted Data to Oracle -- Testing Our Secure Client/Server Data Transmission -- Chapter Review
ch. 7 Data Encryption in Transit -- Security Administrator Activities -- Granting More System Privileges to the Application Security User -- Permitting Users to Execute Packages in Other Schemas -- Application Security User Activities -- Creating a Table for Error Logging -- Creating a Table for Managing Our Error Log Table -- Creating an Error Log Management Procedure -- Creating a Trigger to Maintain the Error Log Table -- Testing the Trigger -- Updating the Application Security Package -- Creating an Error Logging Procedure -- Executing Package Specification and Body -- Methods for Using and Testing Encryption in Transit -- Method to Build the Secret Password Key -- Temporary Method to Reset All Keys -- Loading Updated OracleJavaSecure Class into Oracle -- Security Structures for the HR User -- Exploring Privileges That Enable HR Tasks -- Creating the HR Security Package -- Selecting Sensitive Data Columns from EMPLOYEES -- Selecting All Data as a Single Sensitive String -- Selecting Sensitive Data for an Employee ID -- Revising Procedure to Get Shared Passphrase -- Updating Sensitive Data Columns in EMPLOYEES -- Avoiding SQL Injection -- Demonstrating Failure to SQL Inject in Stored Procedure -- Executing the HR Package Specification and Body -- Inserting an EMPLOYEES Record: Update a Sequence -- Demonstrations and Tests of Encrypted Data Exchange -- Some Preliminary Steps -- Selecting Encrypted Data from EMPLOYEES -- Selecting All Columns in Encrypted String -- Sending Encrypted Data to Oracle Database for Insert/Update -- Selecting a Single Row from EMPLOYEES -- Selecting EMPLOYEES Data by Last Name: Try SQL Injection -- Selecting EMPLOYEES Data by RAW: Try SQL Injection -- Testing Encryption Failure with New Client Keys -- Testing Failure with New Oracle Connection -- Some Closing Remarks -- Executing the Demonstrations and Tests -- Observing the Results -- Demonstrating Scenarios -- Querying Employees to See Updates -- Packaging Template to Implement Encryption -- Template for Oracle Application Security Structures -- Template for Java Calls to Application Security -- Java Archive for Use by Applications -- Don't Stop Now -- Chapter Review
ch. 8 Single Sign-On -- Another Layer of Authentication? -- Who Is Logged-In on the Client? -- Find a Better Source of OS User Identity -- Use NTSystem or UnixSystem to Get Identity -- Do Cross-Platform-Specific Coding with Reflection -- Assure More Stringent OS Identity -- Access Oracle Database as Our Identified User -- Examine the Oracle SSO Options for Programmers -- Set a Client Identifier -- Prepare to Access HR Data -- Update p_check_hrview_access Procedure, Non-Proxy Sessions -- Assure Client Identifier and OS_USER -- Audit Activity with Client Identifier Set -- Proxy Sessions -- Create Individual Person Users in Oracle -- Proxy from Users IDENTIFIED EXTERNALLY -- Establish a Proxy Session -- Update p_check_hrview_access Procedure, Proxy Sessions -- Audit Proxy Sessions -- Using Connection Pools -- Proxy Connections from an OCI Connection Pool -- Proxy Sessions from a Thin Client Connection Pool -- Universal Connection Pool -- Application Use of Oracle SSO -- Our Example Application Oracle SSO -- Updates to OracleJavaSecure -- Code Template to Give Developers -- Chapter Review
ch. 9 Two-Factor Authentication -- Get Oracle Database to Send E-Mail -- Installing UTL_MAIL -- Granting Access to UTL_MAIL -- Testing Sending E-Mail -- Getting Oracle Database to Browse Web Pages -- Delegating Java Policy to Security Administrator -- Permitting Application Security User to Read Web Pages -- Two-Factor Authentication Process -- Security Considerations for Two-Factor Distribution Avenues -- Security Issues with Two-Factor Delivery to E-Mail -- Security Issues with Two-Factor Delivery to Pagers -- Security Issues with Two-Factor Delivery to Cell Phones -- Preferred Two-Factor Delivery -- Oracle Structures Supporting Two-Factor Authentication -- Creating the SMS Carrier Host Table -- Creating a Table of Employee Mobile Numbers -- Accessing HR Tables from Application Security Procedures -- Create the Two-Factor Codes Cache Table -- Testing Cache Aging -- Verifying Current Cached Two-Factor Pass Code -- Sending Two-Factor Pass Codes -- Updating the Secure Application Role, HRVIEW_ROLE Procedure -- Update OracleJavaSecurity.java for Two-Factor Authentication -- Setting Some Company-Specific Addresses -- Compile Two-Factor Delivery Route Codes: Binary Math -- Exploring a Method to Distribute the Two-Factor Codes -- Distributing the Code to SMS -- Distributing the Code to Pager URL -- Distributing the Code to E-Mail -- Testing Two-Factor Authentication -- Updating OracleJavaSecure Java in Oracle -- Editing the Test Code -- Planning to Pass the Two-Factor Code as an Argument to Main -- Planning to Acquire the Secure Application Role -- Running the Tests and Observing the Results -- Chapter Review
ch. 10 Application Authorization -- Secure Application Role Procedure for Multiple Applications -- Rebuild Two-Factor Cache Table for Multiple Applications -- Update Two-Factor Code Functions to Use Application ID -- Move Test for SSO to Separate Function -- Add an Oracle Package for Use Only by Application Security -- Add Helper Function to Get APP_ROLE -- Replace Procedure for hrview_role Access with Dynamic Procedure -- Rewrite and Refactor Method to Distribute Two-Factor Code -- Procedure to get Employee Addresses for Two-Factor Code Delivery -- Stored Procedure to Update Two-Factor Code Cache -- Changes to the Method to Distribute Two-Factor Codes -- Update to Two-Factor Distribution Formats -- Application Authorization Overview -- User for Application Authorization -- New Profile with Limits and Unlimited -- Application Verification User -- Application Verification Logon Trigger -- Application Verification Logon Procedure -- Get Off Function -- Function to Find Database User -- Proxy Through Application Verification and Other Proxies -- Auditing Application Verification -- Structures for Application Authorization -- More Space for Application Security -- Application Connection Registry Table -- Set of Connection Strings for an Application -- Inner Class to Represent the Application -- Implement an Inner Class in OracleJavaSecure -- Deserialization and Version UID -- Set Application Context -- Format the User-Input Two-Factor Code -- Save Connection Strings from the Client Perspective -- Method to Put Connection Strings in the List for an Application -- Client Call to Store List of Connection Strings on Oracle -- Save Connection Strings from the Server Perspective -- Function to Call Java to Decrypt the List of Connection Strings -- Method to Store List of Connection Strings for Application -- Oracle Procedures to Get Entries from the Application Registry -- Get an Application Connection String: The Java Client Side -- Get an Oracle Connection from the List for an Application -- Get List of Connection Strings from Oracle Database to Client App -- Establish a Connection for Application Verification Processes -- Get a List of Application Connection Strings: The Server Side -- Test Application Authentication, Phase 1 -- Get New Structures into Oracle -- Review Steps of Testing -- Set the Application Context -- Call to Get Application Connections -- Send List of Connection Strings to Oracle Database for Storage -- Get a Unique Connection for Use in This Application -- Use or Lose Initial Application Verification Connection -- Get an Application Connection and the Associated Secure Application Role -- Get Encrypted Data with the Application Connection -- Add More Application Connection Strings -- Testing a Second Application -- Objects We Have Never Seen -- Place Stub Class on Oracle -- Get Application Authentication Connection and Role -- Test Application Authentication, Phase 2 -- Set the Application Context -- Store the Connection Strings in Oracle -- Get an Application Connection with Role -- See the Proxy Connection -- Get Encrypted Data from Oracle -- Chapter Review
ch. 11 Enhancing Security -- Hide the APPVER Connection String -- Get It from a Second Source/Server -- Get It from a Native Call: JNI -- Get It from an Encrypted Java Class -- Get It from an Encrypted String -- Get It from an Encoded String -- Create an Oracle Client Wallet -- Install the Oracle Client -- Create the Wallet -- Use the Wallet from SQL Plus -- Use the Wallet from Java -- Administer Wallet Security -- Trace Oracle Client Code -- Logging Oracle Thin Client Trace Data -- Encrypt Data Stored on Oracle Database -- DBMS_CRYPTO Package -- Passwords and Keys -- Encryption at Rest Key Store -- Functions to Encrypt/Decrypt Data at Rest -- Wrap Utility -- Changes to setDecryptConns()/getCryptConns() -- Manage Connection Strings for Applications -- Create an Application Administrative User -- Create an Administrative Role for Application Verification -- Delete Connection Strings -- Copy Connection Strings from Previous Version of Application -- Add Other Authentication Credentials -- Update Application Security Structures -- Authenticate on a Separate Oracle Instance -- Create a New Oracle Database Instance -- Create a New Oracle Service -- Write the Create Database Command -- Create and Configure the Database -- Create a Database Link to the ORCL Instance -- Revoke PUBLIC Grant on Sensitive Data Dictionary Views -- Create the Remaining Structures for Application Authorization -- Create Java Structures -- Remove Application Verification from the ORCL Instance -- Test Enhanced Security -- Encode the APPVER User Password for APVER Instance -- Edit the Application Passwords to Be Used -- Run Main to Test -- Run Main to Copy Connection Strings to New Version -- Test from a Different Application, TestOracleJavaSecure -- Compile and Run as Administrative User, OSADMIN -- Run as Non-Administrative User, OSUSER -- Chapter Review
ch. 12 Administration of Security -- Security Administration Interface -- Application Login Screen -- Application Inner Class -- Center Method -- Login Screen Constructors -- "Wait While Processing" Modal Dialog -- Background Processing Thread -- Continue Button -- Login Screen Closes -- Security Administration Menu -- Add/Modify User Functional Screen -- Instantiate the AddUser Screen -- Initialize the Data Selection Components -- Select an Existing Employee -- Create a New Employee -- Save Data for the Employee -- User Administration Screen -- Create the OJSAAdm User -- Enable the OJSAAdm User Across a Database Link -- Select an Existing User -- Save Updates to the Administrative Privileges -- Revoke User Access to Run Applications -- Application Assignment Screen -- Initializing the Data Selection Components -- Selecting an Available Proxy in the Table -- Selecting a User from the List -- Adding a Proxy to the User's List -- Removing a Proxy from the User's List -- Saving Updates to the User's Proxies -- Application Registration Screen -- Application Verification Administrator Role -- Create App Class Button -- Tables of Specific Application Administrators and Application to Class Registry -- Security Table Access Analysis -- Register Application Button -- Application Selection Screen -- Initializing the List of Applications -- Selecting the Manage Selected Application Button -- Connection String Editor -- Initializing the List of Connection Strings -- Selecting an Existing Connection String -- Updating a Connection String in the List -- Saving the List of Connection Strings to the Database -- Connection String Copy Screen -- Limiting Certain Administrators to Certain Applications -- Virtual Private Database -- Adding a Dynamic Where Clause to Procedures -- Adding a Dynamic Where Clause to a View -- Scripts Execution and Code Compilation -- Final Updates to OracleJavaSecure -- Single Oracle Instance Code -- Bootstrap OJSAdmin -- Chapter Review
Summary Expert Oracle and Java Security: Programming Secure Oracle Database Applications with Java provides resources that every Java and Oracle database application programmer needs to ensure that they have guarded the security of the data and identities entrusted to them. You'll learn to consider potential vulnerabilities, and to apply best practices in secure Java and PL/SQL coding. Author David Coffin shows how to develop code to encrypt data in transit and at rest, to accomplish single sign-on with Oracle proxy connections, to generate and distribute two-factor authentication tokens from the Oracle server using pagers, cell phones (SMS), and e-mail, and to securely store and distribute Oracle application passwords. Early chapters lay the foundation for effective security in an Oracle/Java environment. Each of the later chapters brings example code to a point where it may be applied as-is to address application security issues. Templates for applications are also provided to help you bring colleagues up to the same secure application standards. If you are less familiar with either Java or Oracle PL/SQL, you will not be left behind; all the concepts in this book are introduced as to a novice and addressed as to an expert.
Helps you protect against data loss, identity theft, SQL injection, and address spoofing.
Provides techniques for encryption on network and disk, code obfuscation and wrap, database hardening, single sign-on, and two-factor authentication.
Provides what database administrators need to know about secure password distribution, Java secure programming, Java stored procedures, secure application roles in Oracle, logon triggers, database design, various connection pooling schemes, and much more.
Analysis computerwetenschappen
computer sciences
programmeren
programming
gegevensbeheer
data management
Information and Communication Technology (General)
Informatie- en communicatietechnologie (algemeen)
Notes Online resource; title from PDF title page (EBSCO, viewed November 29, 2017)
In Springer eBooks
SUBJECT Oracle (Computer file) http://id.loc.gov/authorities/names/n91015760
Oracle (Computer file) blmlsh
Oracle (Computer file) fast
Subject Database security.
Java (Computer program language)
Data encryption (Computer science)
Data protection.
COMPUTERS -- Programming Languages -- Java.
COMPUTERS -- Security -- General.
Computer science.
Data encryption (Computer science)
Data protection
Database security
Java (Computer program language)
Genre/Form Electronic books
Form Electronic book
ISBN 9781430238324
1430238321