Oracle9i Java security

⇐ Назад
272
273
274
275
276
277
278279280
281
282
283
284
285
286
287
Далее ⇒

Oracle9i JVM security is based on and supports Java 2 security, in which permissions are granted on a class-by-class basis. This is a much more sophisticated and fine-grained approach to security. A detailed treatment of this topic is outside the scope of this book; please see the Oracle documentation for details. I will, however, offer some examples in this section to give you a sense of the kind of security-related code you could write in Oracle9i.

Generally, you will use the DBMS_JAVA.GRANT_PERMISSION procedure to grant the appropriate permissions. Here is an example of calling that program to give the BATCH schema permission to read and write the lastorder.log file:
CALL DBMS_JAVA.GRANT_PERMISSION( 'BATCH', 'java.io.FilePermission', '/apps/OE/lastorder.log', 'read,write');
And here is a sequence of commands that first grants permission to access files in a directory, and then restricts permission to perform operations on a particular file:
CONNECT OE_admin/OE_admin REM Grant permission to all users (PUBLIC) to be able to read and writeREM all files in /tmp.CALL DBMS_JAVA.GRANT_PERMISSION('PUBLIC', 'java.io.FilePermission', '/tmp/*', 'read,write'); REM Limit permission to all users (PUBLIC) from reading or writing the REM password file in /tmp. CALL DBMS_JAVA.GRANT_PERMISSION('PUBLIC', 'java.io.FilePermission', '/tmp/password', 'read,write'); REM By providing a more specific rule that overrides the limitation,REM OE_admin can read and write /tmp/password.CALL DBMS_JAVA.GRANT_PERMISSION('OE_admin', 'java.io.FilePermission', '/tmp/password', 'read,write');COMMIT;
22.3 A Simple Demonstration

Before diving into the details, let's walk through all the steps needed to access Java from within PL/SQL. In the process, I'll introduce the various pieces of technology you need to get the job done.

Say that I need to be able to delete a file from within PL/SQL. Prior to Oracle 8.1, I had the following options:

· In Oracle 7.3 (and above), I could send a message to a database pipe, and then have a C listener program grab the message ("Delete file X") and do all the work.

· In Oracle 8.0, I could set up a library that pointed to a C DLL or shared library, and then from within PL/SQL call a program in that library to delete the file.

The pipe technique is handy, but it is a clumsy workaround. The external procedure implementation in Oracle 8.0 is a better solution, but it is also less than straightforward, especially if you don't know the C language. So the Java solution looks as if it might be the best one all around. Although some basic knowledge of Java is required, one does not need the same level of skill that would be required to write the equivalent code in C. Java comes with prebuilt ( foundation) classes that offer clean, easy-to-use APIs to a wide array of functionality, including file I/O.

Here are the steps that I will perform in this demonstration:

1. Identify the Java functionality I need to access.

2. Build a class of my own to make the underlying Java feature callable through PL/SQL.

3. Compile the class and load it into the database.

4. Build a PL/SQL program to call the class method I created.

5. Delete files from within PL/SQL.

Oracle9i Release 2 offers an enhanced version of the UTL_FILE built-in package that allows you to delete a file by calling the UTL_FILE.FREMOVE program.

⇐ Назад
272
273
274
275
276
277
278279280
281
282
283
284
285
286
287
Далее ⇒