Table of Contents (items found: 418)

Chapter 1: Introduction
  Requirements
  For Windows and UNIX/Linux Users
  Background
  How to Use This Book
  Organization of This Book
  Java Objects and Oracle Database Structures
  Chapter Review

Chapter 2: Oracle Database Security
  Finding a Test Oracle Database
  Working from an Existing Oracle Database
  Oracle Users and Schemas
  SQL*Plus, SQL Developer, JDeveloper, or TOAD
  Organization of the Next Few Sections
  Working as the SYS User
  System Privileges
  Roles
  Security Administrator User
  Security Administrator Role
  The Audit Trail
  The Data Dictionary
  Working as the Security Administrator
  Acquire secadm_role from a SQL*Plus Local Connection
  Toggle Between Roles
  Create an Application Security User
  Create an Application User
  Create the HR View Role
  Audit Changes to Security Administrator Procedures
  Audit Failed Attempts to Access HR Data
  Working as the HR Schema User
  Sensitive Data in the HR Sample Schema
  Public View of Employees
  Sensitive View of EMPLOYEES
  Test Application User Access
  Audit Trail Logs for the Sensitive View
  Regarding Synonyms

Chapter 3: Secure Java Development Concepts
  Java Development Kit
  Oracle Java Database Connectivity
  JAR File Directory Separator
  Java Packages
  Development at Command Prompt
  Environment
  Beginning Java Syntax
  Byte Code Compilation and the Java Virtual Machine
  Java Code and Syntax Concepts
  Methods
  Values
  Members
  Objects
  Classes and Null
  Garbage Collection
  Primitives
  Strings
  Static Modifier and the main() Method
  Public and Private Modifiers
  Exceptions
  Exception Handling Syntax
  Exception Handling Approaches
  Java Virtual Machine Sandbox

Chapter 4: Java Stored Procedures
  Java Stored Procedure Example
  Acquiring the Privilege to Load a Java Stored Procedure
  Loading Java in the Oracle Database
  Handling Exceptions in a Java Stored Procedure
  Calling Oracle Database from Java
  Method Syntax in Java Stored Procedures
  Calling Java from Oracle Database
  Installing and Testing the Example Code
  Review The Roster of Participants
  Cleaning Up
  The Oracle Java Virtual Machine
  Oracle JVM Based on Java SE 1.5
  A Separate JVM for Each Oracle Session
  Oracle JVM Sandbox
  Auto-Commit Disabled in the Oracle JVM

Chapter 5: Public Key Encryption
  Generate Keys on the Client
  RSA Public Key Cryptography
  Java Code to Generate and Use RSA Keys
  Creating a Set of Keys
  Hand the Public Key Across the Network
  Serialize Objects
  Building the Public Key from Artifacts
  Generating the RSA Cipher
  Using the RSA Cipher
  Getting RSA Public Key Artifacts
  Using Static Methods and Private Constructor
  Instantiating a Connection Member from a Static Initializer
  Using One Code for Both Client and Server
  Testing on the Client
  Writing the main() Method
  Running the Code
  Key Exchange
  Creating a Function to Encrypt Data with Public Key
  Creating a Procedure to get SYSDATE in Encrypted Form
  Loading OracleJavaSecure Java into Oracle Database
  Encrypting Data with Public Key
  Use Stacked Calls
  Decrypting Data with Private Key
  Testing on Client and Server
  Using IN and OUT Parameters in an OracleCallableStatement
  Handle Errors Reported by Oracle Database
  Decrypting at the Client
  Running Our Code Again
  Observing the Results
  Removing the Demonstration Oracle Structures

Chapter 6: Secret Password Encryption
  Approach
  Java Code for Secret Password Encryption
  Sharing the Artifacts of a Secret Password Key
  Initializing Static Class Members
  Evaluating the Java 1.5 Password-Based Encryption Bug
  Coding an Automatic Upgrade: Negotiated Algorithm
  Generating the Password Key
  Encrypting with the Public RSA Key
  Returning Secret Password Key Artifacts to the Client
  Encrypting Data with Our Secret Password
  Oracle Structures for Secret Password Encryption
  Package to Get Secret Password Artifacts and Encrypted Data
  Application Security Package Specification
  Application Security Package Body: Functions
  Application Security Package Body: Procedures
  Java Methods for Secret Password Decryption
  Decrypting Data Using the Secret Password Key
  Decrypting the DES Passphrase using RSA Private Key
  Ancillary Methods for Array Conversion
  Method Used to Show Actual Algorithm
  Testing DES Encryption on the Client Only
  Observing the Results
  Coding to Test Client/Server Secret Password Encryption
  Setting the Code to Test Server as well as Client
  Consider the Server Portion of the main() Method
  Getting the DES Secret Password from Oracle
  Seeing the Negotiated Algorithm for Password-Based Encryption
  Calling Oracle Database to get Encrypted Data
  Testing Oracle Database Encrypt and Local Decrypt Data
  Sending Encrypted Data to Oracle
  Testing Our Secure Client/Server Data Transmission

Chapter 7: Data Encryption in Transit
  Security Administrator Activities
  Granting More System Privileges to the Application Security User
  Permitting Users to Execute Packages in Other Schemas
  Application Security User Activities
  Creating a Table for Error Logging
  Creating a Table for Managing Our Error Log Table
  Creating an Error Log Management Procedure
  Creating a Trigger to Maintain the Error Log Table
  Testing the Trigger
  Updating the Application Security Package
  Creating an Error Logging Procedure
  Executing Package Specification and Body
  Methods for Using and Testing Encryption in Transit
  Method to Build the Secret Password Key
  Temporary Method to Reset All Keys
  Loading Updated OracleJavaSecure Class into Oracle
  Security Structures for the HR User
  Exploring Privileges That Enable HR Tasks
  Creating the HR Security Package
  Selecting Sensitive Data Columns from EMPLOYEES
  Selecting All Data as a Single Sensitive String
  Selecting Sensitive Data for an Employee ID
  Revising Procedure to Get Shared Passphrase
  Updating Sensitive Data Columns in EMPLOYEES
  Avoiding SQL Injection
  Demonstrating Failure to SQL Inject in Stored Procedure
  Executing the HR Package Specification and Body
  Inserting an EMPLOYEES Record: Update a Sequence
  Demonstrations and Tests of Encrypted Data Exchange
  Some Preliminary Steps
  Selecting Encrypted Data from EMPLOYEES
  Selecting All Columns in Encrypted String
  Sending Encrypted Data to Oracle Database for Insert/Update
  Selecting a Single Row from EMPLOYEES
  Selecting EMPLOYEES Data by Last Name: Try SQL Injection
  Selecting EMPLOYEES Data by RAW: Try SQL Injection
  Testing Encryption Failure with New Client Keys
  Testing Failure with New Oracle Connection
  Some Closing Remarks
  Executing the Demonstrations and Tests
  Demonstrating Scenarios
  Querying Employees to See Updates
  Packaging Template to Implement Encryption
  Template for Oracle Application Security Structures
  Template for Java Calls to Application Security
  Java Archive for Use by Applications
  Don't Stop Now

Chapter 8: Single Sign-On
  Another Layer of Authentication?
  Who Is Logged-In on the Client?
  Find a Better Source of OS User Identity
  Use NTSystem or UnixSystem to Get Identity
  Do Cross-Platform-Specific Coding with Reflection
  Assure More Stringent OS Identity
  Access Oracle Database as Our Identified User
  Examine the Oracle SSO Options for Programmers
  Set a Client Identifier
  Prepare to Access HR Data
  Update p_check_hrview_access Procedure, Non-Proxy Sessions
  Assure Client Identifier and OS_USER
  Audit Activity with Client Identifier Set
  Proxy Sessions
  Create Individual Person Users in Oracle
  Proxy from Users IDENTIFIED EXTERNALLY
  Establish a Proxy Session
  Update p_check_hrview_access Procedure, Proxy Sessions
  Audit Proxy Sessions
  Using Connection Pools
  Proxy Connections from an OCI Connection Pool
  Proxy Sessions from a Thin Client Connection Pool
  Universal Connection Pool
  Application Use of Oracle SSO
  Our Example Application Oracle SSO
  Updates to OracleJavaSecure
  A Code Template to Give Developers

Chapter 9: Two-Factor Authentication
  Get Oracle Database to Send E-Mail
  Installing UTL_MAIL
  Granting Access to UTL_MAIL
  Testing Sending E-Mail
  Getting Oracle Database to Browse Web Pages
  Delegating Java Policy to Security Administrator
  Permitting Application Security User to Read Web Pages
  The Two-Factor Authentication Process
  Security Considerations for Two-Factor Distribution Avenues
  Security Issues with Two-Factor Delivery to E-Mail
  Security Issues with Two-Factor Delivery to Pagers
  Security Issues with Two-Factor Delivery to Cell Phones
  Preferred Two-Factor Delivery
  Oracle Structures Supporting Two-Factor Authentication
  Creating the SMS Carrier Host Table
  Creating a Table of Employee Mobile Numbers
  Accessing HR Tables from Application Security Procedures
  Create the Two-Factor Codes Cache Table
  Testing Cache Aging
  Verifying Current Cached Two-Factor Pass Code
  Sending Two-Factor Pass Codes
  Updating the Secure Application Role, HRVIEW_ROLE Procedure
  Update OracleJavaSecurity.java for Two-Factor Authentication
  Setting Some Company-Specific Addresses
  Compile Two-Factor Delivery Route Codes: Binary Math
  Exploring a Method to Distribute the Two-Factor Codes
  Distributing the Code to SMS
  Distributing the Code to Pager URL
  Distributing the Code to E-Mail
  Testing Two-Factor Authentication
  Updating OracleJavaSecure Java in Oracle
  Editing the Test Code
  Planning to Pass the Two-Factor Code as an Argument to Main
  Planning to Acquire the Secure Application Role
  Running the Tests and Observing the Results

Chapter 10: Application Authorization
  Secure Application Role Procedure for Multiple Applications
  Rebuild Two-Factor Cache Table for Multiple Applications
  Update Two-Factor Code Functions to Use Application ID
  Move Test for SSO to Separate Function
  Add an Oracle Package for Use Only by Application Security
  Add Helper Function to Get APP_ROLE
  Replace Procedure for hrview_role Access with Dynamic Procedure
  Rewrite and Refactor Method to Distribute Two-Factor Code
  Procedure to get Employee Addresses for Two-Factor Code Delivery
  Stored Procedure to Update Two-Factor Code Cache
  Changes to the Method to Distribute Two-Factor Codes
  Update to Two-Factor Distribution Formats
  Application Authorization Overview
  User for Application Authorization
  A New Profile with Limits and Unlimited
  Application Verification User
  The Application Verification Logon Trigger
  Application Verification Logon Procedure
  Get Off Function
  Function to Find Database User
  Proxy Through Application Verification and Other Proxies
  Auditing Application Verification
  Structures for Application Authorization
  More Space for Application Security
  Application Connection Registry Table
  A Set of Connection Strings for an Application
  An Inner Class to Represent the Application
  Implement an Inner Class in OracleJavaSecure
  Deserialization and Version UID
  Set Application Context
  Format the User-Input Two-Factor Code
  Save Connection Strings from the Client Perspective
  Method to Put Connection Strings in the List for an Application
  Client Call to Store List of Connection Strings on Oracle
  Save Connection Strings from the Server Perspective
  Function to Call Java to Decrypt the List of Connection Strings
  Method to Store List of Connection Strings for Application
  Oracle Procedures to Get Entries from the Application Registry
  Get an Application Connection String: The Java Client Side
  Get an Oracle Connection from the List for an Application
  Get List of Connection Strings from Oracle Database to Client App
  Establish a Connection for Application Verification Processes
  Get a List of Application Connection Strings: The Server Side
  Test Application Authentication, Phase 1
  Get New Structures into Oracle
  Review Steps of Testing
  Set the Application Context
  Call to Get Application Connections
  Send List of Connection Strings to Oracle Database for Storage
  Get a Unique Connection for Use in This Application
  Use or Lose Initial Application Verification Connection
  Get an Application Connection and the Associated Secure Application Role
  Get Encrypted Data with the Application Connection
  Add More Application Connection Strings
  Testing a Second Application
  Objects We Have Never Seen
  Place Stub Class on Oracle
  Get Application Authentication Connection and Role
  Test Application Authentication, Phase 2
  Store the Connection Strings in Oracle
  Get an Application Connection with Role
  See the Proxy Connection
  Get Encrypted Data from Oracle

Chapter 11: Enhancing Security
  Hide the APPVER Connection String
  Get It from a Second Source/Server
  Get It from a Native Call: JNI
  Get It from an Encrypted Java Class
  Get It from an Encrypted String
  Get It from an Encoded String
  Create an Oracle Client Wallet
  Install the Oracle Client
  Create the Wallet
  Use the Wallet from SQL*Plus
  Use the Wallet from Java
  Administer Wallet Security
  Trace Oracle Client Code
  Logging Oracle Thin Client Trace Data
  Encrypt Data Stored on Oracle Database
  DBMS_CRYPTO Package
  Passwords and Keys
  Encryption at Rest Key Store
  Functions to Encrypt/Decrypt Data at Rest
  Wrap Utility
  Changes to setDecryptConns()/getCryptConns()
  Manage Connection Strings for Applications
  Create an Application Administrative User
  Create an Administrative Role for Application Verification
  Delete Connection Strings
  Copy Connection Strings from Previous Version of Application
  Add Other Authentication Credentials
  Update Application Security Structures
  Authenticate on a Separate Oracle Instance
  Create a New Oracle Database Instance
  Create a New Oracle Service
  Write the Create Database Command
  Create and Configure the Database
  Create a Database Link to the ORCL Instance
  Revoke PUBLIC Grant on Sensitive Data Dictionary Views
  Create the Remaining Structures for Application Authorization
  Create Java Structures
  Remove Application Verification from the ORCL Instance
  Test Enhanced Security
  Encode the APPVER User Password for APVER Instance
  Edit the Application Passwords to Be Used
  Run Main to Test
  Run Main to Copy Connection Strings to New Version
  Test from a Different Application, TestOracleJavaSecure
  Compile and Run as Administrative User, OSADMIN
  Run as Non-Administrative User, OSUSER

Chapter 12: Administration of Security
  A Security Administration Interface
  Application Login Screen
  The Application Inner Class
  Center Method
  Login Screen Constructors
  The Wait While Processing Modal Dialog
  Background Processing Thread
  The Continue Button
  The Login Screen Closes
  Security Administration Menu
  Add/Modify User Functional Screen
  Instantiate the AddUser Screen
  Initialize the Data Selection Components
  Select an Existing Employee
  Create a New Employee
  Save Data for the Employee
  User Administration Screen
  Create the OJSAAdm User
  Enable the OJSAAdm User Across a Database Link
  Select an Existing User
  Save Updates to the Administrative Privileges
  Revoke User Access to Run Applications
  Application Assignment Screen
  Initializing the Data Selection Components
  Selecting an Available Proxy in the Table
  Selecting a User from the List
  Adding a Proxy to the User's List
  Removing a Proxy from the User's List
  Saving Updates to the User's Proxies
  Application Registration Screen
  The Application Verification Administrator Role
  The Create App Class Button
  Tables of Specific Application Administrators and Application to Class Registry
  Security Table Access Analysis
  The Register Application Button
  Application Selection Screen
  Initializing the List of Applications
  Selecting the Manage Selected Application Button
  Connection String Editor
  Initializing the List of Connection Strings
  Selecting an Existing Connection String
  Updating a Connection String in the List
  Saving the List of Connection Strings to the Database
  Connection String Copy Screen
  Limiting Certain Administrators to Certain Applications
  Virtual Private Database
  Adding a Dynamic Where Clause to Procedures
  Adding a Dynamic Where Clause to a View
  Scripts Execution and Code Compilation
  Final Updates to OracleJavaSecure
  Single Oracle Instance Code
  Bootstrap OJSAdmin

Appendix A: List of Methods from OracleJavaSecure Class

Appendix B: Oracle Procedures, Functions and Triggers for Oracle and Java Security