LEADER 00000cam a2201009 a 4500
001 768826063
003 OCoLC
005 20240129213017.0
006 m o d
007 cr cnu---unuuu
008 111220s2011 caua o 001 0 eng d
019 772190950|a780035531|a817061635|a824110313|a961486102|a1005786141|a1066497059|a1086544550|a1087227425|a1110894758|a1112521738|a1129341849|a1135586607|a1152991399|a1162735439|a1192336208|a1204026462|a1240518511
020 9781430238324|q(electronic bk.)
020 1430238321|q(electronic bk.)
024 7 10.1007/978-1-4302-3832-4|2doi
024 8 10.1007/978-1-4302-3
029 1 AU@|b000048718827
029 1 AU@|b000053276214
029 1 AU@|b000058047255
029 1 AU@|b000060583593
029 1 DEBSZ|b367965135
029 1 DEBSZ|b397270712
029 1 NZ1|b14263646
029 1 AU@|b000067100103
035 (OCoLC)768826063|z(OCoLC)772190950|z(OCoLC)780035531|z(OCoLC)817061635|z(OCoLC)824110313|z(OCoLC)961486102|z(OCoLC)1005786141|z(OCoLC)1066497059|z(OCoLC)1086544550|z(OCoLC)1087227425|z(OCoLC)1110894758|z(OCoLC)1112521738|z(OCoLC)1129341849|z(OCoLC)1135586607|z(OCoLC)1152991399|z(OCoLC)1162735439|z(OCoLC)1192336208|z(OCoLC)1204026462|z(OCoLC)1240518511
037 CL0500000120|bSafari Books Online
040 GW5XE|beng|epn|cGW5XE|dB24X7|dUMI|dE7B|dCOO|dYDXCP|dEBLCP|dDEBSZ|dOCLCO|dOCLCQ|dBEDGE|dOCLCQ|dIDEBK|dVT2|dOCLCF|dOCLCQ|dTXI|dOCLCQ|dAZK|dZ5A|dVGM|dLIV|dUAB|dOCLCQ|dMERUC|dESU|dIOG|dN$T|dOCLCQ|dCEF|dINT|dU3W|dAU@|dOCLCQ|dOCLCO|dWYU|dYOU|dOCLCQ|dOCLCO|dOL$|dOCLCQ|dOCLCO|dLEAUB|dDCT|dERF|dUKAHL|dWURST|dOCLCQ|dLQU|dBRF|dOCLCO|dOCLCQ|dOCLCO|dOCLCQ|dOCLCL
049 INap
082 04 005.8
082 04 005.8|223
099 eBook O'Reilly for Public Libraries
100 1 Coffin, David.
245 10 Expert Oracle and Java security :|bprogramming secure Oracle database applications with Java /|cby David Coffin.|h[O'Reilly electronic resource]
260 [Berkeley, CA] :|bApress,|c©2011.
300 1 online resource (xxvi, 442 pages) :|billustrations
336 text|btxt|2rdacontent
337 computer|bc|2rdamedia
338 online resource|bcr|2rdacarrier
347 data file|2rda
490 1 The expert's voice in Oracle
505 00 |gMachine generated contents note:
    |gch. 1|tIntroduction --|tRequirements --|tFor Windows and UNIX/Linux Users --|tBackground --|tHow to Use This Book --|tOrganization of This Book --|tJava Objects and Oracle Database Structures --|tChapter Review --
    |gch. 2|tOracle Database Security --|tFinding a Test Oracle Database --|tWorking from an Existing Oracle Database --|tOracle Users and Schemas --|tSQL Plus, SQL Developer, JDeveloper, or TOAD --|tOrganization of the Next Few Sections --|tWorking as the SYS User --|tSystem Privileges --|tRoles --|tSecurity Administrator User --|tSecurity Administrator Role --|tAudit Trail --|tData Dictionary --|tWorking as the Security Administrator --|tAcquire secadm_role from a SQL Plus Local Connection --|tToggle Between Roles --|tCreate an Application Security User --|tCreate an Application User --|tCreate the HR View Role --|tAudit Changes to Security Administrator Procedures --|tAudit Failed Attempts to Access HR Data --|tWorking as the HR Schema User --|tSensitive Data in the HR Sample Schema --|tPublic View of Employees --|tSensitive View of EMPLOYEES --|tTest Application User Access --|tAudit Trail Logs for the Sensitive View --|tRegarding Synonyms --|tChapter Review --
    |gch. 3|tSecure Java Development Concepts --|tJava Development Kit --|tOracle Java Database Connectivity --|tJAR File Directory Separator --|tJava Packages --|tDevelopment at Command Prompt --|tEnvironment --|tBeginning Java Syntax --|tByte Code Compilation and the Java Virtual Machine --|tJava Code and Syntax Concepts --|tMethods --|tValues --|tMembers --|tObjects --|tClasses and Null --|tGarbage Collection --|tPrimitives --|tStrings --|tStatic Modifier and the main() Method --|tPublic and Private Modifiers --|tExceptions --|tException Handling Syntax --|tException Handling Approaches --|tJava Virtual Machine Sandbox --|tChapter Review --
    |gch. 4|tJava Stored Procedures --|tJava Stored Procedure Example --|tAcquiring the Privilege to Load a Java Stored Procedure --|tLoading Java in the Oracle Database --|tHandling Exceptions in a Java Stored Procedure --|tCalling Oracle Database from Java --|tMethod Syntax in Java Stored Procedures --|tCalling Java from Oracle Database --|tInstalling and Testing the Example Code --|tReview The Roster of Participants --|tCleaning Up --|tOracle Java Virtual Machine --|tOracle JVM Based on Java SE 1.5 --|tSeparate JVM for Each Oracle Session --|tOracle JVM Sandbox --|tAuto-Commit Disabled in the Oracle JVM --|tChapter Review --
    |gch. 5|tPublic Key Encryption --|tGenerate Keys on the Client --|tRSA Public Key Cryptography --|tJava Code to Generate and Use RSA Keys --|tCreating a Set of Keys --|tHand the Public Key Across the Network --|tSerialize Objects --|tBuilding the Public Key from Artifacts --|tGenerating the RSA Cipher --|tUsing the RSA Cipher --|tGetting RSA Public Key Artifacts --|tUsing Static Methods and Private Constructor --|tInstantiating a Connection Member from a Static Initializer --|tUsing One Code for Both Client and Server --|tTesting on the Client --|tWriting the main() Method --|tRunning the Code --|tKey Exchange --|tCreating a Function to Encrypt Data with Public Key --|tCreating a Procedure to get SYSDATE in Encrypted Form --|tLoading OracleJavaSecure Java into Oracle Database --|tEncrypting Data with Public Key --|tUse Stacked Calls --|tDecrypting Data with Private Key --|tTesting on Client and Server --|tUsing IN and OUT Parameters in an OracleCallableStatement --|tHandle Errors Reported by Oracle Database --|tDecrypting at the Client --|tRunning Our Code Again --|tObserving the Results --|tRemoving the Demonstration Oracle Structures --|tChapter Review --
    |gch. 6|tSecret Password Encryption --|tApproach --|tJava Code for Secret Password Encryption --|tSharing the Artifacts of a Secret Password Key --|tInitializing Static Class Members --|tEvaluating the Java 1.5 Password-Based Encryption Bug --|tCoding an Automatic Upgrade: Negotiated Algorithm --|tGenerating the Password Key --|tEncrypting with the Public RSA Key --|tReturning Secret Password Key Artifacts to the Client --|tEncrypting Data with Our Secret Password --|tOracle Structures for Secret Password Encryption --|tPackage to Get Secret Password Artifacts and Encrypted Data --|tApplication Security Package Specification --|tApplication Security Package Body: Functions --|tApplication Security Package Body: Procedures --|tJava Methods for Secret Password Decryption --|tDecrypting Data Using the Secret Password Key --|tDecrypting the DES Passphrase using RSA Private Key --|tAncillary Methods for Array Conversion --|tMethod Used to Show Actual Algorithm --|tTesting DES Encryption on the Client Only --|tRunning the Code --|tObserving the Results --|tCoding to Test Client/Server Secret Password Encryption --|tSetting the Code to Test Server as well as Client --|tConsider the Server Portion of the main() Method --|tGetting the DES Secret Password from Oracle --|tSeeing the Negotiated Algorithm for Password-Based Encryption --|tCalling Oracle Database to get Encrypted Data --|tTesting Oracle Database Encrypt and Local Decrypt Data --|tSending Encrypted Data to Oracle --|tTesting Our Secure Client/Server Data Transmission --|tChapter Review --
    |gch. 7|tData Encryption in Transit --|tSecurity Administrator Activities --|tGranting More System Privileges to the Application Security User --|tPermitting Users to Execute Packages in Other Schemas --|tApplication Security User Activities --|tCreating a Table for Error Logging --|tCreating a Table for Managing Our Error Log Table --|tCreating an Error Log Management Procedure --|tCreating a Trigger to Maintain the Error Log Table --|tTesting the Trigger --|tUpdating the Application Security Package --|tCreating an Error Logging Procedure --|tExecuting Package Specification and Body --|tMethods for Using and Testing Encryption in Transit --|tMethod to Build the Secret Password Key --|tTemporary Method to Reset All Keys --|tLoading Updated OracleJavaSecure Class into Oracle --|tSecurity Structures for the HR User --|tExploring Privileges That Enable HR Tasks --|tCreating the HR Security Package --|tSelecting Sensitive Data Columns from EMPLOYEES --|tSelecting All Data as a Single Sensitive String --|tSelecting Sensitive Data for an Employee ID --|tRevising Procedure to Get Shared Passphrase --|tUpdating Sensitive Data Columns in EMPLOYEES --|tAvoiding SQL Injection --|tDemonstrating Failure to SQL Inject in Stored Procedure --|tExecuting the HR Package Specification and Body --|tInserting an EMPLOYEES Record: Update a Sequence --|tDemonstrations and Tests of Encrypted Data Exchange --|tSome Preliminary Steps --|tSelecting Encrypted Data from EMPLOYEES --|tSelecting All Columns in Encrypted String --|tSending Encrypted Data to Oracle Database for Insert/Update --|tSelecting a Single Row from EMPLOYEES --|tSelecting EMPLOYEES Data by Last Name: Try SQL Injection --|tSelecting EMPLOYEES Data by RAW: Try SQL Injection --|tTesting Encryption Failure with New Client Keys --|tTesting Failure with New Oracle Connection --|tSome Closing Remarks --|tExecuting the Demonstrations and Tests --|tObserving the Results --|tDemonstrating Scenarios --|tQuerying Employees to See Updates --|tPackaging Template to Implement Encryption --|tTemplate for Oracle Application Security Structures --|tTemplate for Java Calls to Application Security --|tJava Archive for Use by Applications --|tDon't Stop Now --|tChapter Review --
505 00 |gch. 8|tSingle Sign-On --|tAnother Layer of Authentication? --|tWho Is Logged-In on the Client? --|tFind a Better Source of OS User Identity --|tUse NTSystem or UnixSystem to Get Identity --|tDo Cross-Platform-Specific Coding with Reflection --|tAssure More Stringent OS Identity --|tAccess Oracle Database as Our Identified User --|tExamine the Oracle SSO Options for Programmers --|tSet a Client Identifier --|tPrepare to Access HR Data --|tUpdate p_check_hrview_access Procedure, Non-Proxy Sessions --|tAssure Client Identifier and OS_USER --|tAudit Activity with Client Identifier Set --|tProxy Sessions --|tCreate Individual Person Users in Oracle --|tProxy from Users IDENTIFIED EXTERNALLY --|tEstablish a Proxy Session --|tUpdate p_check_hrview_access Procedure, Proxy Sessions --|tAudit Proxy Sessions --|tUsing Connection Pools --|tProxy Connections from an OCI Connection Pool --|tProxy Sessions from a Thin Client Connection Pool --|tUniversal Connection Pool --|tApplication Use of Oracle SSO --|tOur Example Application Oracle SSO --|tUpdates to OracleJavaSecure --|tCode Template to Give Developers --|tChapter Review --
    |gch. 9|tTwo-Factor Authentication --|tGet Oracle Database to Send E-Mail --|tInstalling UTL_MAIL --|tGranting Access to UTL_MAIL --|tTesting Sending E-Mail --|tGetting Oracle Database to Browse Web Pages --|tDelegating Java Policy to Security Administrator --|tPermitting Application Security User to Read Web Pages --|tTwo-Factor Authentication Process --|tSecurity Considerations for Two-Factor Distribution Avenues --|tSecurity Issues with Two-Factor Delivery to E-Mail --|tSecurity Issues with Two-Factor Delivery to Pagers --|tSecurity Issues with Two-Factor Delivery to Cell Phones --|tPreferred Two-Factor Delivery --|tOracle Structures Supporting Two-Factor Authentication --|tCreating the SMS Carrier Host Table --|tCreating a Table of Employee Mobile Numbers --|tAccessing HR Tables from Application Security Procedures --|tCreate the Two-Factor Codes Cache Table --|tTesting Cache Aging --|tVerifying Current Cached Two-Factor Pass Code --|tSending Two-Factor Pass Codes --|tUpdating the Secure Application Role, HRVIEW_ROLE Procedure --|tUpdate OracleJavaSecure.java for Two-Factor Authentication.
505 00 |gNote continued:|tSetting Some Company-Specific Addresses --|tCompile Two-Factor Delivery Route Codes: Binary Math --|tExploring a Method to Distribute the Two-Factor Codes --|tDistributing the Code to SMS --|tDistributing the Code to Pager URL --|tDistributing the Code to E-Mail --|tTesting Two-Factor Authentication --|tUpdating OracleJavaSecure Java in Oracle --|tEditing the Test Code --|tPlanning to Pass the Two-Factor Code as an Argument to Main --|tPlanning to Acquire the Secure Application Role --|tRunning the Tests and Observing the Results --|tChapter Review --
    |gch. 10|tApplication Authorization --|tSecure Application Role Procedure for Multiple Applications --|tRebuild Two-Factor Cache Table for Multiple Applications --|tUpdate Two-Factor Code Functions to Use Application ID --|tMove Test for SSO to Separate Function --|tAdd an Oracle Package for Use Only by Application Security --|tAdd Helper Function to Get APP_ROLE --|tReplace Procedure for hrview_role Access with Dynamic Procedure --|tRewrite and Refactor Method to Distribute Two-Factor Code --|tProcedure to get Employee Addresses for Two-Factor Code Delivery --|tStored Procedure to Update Two-Factor Code Cache --|tChanges to the Method to Distribute Two-Factor Codes --|tUpdate to Two-Factor Distribution Formats --|tApplication Authorization Overview --|tUser for Application Authorization --|tNew Profile with Limits and Unlimited --|tApplication Verification User --|tApplication Verification Logon Trigger --|tApplication Verification Logon Procedure --|tGet Off Function --|tFunction to Find Database User --|tProxy Through Application Verification and Other Proxies --|tAuditing Application Verification --|tStructures for Application Authorization --|tMore Space for Application Security --|tApplication Connection Registry Table --|tSet of Connection Strings for an Application --|tInner Class to Represent the Application --|tImplement an Inner Class in OracleJavaSecure --|tDeserialization and Version UID --|tSet Application Context --|tFormat the User-Input Two-Factor Code --|tSave Connection Strings from the Client Perspective --|tMethod to Put Connection Strings in the List for an Application --|tClient Call to Store List of Connection Strings on Oracle --|tSave Connection Strings from the Server Perspective --|tFunction to Call Java to Decrypt the List of Connection Strings --|tMethod to Store List of Connection Strings for Application --|tOracle Procedures to Get Entries from the Application Registry --|tGet an Application Connection String: The Java Client Side --|tGet an Oracle Connection from the List for an Application --|tGet List of Connection Strings from Oracle Database to Client App --|tEstablish a Connection for Application Verification Processes --|tGet a List of Application Connection Strings: The Server Side --|tTest Application Authentication, Phase 1 --|tGet New Structures into Oracle --|tReview Steps of Testing --|tSet the Application Context --|tCall to Get Application Connections --|tSend List of Connection Strings to Oracle Database for Storage --|tGet a Unique Connection for Use in This Application --|tUse or Lose Initial Application Verification Connection --|tGet an Application Connection and the Associated Secure Application Role --|tGet Encrypted Data with the Application Connection --|tAdd More Application Connection Strings --|tTesting a Second Application --|tObjects We Have Never Seen --|tPlace Stub Class on Oracle --|tGet Application Authentication Connection and Role --|tTest Application Authentication, Phase 2 --|tSet the Application Context --|tStore the Connection Strings in Oracle --|tGet an Application Connection with Role --|tSee the Proxy Connection --|tGet Encrypted Data from Oracle --|tChapter Review --
    |gch. 11|tEnhancing Security --|tHide the APPVER Connection String --|tGet It from a Second Source/Server --|tGet It from a Native Call: JNI --|tGet It from an Encrypted Java Class --|tGet It from an Encrypted String --|tGet It from an Encoded String --|tCreate an Oracle Client Wallet --|tInstall the Oracle Client --|tCreate the Wallet --|tUse the Wallet from SQL Plus --|tUse the Wallet from Java --|tAdminister Wallet Security --|tTrace Oracle Client Code --|tLogging Oracle Thin Client Trace Data --|tEncrypt Data Stored on Oracle Database --|tDBMS_CRYPTO Package --|tPasswords and Keys --|tEncryption at Rest Key Store --|tFunctions to Encrypt/Decrypt Data at Rest --|tWrap Utility --|tChanges to setDecryptConns()/getCryptConns() --|tManage Connection Strings for Applications --|tCreate an Application Administrative User --|tCreate an Administrative Role for Application Verification --|tDelete Connection Strings --|tCopy Connection Strings from Previous Version of Application --|tAdd Other Authentication Credentials --|tUpdate Application Security Structures --|tAuthenticate on a Separate Oracle Instance --|tCreate a New Oracle Database Instance --|tCreate a New Oracle Service --|tWrite the Create Database Command --|tCreate and Configure the Database --|tCreate a Database Link to the ORCL Instance --|tRevoke PUBLIC Grant on Sensitive Data Dictionary Views --|tCreate the Remaining Structures for Application Authorization --|tCreate Java Structures --|tRemove Application Verification from the ORCL Instance --|tTest Enhanced Security --|tEncode the APPVER User Password for APVER Instance --|tEdit the Application Passwords to Be Used --|tRun Main to Test --|tRun Main to Copy Connection Strings to New Version --|tTest from a Different Application, TestOracleJavaSecure --|tCompile and Run as Administrative User, OSADMIN --|tRun as Non-Administrative User, OSUSER --|tChapter Review --
    |gch. 12|tAdministration of Security --|tSecurity Administration Interface --|tApplication Login Screen --|tApplication Inner Class --|tCenter Method --|tLogin Screen Constructors --|t"Wait While Processing" Modal Dialog --|tBackground Processing Thread --|tContinue Button --|tLogin Screen Closes --|tSecurity Administration Menu --|tAdd/Modify User Functional Screen --|tInstantiate the AddUser Screen --|tInitialize the Data Selection Components --|tSelect an Existing Employee --|tCreate a New Employee --|tSave Data for the Employee --|tUser Administration Screen --|tCreate the OJSAAdm User --|tEnable the OJSAAdm User Across a Database Link --|tSelect an Existing User --|tSave Updates to the Administrative Privileges --|tRevoke User Access to Run Applications --|tApplication Assignment Screen --|tInitializing the Data Selection Components --|tSelecting an Available Proxy in the Table --|tSelecting a User from the List --|tAdding a Proxy to the User's List --|tRemoving a Proxy from the User's List --|tSaving Updates to the User's Proxies --|tApplication Registration Screen --|tApplication Verification Administrator Role --|tCreate App Class Button --|tTables of Specific Application Administrators and Application to Class Registry --|tSecurity Table Access Analysis --|tRegister Application Button --|tApplication Selection Screen --|tInitializing the List of Applications --|tSelecting the Manage Selected Application Button --|tConnection String Editor --|tInitializing the List of Connection Strings --|tSelecting an Existing Connection String --|tUpdating a Connection String in the List --|tSaving the List of Connection Strings to the Database --|tConnection String Copy Screen --|tLimiting Certain Administrators to Certain Applications --|tVirtual Private Database --|tAdding a Dynamic Where Clause to Procedures --|tAdding a Dynamic Where Clause to a View --|tScripts Execution and Code Compilation --|tFinal Updates to OracleJavaSecure --|tSingle Oracle Instance Code --|tBootstrap OJSAdmin --|tChapter Review.
520 Expert Oracle and Java Security: Programming Secure Oracle Database Applications with Java provides resources that every Java and Oracle database application programmer needs to ensure that they have guarded the security of the data and identities entrusted to them. You'll learn to consider potential vulnerabilities, and to apply best practices in secure Java and PL/SQL coding. Author David Coffin shows how to develop code to encrypt data in transit and at rest, to accomplish single sign-on with Oracle proxy connections, to generate and distribute two-factor authentication tokens from the Oracle server using pagers, cell phones (SMS), and e-mail, and to securely store and distribute Oracle application passwords. Early chapters lay the foundation for effective security in an Oracle/Java environment. Each of the later chapters brings example code to a point where it may be applied as-is to address application security issues. Templates for applications are also provided to help you bring colleagues up to the same secure application standards. If you are less familiar with either Java or Oracle PL/SQL, you will not be left behind; all the concepts in this book are introduced as to a novice and addressed as to an expert.
    Helps you protect against data loss, identity theft, SQL injection, and address spoofing.
    Provides techniques for encryption on network and disk, code obfuscation and wrap, database hardening, single sign-on and two-factor authentication.
    Provides what database administrators need to know about secure password distribution, Java secure programming, Java stored procedures, secure application roles in Oracle, logon triggers, database design, various connection pooling schemes, and much more.
588 0 Online resource; title from PDF title page (EBSCO, viewed November 29, 2017).
590 O'Reilly|bO'Reilly Online Learning: Academic/Public Library Edition
630 00 Oracle (Computer file)
630 07 Oracle (Computer file)|2blmlsh
630 07 Oracle (Computer file)|2fast
650 0 Database security.
650 0 Java (Computer program language)
650 0 Data encryption (Computer science)
650 0 Data protection.
650 6 Databases|xSecurity|xMeasures.
650 6 Java (Programming language)
650 6 Encryption (Computer science)
650 6 Data protection (Computer science)
650 7 Computer science.|2eclas
650 7 Data encryption (Computer science)|2fast
650 7 Data protection|2fast
650 7 Database security|2fast
650 7 Java (Computer program language)|2fast
653 00 computer sciences
653 00 computer sciences
653 00 programming
653 00 programming
653 00 data management
653 00 data management
653 10 Information and Communication Technology (General)
653 10 Information and communication technology (general)
773 0 |tSpringer eBooks
776 08 |iPrinted edition:|z9781430238317
830 0 Expert's voice in Oracle.
856 40 |uhttps://ezproxy.naperville-lib.org/login?url=https://learning.oreilly.com/library/view/~/9781430238317/?ar|zAvailable on O'Reilly for Public Libraries
938 Askews and Holts Library Services|bASKH|nAH29395528
938 Books 24x7|bB247|nbks00043721
938 EBL - Ebook Library|bEBLB|nEBL883795
938 ebrary|bEBRY|nebr10520912
938 EBSCOhost|bEBSC|n1173488
938 ProQuest MyiLibrary Digital eBook Collection|bIDEB|n347715
938 YBP Library Services|bYANK|n7342935
994 92|bJFN