Library Hours
Monday to Friday: 9 a.m. to 9 p.m.
Saturday: 9 a.m. to 5 p.m.
Sunday: 1 p.m. to 9 p.m.
Naper Blvd. 1 p.m. to 5 p.m.
LEADER 00000cam a2201009 a 4500
001 768826063
003 OCoLC
005 20240129213017.0
006 m o d
007 cr cnu---unuuu
008 111220s2011 caua o 001 0 eng d
019 772190950|a780035531|a817061635|a824110313|a961486102
|a1005786141|a1066497059|a1086544550|a1087227425
|a1110894758|a1112521738|a1129341849|a1135586607
|a1152991399|a1162735439|a1192336208|a1204026462
|a1240518511
020 9781430238324|q(electronic bk.)
020 1430238321|q(electronic bk.)
024 7 10.1007/978-1-4302-3832-4|2doi
024 8 10.1007/978-1-4302-3
029 1 AU@|b000048718827
029 1 AU@|b000053276214
029 1 AU@|b000058047255
029 1 AU@|b000060583593
029 1 DEBSZ|b367965135
029 1 DEBSZ|b397270712
029 1 NZ1|b14263646
029 1 AU@|b000067100103
035 (OCoLC)768826063|z(OCoLC)772190950|z(OCoLC)780035531
|z(OCoLC)817061635|z(OCoLC)824110313|z(OCoLC)961486102
|z(OCoLC)1005786141|z(OCoLC)1066497059|z(OCoLC)1086544550
|z(OCoLC)1087227425|z(OCoLC)1110894758|z(OCoLC)1112521738
|z(OCoLC)1129341849|z(OCoLC)1135586607|z(OCoLC)1152991399
|z(OCoLC)1162735439|z(OCoLC)1192336208|z(OCoLC)1204026462
|z(OCoLC)1240518511
037 CL0500000120|bSafari Books Online
040 GW5XE|beng|epn|cGW5XE|dB24X7|dUMI|dE7B|dCOO|dYDXCP|dEBLCP
|dDEBSZ|dOCLCO|dOCLCQ|dBEDGE|dOCLCQ|dIDEBK|dVT2|dOCLCF
|dOCLCQ|dTXI|dOCLCQ|dAZK|dZ5A|dVGM|dLIV|dUAB|dOCLCQ|dMERUC
|dESU|dIOG|dN$T|dOCLCQ|dCEF|dINT|dU3W|dAU@|dOCLCQ|dOCLCO
|dWYU|dYOU|dOCLCQ|dOCLCO|dOL$|dOCLCQ|dOCLCO|dLEAUB|dDCT
|dERF|dUKAHL|dWURST|dOCLCQ|dLQU|dBRF|dOCLCO|dOCLCQ|dOCLCO
|dOCLCQ|dOCLCL
049 INap
082 04 005.8
082 04 005.8|223
099 eBook O’Reilly for Public Libraries
100 1 Coffin, David.
245 10 Expert Oracle and Java security :|bprogramming secure
Oracle database applications with Java /|cby David Coffin.
|h[O'Reilly electronic resource]
260 [Berkeley, CA] :|bApress,|c©2011.
300 1 online resource (xxvi, 442 pages) :|billustrations
336 text|btxt|2rdacontent
337 computer|bc|2rdamedia
338 online resource|bcr|2rdacarrier
347 data file|2rda
490 1 The expert's voice in Oracle
505 00 |gMachine generated contents note:|gch. 1|tIntroduction --
|tRequirements --|tFor Windows and UNIX/Linux Users --
|tBackground --|tHow to Use This Book --|tOrganization of
This Book --|tJava Objects and Oracle Database Structures
--|tChapter Review --|gch. 2|tOracle Database Security --
|tFinding a Test Oracle Database --|tWorking from an
Existing Oracle Database --|tOracle Users and Schemas --
|tSQL Plus, SQL Developer, JDeveloper, or TOAD --
|tOrganization of the Next Few Sections --|tWorking as the
SYS User --|tSystem Privileges --|tRoles --|tSecurity
Administrator User --|tSecurity Administrator Role --
|tAudit Trail --|tData Dictionary --|tWorking as the
Security Administrator --|tAcquire secadm_role from a SQL
Plus Local Connection --|tToggle Between Roles --|tCreate
an Application Security User --|tCreate an Application
User --|tCreate the HR View Role --|tAudit Changes to
Security Administrator Procedures --|tAudit Failed
Attempts to Access HR Data --|tWorking as the HR Schema
User --|tSensitive Data in the HR Sample Schema --|tPublic
View of Employees --|tSensitive View of EMPLOYEES --|tTest
Application User Access --|tAudit Trail Logs for the
Sensitive View --|tRegarding Synonyms --|tChapter Review -
-|gch. 3|tSecure Java Development Concepts --|tJava
Development Kit --|tOracle Java Database Connectivity --
|tJAR File Directory Separator --|tJava Packages --
|tDevelopment at Command Prompt --|tEnvironment --
|tBeginning Java Syntax --|tByte Code Compilation and the
Java Virtual Machine --|tJava Code and Syntax Concepts --
|tMethods --|tValues --|tMembers --|tObjects --|tClasses
and Null --|tGarbage Collection --|tPrimitives --|tStrings
--|tStatic Modifier and the mainO Method --|tPublic and
Private Modifiers --|tExceptions --|tException Handling
Syntax --|tException Handling Approaches --|tJava Virtual
Machine Sandbox --|tChapter Review --|gch. 4|tJava Stored
Procedures --|tJava Stored Procedure Example --|tAcquiring
the Privilege to Load a Java Stored Procedure --|tLoading
Java in the Oracle Database --|tHandling Exceptions in a
Java Stored Procedure --|tCalling Oracle Database from
Java --|tMethod Syntax in Java Stored Procedures --
|tCalling Java from Oracle Database --|tInstalling and
Testing the Example Code --|tReview The Roster of
Participants --|tCleaning Up --|tOracle Java Virtual
Machine --|tOracle JVM Based on Java SE1.5 --|tSeparate
JVM for Each Oracle Session --|tOracle JVM Sandbox --
|tAuto-Commit Disabled in the Oracle JVM --|tChapter
Review --|gch. 5|tPublic Key Encryption --|tGenerate Keys
on the Client --|tRSA Public Key Cryptography --|tJava
Code to Generate and Use RSA Keys --|tCreating a Set of
Keys --|tHand the Public Key Across the Network --
|tSerialize Objects --|tBuilding the Public Key from
Artifacts --|tGenerating the RSA Cipher --|tUsing the RSA
Cipher --|tGetting RSA Public Key Artifacts --|tUsing
Static Methods and Private Constructor --|tInstantiating a
Connection Member from a Static Initializer --|tUsing One
Code for Both Client and Server --|tTesting on the Client
--|tWriting the mainQ Method --|tRunning the Code --|tKey
Exchange --|tCreating a Function to Encrypt Data with
Public Key --|tCreating a Procedure to get SYSDATE in
Encrypted Form --|tLoading OracleJavaSecure Java into
Oracle Database --|tEncrypting Data with Public Key --
|tUse Stacked Calls --|tDecrypting Data with Private Key -
-|tTesting on Client and Server --|tUsing IN and OUT
Parameters in an OracleCallableStatement --|tHandle Errors
Reported by Oracle Database --|tDecrypting at the Client -
-|tRunning Our Code Again --|tObserving the Results --
|tRemoving the Demonstration Oracle Structures --|tChapter
Review --|gch. 6|tSecret Password Encryption --|tApproach
--|tJava Code for Secret Password Encryption --|tSharing
the Artifacts of a Secret Password Key --|tInitializing
Static Class Members --|tEvaluating the Java 1.5 Password-
Based Encryption Bug --|tCoding an Automatic Upgrade:
Negotiated Algorithm --|tGenerating the Password Key --
|tEncrypting with the Public RSA Key --|tReturning Secret
Password Key Artifacts to the Client --|tEncrypting Data
with Our Secret Password --|tOracle Structures for Secret
Password Encryption --|tPackage to Get Secret Password
Artifacts and Encrypted Data --|tApplication Security
Package Specification --|tApplication Security Package
Body: Functions --|tApplication Security Package Body:
Procedures --|tJava Methods for Secret Password Decryption
--|tDecrypting Data Using the Secret Password Key --
|tDecrypting the DES Passphrase using RSA Private Key --
|tAncillary Methods for Array Conversion --|tMethod Used
to Show Actual Algorithm --|tTesting DES Encryption on the
Client Only --|tRunning the Code --|tObserving the Results
--|tCoding to Test Client/Server Secret Password
Encryption --|tSetting the Code to Test Server as well as
Client --|tConsider the Server Portion of the mainO Method
--|tGetting the DES Secret Password from Oracle --|tSeeing
the Negotiated Algorithm for Password-Based Encryption --
|tCalling Oracle Database to get Encrypted Data --
|tTesting Oracle Database Encrypt and Local Decrypt Data -
-|tSending Encrypted Data to Oracle --|tTesting Our Secure
Client/Server Data Transmission --|tChapter Review --|gch.
7|tData Encryption in Transit --|tSecurity Administrator
Activities --|tGranting More System Privileges to the
Application Security User --|tPermitting Users to Execute
Packages in Other Schemas --|tApplication Security User
Activities --|tCreating a Table for Error Logging --
|tCreating a Table for Managing Our Error Log Table --
|tCreating an Error Log Management Procedure --|tCreating
a Trigger to Maintain the Error Log Table --|tTesting the
Trigger --|tUpdating the Application Security Package --
|tCreating an Error Logging Procedure --|tExecuting
Package Specification and Body --|tMethods for Using and
Testing Encryption in Transit --|tMethod to Build the
Secret Password Key --|tTemporary Method to Reset All Keys
--|tLoading Updated OracleJavaSecure Class into Oracle --
|tSecurity Structures for the HR User --|tExploring
Privileges That Enable HR Tasks --|tCreating the HR
Security Package --|tSelecting Sensitive Data Columns from
EMPLOYEES --|tSelecting All Data as a Single Sensitive
String --|tSelecting Sensitive Data for an Employee ID --
|tRevising Procedure to Get Shared Passphrase --|tUpdating
Sensitive Data Columns in EMPLOYEES --|tAvoiding SQL
Injection --|tDemonstrating Failure to SQL Inject in
Stored Procedure --|tExecuting the HR Package
Specification and Body --|tInserting an EMPLOYEES Record:
Update a Sequence --|tDemonstrations and Tests of
Encrypted Data Exchange --|tSome Preliminary Steps --
|tSelecting Encrypted Data from EMPLOYEES --|tSelecting
All Columns in Encrypted String --|tSending Encrypted Data
to Oracle Database for Insert/Update --|tSelecting a
Single Row from EMPLOYEES --|tSelecting EMPLOYEES Data by
Last Name: Try SQL Injection --|tSelecting EMPLOYEES Data
by RAW: Try SQL Injection --|tTesting Encryption Failure
with New Client Keys --|tTesting Failure with New Oracle
Connection --|tSome Closing Remarks --|tExecuting the
Demonstrations and Tests --|tObserving the Results --
|tDemonstrating Scenarios --|tQuerying Employees to See
Updates --|tPackaging Template to Implement Encryption --
|tTemplate for Oracle Application Security Structures --
|tTemplate for Java Calls to Application Security --|tJava
Archive for Use by Applications --|tDon't Stop Now --
|tChapter Review --|gch.
505 00 |t8|tSingle Sign-On --|tAnother Layer of Authentication? -
-|tWho Is Logged-ln on the Client? --|tFind a Better
Source of OS User Identity --|tUse NTSystem or UnixSystem
to Get Identity --|tDo Cross-Platform-Specific Coding with
Reflection --|tAssure More Stringent OS Identity --
|tAccess Oracle Database as Our Identified User --
|tExamine the Oracle SSO Options for Programmers --|tSet a
Client Identifier --|tPrepare to Access HR Data --|tUpdate
p_check_hrview_access Procedure, Non-Proxy Sessions --
|tAssure Client Identifier and OSJJSER --|tAudit Activity
with Client Identifier Set --|tProxy Sessions --|tCreate
Individual Person Users in Oracle --|tProxy from Users
IDENTIFIED EXTERNALLY --|tEstablish a Proxy Session --
|tUpdate p_check_hrview_access Procedure, Proxy Sessions -
-|tAudit Proxy Sessions --|tUsing Connection Pools --
|tProxy Connections from an OCI Connection Pool --|tProxy
Sessions from a Thin Client Connection Pool --|tUniversal
Connection Pool --|tApplication Use of Oracle SSO --|tOur
Example Application Oracle SSO --|tUpdates to
OracleJavaSecure --|tCode Template to Give Developers --
|tChapter Review --|gch. 9|tTwo-Factor Authentication --
|tGet Oracle Database to Send E-Mail --|tInstalling
UTL_MAIL --|tGranting Access to UTL_MAIL --|tTesting
Sending E-Mail --|tGetting Oracle Database to Browse Web
Pages --|tDelegating Java Policy to Security Administrator
--|tPermitting Application Security User to Read Web Pages
--|tTwo-Factor Authentication Process --|tSecurity
Considerations for Two-Factor Distribution Avenues --
|tSecurity Issues with Two-Factor Delivery to E-Mail --
|tSecurity Issues with Two-Factor Delivery to Pagers --
|tSecurity Issues with Two-Factor Delivery to Cell Phones
--|tPreferred Two-Factor Delivery --|tOracle Structures
Supporting Two-Factor Authentication --|tCreating the SMS
Carrier Host Table --|tCreating a Table of Employee Mobile
Numbers --|tAccessing HR Tables from Application Security
Procedures --|tCreate the Two-Factor Codes Cache Table --
|tTesting Cache Aging --|tVerifying Current Cached Two-
Factor Pass Code --|tSending Two-Factor Pass Codes --
|tUpdating the Secure Application Role, HRVIEW_ROLE
Procedure --|tUpdate OracleJavaSecurity.java for Two-
Factor Authentication.
505 00 |gNote continued:|tSetting Some Company-Specific Addresses
--|tCompile Two-Factor Delivery Route Codes: Binary Math -
-|tExploring a Method to Distribute the Two-Factor Codes -
-|tDistributing the Code to SMS --|tDistributing the Code
to Pager URL --|tDistributing the Code to E-Mail --
|tTesting Two-Factor Authentication --|tUpdating
OracleJavaSecure Java in Oracle --|tEditing the Test Code
--|tPlanning to Pass the Two-Factor Code as an Argument to
Main --|tPlanning to Acquire the Secure Application Role -
-|tRunning the Tests and Observing the Results --|tChapter
Review --|gch. 10|tApplication Authorization --|tSecure
Application Role Procedure for Multiple Applications --
|tRebuild Two-Factor Cache Table for Multiple Applications
--|tUpdate Two-Factor Code Functions to Use Application ID
--|tMove Test for SSO to Separate Function --|tAdd an
Oracle Package for Use Only by Application Security --
|tAdd Helper Function to Get APP_R0LE --|tReplace
Procedure for hrview_role Access with Dynamic Procedure --
|tRewrite and Refactor Method to Distribute Two-Factor
Code --|tProcedure to get Employee Addresses for Two-
Factor Code Delivery --|tStored Procedure to Update Two-
Factor Code Cache --|tChanges to the Method to Distribute
Two-Factor Codes --|tUpdate to Two-Factor Distribution
Formats --|tApplication Authorization Overview --|tUser
for Application Authorization --|tNew Profile with Limits
and Unlimited --|tApplication Verification User --
|tApplication Verification Logon Trigger --|tApplication
Verification Logon Procedure --|tGet Off Function --
|tFunction to Find Database User --|tProxy Through
Application Verification and Other Proxies --|tAuditing
Application Verification --|tStructures for Application
Authorization --|tMore Space for Application Security --
|tApplication Connection Registry Table --|tSet of
Connection Strings for an Application --|tInner Class to
Represent the Application --|tImplement an Inner Class in
OracleJavaSecure --|tDeserialization and Version UID --
|tSet Application Context --|tFormat the User-Input Two-
Factor Code --|tSave Connection Strings from the Client
Perspective --|tMethod to Put Connection Strings in the
List for an Application --|tClient Call to Store List of
Connection Strings on Oracle --|tSave Connection Strings
from the Server Perspective --|tFunction to Call Java to
Decrypt the List of Connection Strings --|tMethod to Store
List of Connection Strings for Application --|tOracle
Procedures to Get Entries from the Application Registry --
|tGet an Application Connection String: The Java Client
Side --|tGet an Oracle Connection from the List for an
Application --|tGet List of Connection Strings from Oracle
Database to Client App --|tEstablish a Connection for
Application Verification Processes --|tGet a List of
Application Connection Strings: The Server Side --|tTest
Application Authentication, Phase 1 --|tGet New Structures
into Oracle --|tReview Steps of Testing --|tSet the
Application Context --|tCall to Get Application
Connections --|tSend List of Connection Strings to Oracle
Database for Storage --|tGet a Unique Connection for Use
in This Application --|tUse or Lose Initial Application
Verification Connection --|tGet an Application Connection
and the Associated Secure Application Role --|tGet
Encrypted Data with the Application Connection --|tAdd
More Application Connection Strings --|tTesting a Second
Application --|tObjects We Have Never Seen --|tPlace Stub
Class on Oracle --|tGet Application Authentication
Connection and Role --|tTest Application Authentication,
Phase 2 --|tSet the Application Context --|tStore the
Connection Strings in Oracle --|tGet an Application
Connection with Role --|tSee the Proxy Connection --|tGet
Encrypted Data from Oracle --|tChapter Review --|gch. 11
|tEnhancing Security --|tHide the APPVER Connection String
--|tGet It from a Second Source/Server --|tGet It from a
Native Call: JNI --|tGet It from an Encrypted Java Class -
-|tGet It from an Encrypted String --|tGet It from an
Encoded String --|tCreate an Oracle Client Wallet --
|tInstall the Oracle Client --|tCreate the Wallet --|tUse
the Wallet from SQL Plus --|tUse the Wallet from Java --
|tAdminister Wallet Security --|tTrace Oracle Client Code
--|tLogging Oracle Thin Client Trace Data --|tEncrypt Data
Stored on Oracle Database --|tDBMS_CRYPTO Package --
|tPasswords and Keys --|tEncryption at Rest Key Store --
|tFunctions to Encrypt/Decrypt Data at Rest --|tWrap
Utility --|tChanges to setOecryptConnsO/getCryptConnsO --
|tManage Connection Strings for Applications --|tCreate an
Application Administrative User --|tCreate an
Administrative Role for Application Verification --
|tDelete Connection Strings --|tCopy Connection Strings
from Previous Version of Application --|tAdd Other
Authentication Credentials --|tUpdate Application Security
Structures --|tAuthenticate on a Separate Oracle Instance
--|tCreate a New Oracle Database Instance --|tCreate a New
Oracle Service --|tWrite the Create Database Command --
|tCreate and Configure the Database --|tCreate a Database
Link to the ORCL Instance --|tRevoke PUBLIC Grant on
Sensitive Data Dictionary Views --|tCreate the Remaining
Structures for Application Authorization --|tCreate Java
Structures --|tRemove Application Verification from the
ORCL Instance --|tTest Enhanced Security --|tEncode the
APPVER User Password for APVER Instance --|tEdit the
Application Passwords to Be Used --|tRun Main to Test --
|tRun Main to Copy Connection Strings to New Version --
|tTest from a Different Application, TestOracleJavaSecure
--|tCompile and Run as Administrative User, OSADMIN --
|tRun as Non-Administrative User, OSUSER --|tChapter
Review --|gch. 12|tAdministration of Security --|tSecurity
Administration Interface --|tApplication Login Screen --
|tApplication Inner Class --|tCenter Method --|tLogin
Screen Constructors --|t"Wait While Processing" Modal
Dialog --|tBackground Processing Thread --|tContinue
Button --|tLogin Screen Closes --|tSecurity Administration
Menu --|tAdd/Modify User Functional Screen --|tInstantiate
the AddUser Screen --|tInitialize the Data Selection
Components --|tSelect an Existing Employee --|tCreate a
New Employee --|tSave Data for the Employee --|tUser
Administration Screen --|tCreate the OJSAAdm User --
|tEnable the OJSAAdm User Across a Database Link --
|tSelect an Existing User --|tSave Updates to the
Administrative Privileges --|tRevoke User Access to Run
Applications --|tApplication Assignment Screen --
|tInitializing the Data Selection Components --|tSelecting
an Available Proxy in the Table --|tSelecting a User from
the List --|tAdding a Proxy to the User's List --
|tRemoving a Proxy from the User's List --|tSaving Updates
to the User's Proxies --|tApplication Registration Screen
--|tApplication Verification Administrator Role --|tCreate
App Class Button --|tTables of Specific Application
Administrators and Application to Class Registry --
|tSecurity Table Access Analysis --|tRegister Application
Button --|tApplication Selection Screen --|tInitializing
the List of Applications --|tSelecting the Manage Selected
Application Button --|tConnection String Editor --
|tInitializing the List of Connection Strings --
|tSelecting an Existing Connection String --|tUpdating a
Connection String in the List --|tSaving the List of
Connection Strings to the Database --|tConnection String
Copy Screen --|tLimiting Certain Administrators to Certain
Applications --|tVirtual Private Database --|tAdding a
Dynamic Where Clause to Procedures --|tAdding a Dynamic
Where Clause to a View --|tScripts Execution and Code
Compilation --|tFinal Updates to OracleJavaSecure --
|tSingle Oracle Instance Code --|tBootstrap OJSAdmin --
|tChapter Review.
520 Expert Oracle and Java Security: Programming Secure Oracle
Database Applications with Java provides resources that
every Java and Oracle database application programmer
needs to ensure that they have guarded the security of the
data and identities entrusted to them. You'll learn to
consider potential vulnerabilities, and to apply best
practices in secure Java and PL/SQL coding. Author David
Coffin shows how to develop code to encrypt data in
transit and at rest, to accomplish single sign-on with
Oracle proxy connections, to generate and distribute two-
factor authentication tokens from the Oracle server using
pagers, cell phones (SMS), and e-mail, and to securely
store and distribute Oracle application passwords. Early
chapters lay the foundation for effective security in an
Oracle/Java environment. Each of the later chapters brings
example code to a point where it may be applied as-is to
address application security issues. Templates for
applications are also provided to help you bring
colleagues up to the same secure application standards. If
you are less familiar with either Java or Oracle PL/SQL,
you will not be left behind; all the concepts in this book
are introduced as to a novice and addressed as to an
expert. Helps you protect against data loss, identity
theft, SQL injection, and address spoofing Provides
techniques for encryption on network and disk, code
obfuscation and wrap, database hardening, single sign-on
and two-factor Provides what database administrators need
to know about secure password distribution, Java secure
programming, Java stored procedures, secure application
roles in Oracle, logon triggers, database design, various
connection pooling schemes, and much more.
588 0 Online resource; title from PDF title page (EBSCO, viewed
November 29, 2017).
590 O'Reilly|bO'Reilly Online Learning: Academic/Public
Library Edition
630 00 Oracle (Computer file)
630 07 Oracle (Computer file)|2blmlsh
630 07 Oracle (Computer file)|2fast
650 0 Database security.
650 0 Java (Computer program language)
650 0 Data encryption (Computer science)
650 0 Data protection.
650 6 Bases de données|xSécurité|xMesures.
650 6 Java (Langage de programmation)
650 6 Chiffrement (Informatique)
650 6 Protection de l'information (Informatique)
650 7 Informatique.|2eclas
650 7 Data encryption (Computer science)|2fast
650 7 Data protection|2fast
650 7 Database security|2fast
650 7 Java (Computer program language)|2fast
653 00 computerwetenschappen
653 00 computer sciences
653 00 programmeren
653 00 programming
653 00 gegevensbeheer
653 00 data management
653 10 Information and Communication Technology (General)
653 10 Informatie- en communicatietechnologie (algemeen)
773 0 |tSpringer eBooks
776 08 |iPrinted edition:|z9781430238317
830 0 Expert's voice in Oracle.
856 40 |uhttps://ezproxy.naperville-lib.org/login?url=https://
learning.oreilly.com/library/view/~/9781430238317/?ar
|zAvailable on O'Reilly for Public Libraries
938 Askews and Holts Library Services|bASKH|nAH29395528
938 Books 24x7|bB247|nbks00043721
938 EBL - Ebook Library|bEBLB|nEBL883795
938 ebrary|bEBRY|nebr10520912
938 EBSCOhost|bEBSC|n1173488
938 ProQuest MyiLibrary Digital eBook Collection|bIDEB|n347715
938 YBP Library Services|bYANK|n7342935
994 92|bJFN