Expert Oracle and Java Security: Programming Secure Oracle Database Applications with Java

Book Description

Expert Oracle and Java Security: Programming Secure Oracle Database Applications with Java provides resources that every Java and Oracle database application programmer needs to ensure that they have guarded the security of the data and identities entrusted to them. You'll learn to consider potential vulnerabilities, and to apply best practices in secure Java and PL/SQL coding. Author David Coffin shows how to develop code to encrypt data in transit and at rest, to accomplish single sign-on with Oracle proxy connections, to generate and distribute two-factor authentication tokens from the Oracle server using pagers, cell phones (SMS), and e-mail, and to securely store and distribute Oracle application passwords.

Early chapters lay the foundation for effective security in an Oracle/Java environment. Each of the later chapters brings example code to a point where it may be applied as-is to address application security issues. Templates for applications are also provided to help you bring colleagues up to the same secure application standards. If you are less familiar with either Java or Oracle PL/SQL, you will not be left behind; all the concepts in this book are introduced as to a novice and addressed as to an expert.

  • Helps you protect against data loss, identity theft, SQL injection, and address spoofing

  • Provides techniques for encryption on network and disk, code obfuscation and wrapping, database hardening, single sign-on, and two-factor authentication

  • Provides what database administrators need to know about secure password distribution, Java secure programming, Java stored procedures, secure application roles in Oracle, logon triggers, database design, various connection pooling schemes, and much more

What you'll learn

  • Guard against data loss, identity theft, SQL injection, and address spoofing

  • Protect sensitive data through encryption, both on disk and on the wire

  • Control access to data using secure roles, single sign-on, proxy connections, and two-factor authentication

  • Protect sensitive source code through randomization, obfuscation, and wrapping

  • Thwart attempts at SQL injection and other common attacks

  • Manage constraints on the visibility of data and the scope of access

Who this book is for

Expert Oracle and Java Security: Programming Secure Oracle Database Applications with Java is for every Java developer who uses an Oracle database. It is also for every Oracle database administrator or PL/SQL programmer who supports Java client and web applications. Whatever role you play in developing and supporting Java and Oracle applications, you need to address computer, application, data, and identity security. This book offers the tools you'll need to effectively manage security across all aspects of the applications you support.

Table of Contents

  1. Title
  2. Dedication
  3. Contents at a Glance
  4. Contents
  5. About the Author
  6. About the Technical Reviewer
  7. Acknowledgments
  8. Introduction
  9. Chapter 1: Introduction
    1. Requirements
    2. For Windows and UNIX/Linux Users
    3. Background
    4. How to Use This Book
    5. Organization of This Book
    6. Java Objects and Oracle Database Structures
    7. Chapter Review
  10. Chapter 2: Oracle Database Security
    1. Finding a Test Oracle Database
    2. Working from an Existing Oracle Database
    3. Oracle Users and Schemas
    4. SQL*Plus, SQL Developer, JDeveloper, or TOAD
    5. Organization of the Next Few Sections
    6. Working as the SYS User
    7. Working as the Security Administrator
    8. Working as the HR Schema User
    9. Test Application User Access
    10. Audit Trail Logs for the Sensitive View
    11. Regarding Synonyms
    12. Chapter Review
  11. Chapter 3: Secure Java Development Concepts
    1. Java Development Kit
    2. Oracle Java Database Connectivity
    3. JAR File Directory Separator
    4. Java Packages
    5. Development at Command Prompt
    6. Java Code and Syntax Concepts
    7. Exceptions
    8. Java Virtual Machine Sandbox
    9. Chapter Review
  12. Chapter 4: Java Stored Procedures
    1. Java Stored Procedure Example
    2. Method Syntax in Java Stored Procedures
    3. Cleaning Up
    4. The Oracle Java Virtual Machine
    5. Chapter Review
  13. Chapter 5: Public Key Encryption
    1. Generate Keys on the Client
    2. RSA Public Key Cryptography
    3. Java Code to Generate and Use RSA Keys
    4. Testing on the Client
    5. Key Exchange
    6. Testing on Client and Server
    7. Chapter Review
  14. Chapter 6: Secret Password Encryption
    1. Approach
    2. Java Code for Secret Password Encryption
    3. Oracle Structures for Secret Password Encryption
    4. Java Methods for Secret Password Decryption
    5. Testing DES Encryption on the Client Only
    6. Coding to Test Client/Server Secret Password Encryption
    7. Testing Our Secure Client/Server Data Transmission
    8. Chapter Review
  15. Chapter 7: Data Encryption in Transit
    1. Security Administrator Activities
    2. Application Security User Activities
    3. Updating the Application Security Package
    4. Methods for Using and Testing Encryption in Transit
    5. Loading Updated OracleJavaSecure Class into Oracle
    6. Security Structures for the HR User
    7. Inserting an EMPLOYEES Record: Update a Sequence
    8. Demonstrations and Tests of Encrypted Data Exchange
    9. Executing the Demonstrations and Tests
    10. Packaging Template to Implement Encryption
    11. Don't Stop Now
    12. Chapter Review
  16. Chapter 8: Single Sign-On
    1. Another Layer of Authentication?
    2. Who Is Logged-In on the Client?
    3. Access Oracle Database as Our Identified User
    4. Proxy Sessions
    5. Using Connection Pools
    6. Application Use of Oracle SSO
    7. Chapter Review
  17. Chapter 9: Two-Factor Authentication
    1. Get Oracle Database to Send E-Mail
    2. Getting Oracle Database to Browse Web Pages
    3. The Two-Factor Authentication Process
    4. Security Considerations for Two-Factor Distribution Avenues
    5. Oracle Structures Supporting Two-Factor Authentication
    6. Update for Two-Factor Authentication
    7. Testing Two-Factor Authentication
    8. Chapter Review
  18. Chapter 10: Application Authorization
    1. Secure Application Role Procedure for Multiple Applications
    2. Rewrite and Refactor Method to Distribute Two-Factor Code
    3. Update to Two-Factor Distribution Formats
    4. Application Authorization Overview
    5. User for Application Authorization
    6. Structures for Application Authorization
    7. A Set of Connection Strings for an Application
    8. Save Connection Strings from the Client Perspective
    9. Save Connection Strings from the Server Perspective
    10. Get an Application Connection String: The Java Client Side
    11. Get a List of Application Connection Strings: The Server Side
    12. Test Application Authentication, Phase 1
    13. Testing a Second Application
    14. Get Application Authentication Connection and Role
    15. Test Application Authentication, Phase 2
    16. Chapter Review
  19. Chapter 11: Enhancing Security
    1. Hide the APPVER Connection String
    2. Create an Oracle Client Wallet
    3. Trace Oracle Client Code
    4. Logging Oracle Thin Client Trace Data
    5. Encrypt Data Stored on Oracle Database
    6. Manage Connection Strings for Applications
    7. Add Other Authentication Credentials
    8. Update Application Security Structures
    9. Authenticate on a Separate Oracle Instance
    10. Test Enhanced Security
    11. Test from a Different Application, TestOracleJavaSecure
    12. Chapter Review
  20. Chapter 12: Administration of Security
    1. A Security Administration Interface
    2. Application Login Screen
    3. Security Administration Menu
    4. Add/Modify User Functional Screen
    5. User Administration Screen
    6. Application Assignment Screen
    7. Application Registration Screen
    8. Application Selection Screen
    9. Connection String Editor
    10. Connection String Copy Screen
    11. Limiting Certain Administrators to Certain Applications
    12. Scripts Execution and Code Compilation
    13. Final Updates to OracleJavaSecure
    14. Single Oracle Instance Code
    15. Bootstrap OJSAdmin
    16. Chapter Review
  21. Appendix A: List of Methods from OracleJavaSecure Class
  22. Appendix B: Oracle Procedures, Functions and Triggers for Oracle and Java Security
  23. Index