Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.misc -> Re: Cannot grant permissions with dbms_java

Re: Cannot grant permissions with dbms_java

From: Oliver Demus <oliver_at_demus-online.de>
Date: 26 Jan 2003 09:10:02 -0800
Message-ID: <62e59750.0301260910.27c59374@posting.google.com> 





Got the solution, I had to grant the following also:
java.lang.RuntimePermission','writeFileDescriptor' and
java.lang.RuntimePermission','readFileDescriptor'



now it works




Tim X <timx_at_spamto.devnul.com> wrote in message news:<87bs248loj.fsf_at_tiger.rapttech.com.au>...


> >>>>> "Oliver" == Oliver Demus <oliver_at_demus-online.de> writes:

> 

>  Oliver> Cannot grant permissions with dbms_java Hello, I am having

>  Oliver> problems with a stored procedure (PL/SQL) which calls a java

>  Oliver> class stored externally (mapped to DB using CREATE DIRECTORY,

>  Oliver> CREATE JAVA CLASS).  The java class calls a .bat file.

>  Oliver> Calling the stored procedure gives

> 

>  Oliver> * ERROR at line 1: ORA-29532: Java call terminated by

>  Oliver> uncaught Java exception:

>  Oliver> java.security.AccessControlException: the Permission

>  Oliver> (java.io.FilePermission <<ALL

>  FILES> execute) has not been granted by dbms_java.grant_permission to

>  Oliver> SchemaProtectionDomain(TEST|PolicyTableProxy(TEST))

>  Oliver> ORA-06512: at "TEST.PROC_BATCH", line 0 ORA-06512: at line 1

> 

>  Oliver> Using dbms_java does not solve this.  exec

>  Oliver> dbms_java.grant_permission('TEST', 'java.io.FilePermission',

>  Oliver> '<<ALL_FILES>>', 'read,execute');

> 

>  Oliver> User TEST has DBA rights (inc. JAVA_ADMIN)

> 

> Firstly, don't use <<ALL FILES>> - this could create a major security

> hole as it gives access to everything the user Oracle is running as

> has access to. Instead explicitly list the files/directories you want

> access to. You can use the '*' for everything within a directory and

> '+' for recursive access to fiels and sub-directories etc.

> 

> I don't think you should give the JAVA_ADMIN permission - instead use

> fine grained access control so that you know exactly what the procedure can

> and cannot do. 

> 

> If you are createing files/directories, you need to also provide

> 'write' permisison.

> 

> I think you only need execute permission if you want to execute and OS

> prog/script. If this is the case you also need to grant permission to

> create a java runtime object - I cant remember the actual name, but it

> is listed in the manual. 

> 

> I'm not exactly sure why you are getting the rror, but I suspect its

> an interaction between the permissions of the TEST schema and those

> granted to JAVA_ADMIN. I suspect JAVA_ADIN does not have permission to

> execute on <<ALL FILES>>. If you just use fine grained access control,

> the picture will probably be clearer.

> 

> Tim

Received on Sun Jan 26 2003 - 11:10:02 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US