Re: Cannot grant permissions with dbms_java
Never use <<ALL_FILES>> permission. Secondly no need for java_admin
role to be granted to user TEST. Better would be to create a role e.g.
MY_JAVA_ROLE and run grants against that role then grant that role to
the users...much easier to maintain.
You would have to commit; after running java grants. Also I noticed that you are using 'java.io.FilePermission'. Instead it should be 'SYS:java.io.FilePermission'. Here is a script I use for java file grants. Works every time.
UNDEFINE SUPER_USER
UNDEFINE DIR_NAME
UNDEFINE JAVA_ROLE
Regards
/Rauf Sarwar
Tim X <timx_at_spamto.devnul.com> wrote in message news:<87bs248loj.fsf_at_tiger.rapttech.com.au>...
> >>>>> "Oliver" == Oliver Demus <oliver_at_demus-online.de> writes:
>
> Oliver> Cannot grant permissions with dbms_java Hello, I am having
> Oliver> problems with a stored procedure (PL/SQL) which calls a java
> Oliver> class stored externally (mapped to DB using CREATE DIRECTORY,
> Oliver> CREATE JAVA CLASS). The java class calls a .bat file.
> Oliver> Calling the stored procedure gives
>
> Oliver> * ERROR at line 1: ORA-29532: Java call terminated by
> Oliver> uncaught Java exception:
> Oliver> java.security.AccessControlException: the Permission
> Oliver> (java.io.FilePermission <<ALL
> FILES> execute) has not been granted by dbms_java.grant_permission to
> Oliver> SchemaProtectionDomain(TEST|PolicyTableProxy(TEST))
> Oliver> ORA-06512: at "TEST.PROC_BATCH", line 0 ORA-06512: at line 1
>
> Oliver> Using dbms_java does not solve this. exec
> Oliver> dbms_java.grant_permission('TEST', 'java.io.FilePermission',
> Oliver> '<<ALL_FILES>>', 'read,execute');
>
> Oliver> User TEST has DBA rights (inc. JAVA_ADMIN)
>
> Firstly, don't use <<ALL FILES>> - this could create a major security
> hole as it gives access to everything the user Oracle is running as
> has access to. Instead explicitly list the files/directories you want
> access to. You can use the '*' for everything within a directory and
> '+' for recursive access to files and sub-directories etc.
>
> I don't think you should give the JAVA_ADMIN permission - instead use
> fine grained access control so that you know exactly what the procedure can
> and cannot do.
>
> If you are creating files/directories, you need to also provide
> 'write' permission.
>
> I think you only need execute permission if you want to execute an OS
> prog/script. If this is the case you also need to grant permission to
> create a java runtime object - I can't remember the actual name, but it
> is listed in the manual.
>
> I'm not exactly sure why you are getting the error, but I suspect it's
> an interaction between the permissions of the TEST schema and those
> granted to JAVA_ADMIN. I suspect JAVA_ADMIN does not have permission to
> execute on <<ALL FILES>>. If you just use fine grained access control,
> the picture will probably be clearer.
>
> Tim

Received on Sun Jan 26 2003 - 12:38:21 CST
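
The role-based, path-scoped grants this thread recommends, followed by an audit query for leftover wildcard grants, as an added example (not the script from the post, and not code from either poster). The directory /u01/app/batch and the script run_job.sh are constructed placeholders; MY_JAVA_ROLE and TEST are the names used in the thread.

```sql
-- Added example. Run in SQL*Plus as an account allowed to administer the
-- Java policy table (for example SYS).
-- Constructed placeholders: /u01/app/batch and run_job.sh.

CREATE ROLE my_java_role;

BEGIN
  -- java.io.FilePermission path syntax: a trailing /* covers the files in
  -- that directory, a trailing /- covers it recursively.
  -- Read access to the files directly inside one directory only.
  dbms_java.grant_permission('MY_JAVA_ROLE', 'SYS:java.io.FilePermission',
                             '/u01/app/batch/*', 'read');

  -- Execute is granted on the single script the Java class launches,
  -- not on the directory and not on <<ALL FILES>>.
  dbms_java.grant_permission('MY_JAVA_ROLE', 'SYS:java.io.FilePermission',
                             '/u01/app/batch/run_job.sh', 'execute');

  -- Launching an OS process from the Oracle JVM also needs these two
  -- runtime permissions (check the Java Developer's Guide for your release).
  dbms_java.grant_permission('MY_JAVA_ROLE', 'SYS:java.lang.RuntimePermission',
                             'writeFileDescriptor', '');
  dbms_java.grant_permission('MY_JAVA_ROLE', 'SYS:java.lang.RuntimePermission',
                             'readFileDescriptor', '');
  COMMIT;  -- policy table changes are ordinary DML and need a commit
END;
/

GRANT my_java_role TO test;

-- Audit: list every file permission granted on the wildcard target.
-- The '_' in the LIKE pattern matches any single character, so this finds
-- both the '<<ALL FILES>>' and '<<ALL_FILES>>' spellings seen in the thread.
-- A hit can be removed with dbms_java.revoke_permission, passing the row's
-- grantee, schema-qualified type, name and action.
SELECT grantee, kind, type_schema, type_name, name, action, enabled, seq
FROM   dba_java_policy
WHERE  type_name = 'java.io.FilePermission'
AND    name LIKE '<<ALL_FILES>>'
ORDER  BY grantee, seq;
```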