Re: Cannot grant permissions with dbms_java

Never use <<ALL_FILES>> permission. Secondly no need for java_admin role to be granted to user TEST. Better would be to create a role e.g. MY_JAVA_ROLE and run grants against that role then grant that role to the users...much easier to maintain.

You would have to commit; after running java grants. Also I noticed that you are using 'java.io.FilePermission'. Instead it should be 'SYS:java.io.FilePermission'. Here is a script I use for java file grants. Works everytime.

• Define super user. In your case TEST DEFINE SUPER_USER = &SUPER_USER
• Local fixed directory DEFINE DIR_NAME = &DIR_NAME
• Java role with all grants DEFINE JAVA_ROLE = &JAVA_ROLE
• Create new role and grant to Super_User DROP ROLE &JAVA_ROLE / CREATE ROLE &JAVA_ROLE NOT IDENTIFIED / GRANT &JAVA_ROLE TO &SUPER_USER WITH ADMIN OPTION /
• Drop all previous JAVA_ROLE grants. May be commented out. DECLARE CURSOR get_rec_ IS SELECT seq FROM dba_java_policy WHERE UPPER(grantee) = '&JAVA_ROLE'; BEGIN FOR rec_ IN get_rec_ LOOP DBMS_JAVA.DISABLE_PERMISSION(rec_.seq); DBMS_JAVA.DELETE_PERMISSION(rec_.seq); END LOOP; END; /
• Run grants. '-' at the end means recursive grants
• on all child directories DECLARE dir_name_ VARCHAR2(512) := '&DIR_NAME'; temp_ VARCHAR2(1); BEGIN temp_ := SUBSTR(dir_name_, LENGTH(dir_name_), 1); IF (INSTR(dir_name_, '\', 1, 1) != 0) THEN IF ((temp_ !='\') AND (temp_ != '-')) THEN dir_name_ := dir_name_ || '\-'; ELSIF (temp_ = '\') THEN dir_name_ := dir_name_ || '-'; END IF; ELSIF (INSTR(dir_name_, '/', 1, 1) != 0) THEN IF ((temp_ != '/') AND (temp_ != '-')) THEN dir_name_ := dir_name_ || '/-'; ELSIF (temp_ = '/') THEN dir_name_ := dir_name_ || '-'; END IF; END IF; DBMS_JAVA.GRANT_PERMISSION ( '&JAVA_ROLE',
  'SYS:java.io.FilePermission',
  dir_name_,
  'read,write,delete,execute' );
  DBMS_JAVA.GRANT_PERMISSION ( '&JAVA_ROLE',
  'SYS:java.lang.RuntimePermission',
  'readFileDescriptor',
  NULL ); DBMS_JAVA.GRANT_PERMISSION ( '&JAVA_ROLE',
  'SYS:java.lang.RuntimePermission',
  'writeFileDescriptor',
  NULL ); DBMS_JAVA.GRANT_PERMISSION ( '&JAVA_ROLE',
  'SYS:java.util.PropertyPermission',
  dir_name_,
  'read,write' );
  END; / COMMIT /

UNDEFINE SUPER_USER
UNDEFINE DIR_NAME
UNDEFINE JAVA_ROLE Regards
/Rauf Sarwar

Tim X <timx_at_spamto.devnul.com> wrote in message news:<87bs248loj.fsf_at_tiger.rapttech.com.au>...

> >>>>> "Oliver" == Oliver Demus <oliver_at_demus-online.de> writes:
> 
>  Oliver> Cannot grant permissions with dbms_java Hello, I am having
>  Oliver> problems with a stored procedure (PL/SQL) which calls a java
>  Oliver> class stored externally (mapped to DB using CREATE DIRECTORY,
>  Oliver> CREATE JAVA CLASS).  The java class calls a .bat file.
>  Oliver> Calling the stored procedure gives
> 
>  Oliver> * ERROR at line 1: ORA-29532: Java call terminated by
>  Oliver> uncaught Java exception:
>  Oliver> java.security.AccessControlException: the Permission
>  Oliver> (java.io.FilePermission <<ALL
>  FILES> execute) has not been granted by dbms_java.grant_permission to
>  Oliver> SchemaProtectionDomain(TEST|PolicyTableProxy(TEST))
>  Oliver> ORA-06512: at "TEST.PROC_BATCH", line 0 ORA-06512: at line 1
> 
>  Oliver> Using dbms_java does not solve this.  exec
>  Oliver> dbms_java.grant_permission('TEST', 'java.io.FilePermission',
>  Oliver> '<<ALL_FILES>>', 'read,execute');
> 
>  Oliver> User TEST has DBA rights (inc. JAVA_ADMIN)
> 
> Firstly, don't use <<ALL FILES>> - this could create a major security
> hole as it gives access to everything the user Oracle is running as
> has access to. Instead explicitly list the files/directories you want
> access to. You can use the '*' for everything within a directory and
> '+' for recursive access to fiels and sub-directories etc.
> 
> I don't think you should give the JAVA_ADMIN permission - instead use
> fine grained access control so that you know exactly what the procedure can
> and cannot do. 
> 
> If you are createing files/directories, you need to also provide
> 'write' permisison.
> 
> I think you only need execute permission if you want to execute and OS
> prog/script. If this is the case you also need to grant permission to
> create a java runtime object - I cant remember the actual name, but it
> is listed in the manual. 
> 
> I'm not exactly sure why you are getting the rror, but I suspect its
> an interaction between the permissions of the TEST schema and those
> granted to JAVA_ADMIN. I suspect JAVA_ADIN does not have permission to
> execute on <<ALL FILES>>. If you just use fine grained access control,
> the picture will probably be clearer.
> 
> Tim