
Re: Cannot grant permissions with dbms_java

From: Oliver Demus <oliver_at_demus-online.de>
Date: 27 Jan 2003 00:30:26 -0800
Message-ID: <62e59750.0301270030.4a139bc9@posting.google.com>


Thanks, will try that!

Oliver

rs_arwar_at_hotmail.com (Rauf Sarwar) wrote in message news:<92eeeff0.0301261038.475df750_at_posting.google.com>...
> Never use <<ALL_FILES>> permission. Secondly no need for java_admin
> role to be granted to user TEST. Better would be to create a role e.g.
> MY_JAVA_ROLE and run grants against that role then grant that role to
> the users...much easier to maintain.
>
> You would have to commit; after running java grants. Also I noticed
> that you are using 'java.io.FilePermission'. Instead it should be
> 'SYS:java.io.FilePermission'. Here is a script I use for java file
> grants. Works every time.
>
> -- Define super user. In your case TEST
> DEFINE SUPER_USER = &SUPER_USER
> -- Local fixed directory
> DEFINE DIR_NAME = &DIR_NAME
> -- Java role with all grants
> DEFINE JAVA_ROLE = &JAVA_ROLE
>
> -- Create new role and grant to Super_User
> DROP ROLE &JAVA_ROLE
> /
> CREATE ROLE &JAVA_ROLE NOT IDENTIFIED
> /
> GRANT &JAVA_ROLE TO &SUPER_USER WITH ADMIN OPTION
> /
>
> -- Drop all previous JAVA_ROLE grants. May be commented out.
> DECLARE
>    CURSOR get_rec_ IS
>       SELECT seq
>       FROM dba_java_policy
>       WHERE UPPER(grantee) = UPPER('&JAVA_ROLE');
> BEGIN
>    FOR rec_ IN get_rec_ LOOP
>       DBMS_JAVA.DISABLE_PERMISSION(rec_.seq);
>       DBMS_JAVA.DELETE_PERMISSION(rec_.seq);
>    END LOOP;
> END;
> /
>
> -- Run grants. '-' at the end means recursive grants
> -- on all child directories
> DECLARE
>    dir_name_ VARCHAR2(512) := '&DIR_NAME';
>    temp_     VARCHAR2(1);
> BEGIN
>    temp_ := SUBSTR(dir_name_, LENGTH(dir_name_), 1);
>    IF (INSTR(dir_name_, '\', 1, 1) != 0) THEN
>       IF ((temp_ != '\') AND (temp_ != '-')) THEN
>          dir_name_ := dir_name_ || '\-';
>       ELSIF (temp_ = '\') THEN
>          dir_name_ := dir_name_ || '-';
>       END IF;
>    ELSIF (INSTR(dir_name_, '/', 1, 1) != 0) THEN
>       IF ((temp_ != '/') AND (temp_ != '-')) THEN
>          dir_name_ := dir_name_ || '/-';
>       ELSIF (temp_ = '/') THEN
>          dir_name_ := dir_name_ || '-';
>       END IF;
>    END IF;
>    DBMS_JAVA.GRANT_PERMISSION
>       ( '&JAVA_ROLE',
>         'SYS:java.io.FilePermission',
>         dir_name_,
>         'read,write,delete,execute' );
>    DBMS_JAVA.GRANT_PERMISSION
>       ( '&JAVA_ROLE',
>         'SYS:java.lang.RuntimePermission',
>         'readFileDescriptor',
>         NULL );
>    DBMS_JAVA.GRANT_PERMISSION
>       ( '&JAVA_ROLE',
>         'SYS:java.lang.RuntimePermission',
>         'writeFileDescriptor',
>         NULL );
>    DBMS_JAVA.GRANT_PERMISSION
>       ( '&JAVA_ROLE',
>         'SYS:java.util.PropertyPermission',
>         dir_name_,
>         'read,write' );
> END;
> /
> COMMIT
> /
>
> UNDEFINE SUPER_USER
> UNDEFINE DIR_NAME
> UNDEFINE JAVA_ROLE
>
> Regards
> /Rauf Sarwar
>
>
>
> Tim X <timx_at_spamto.devnul.com> wrote in message news:<87bs248loj.fsf_at_tiger.rapttech.com.au>...
> > >>>>> "Oliver" == Oliver Demus <oliver_at_demus-online.de> writes:
> >
> > Oliver> Cannot grant permissions with dbms_java Hello, I am having
> > Oliver> problems with a stored procedure (PL/SQL) which calls a java
> > Oliver> class stored externally (mapped to DB using CREATE DIRECTORY,
> > Oliver> CREATE JAVA CLASS). The java class calls a .bat file.
> > Oliver> Calling the stored procedure gives
> >
> > Oliver> * ERROR at line 1: ORA-29532: Java call terminated by
> > Oliver> uncaught Java exception:
> > Oliver> java.security.AccessControlException: the Permission
> > Oliver> (java.io.FilePermission <<ALL FILES>> execute) has not been
> > Oliver> granted by dbms_java.grant_permission to
> > Oliver> SchemaProtectionDomain(TEST|PolicyTableProxy(TEST))
> > Oliver> ORA-06512: at "TEST.PROC_BATCH", line 0 ORA-06512: at line 1
> >
> > Oliver> Using dbms_java does not solve this. exec
> > Oliver> dbms_java.grant_permission('TEST', 'java.io.FilePermission',
> > Oliver> '<<ALL_FILES>>', 'read,execute');
> >
> > Oliver> User TEST has DBA rights (inc. JAVA_ADMIN)
> >
> > Firstly, don't use <<ALL FILES>> - this could create a major security
> > hole as it gives access to everything the user Oracle is running as
> > has access to. Instead explicitly list the files/directories you want
> > access to. You can use the '*' for everything within a directory and
> > '+' for recursive access to files and sub-directories etc.
> >
> > I don't think you should give the JAVA_ADMIN permission - instead use
> > fine grained access control so that you know exactly what the procedure can
> > and cannot do.
> >
> > If you are creating files/directories, you need to also provide
> > 'write' permission.
> >
> > I think you only need execute permission if you want to execute an OS
> > prog/script. If this is the case you also need to grant permission to
> > create a java runtime object - I can't remember the actual name, but it
> > is listed in the manual.
> >
> > I'm not exactly sure why you are getting the error, but I suspect it's
> > an interaction between the permissions of the TEST schema and those
> > granted to JAVA_ADMIN. I suspect JAVA_ADMIN does not have permission to
> > execute on <<ALL FILES>>. If you just use fine grained access control,
> > the picture will probably be clearer.
> >
> > Tim
Received on Mon Jan 27 2003 - 02:30:26 CST
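
The advice in the quoted replies (avoid <<ALL FILES>>, skip JAVA_ADMIN, grant through a dedicated role) can be checked from the data dictionary. The following is an added example, not part of the original thread or of Rauf Sarwar's script; it assumes SQL*Plus, SELECT access to DBA_JAVA_POLICY and DBA_ROLE_PRIVS, and reuses the script's JAVA_ROLE substitution variable.

```sql
-- Added example: audit of Java policy grants (not from the original thread).
-- Assumes SELECT access to DBA_JAVA_POLICY and DBA_ROLE_PRIVS.

-- 1. Enabled file grants, classified by how much of the file system they
--    cover and whether they allow running OS programs. Both spellings of
--    the all-files token seen in the thread are matched.
SELECT seq,
       grantee,
       name,
       action,
       CASE
          WHEN REPLACE(name, '_', ' ') = '<<ALL FILES>>' THEN 'ALL FILES'
          WHEN name LIKE '%-'                            THEN 'RECURSIVE TREE'
          WHEN name LIKE '%*'                            THEN 'ONE DIRECTORY'
          ELSE                                                'SINGLE PATH'
       END AS file_scope,
       CASE
          WHEN INSTR(LOWER(action), 'execute') > 0 THEN 'Y'
          ELSE 'N'
       END AS can_execute
FROM   dba_java_policy
WHERE  kind      = 'GRANT'
AND    enabled   = 'ENABLED'
AND    type_name = 'java.io.FilePermission'
ORDER  BY file_scope, grantee, seq;

-- 2. Accounts and roles holding the broad roles discussed in the thread.
--    Rows with admin_option = 'YES' can pass the role on to others.
SELECT grantee,
       granted_role,
       admin_option
FROM   dba_role_privs
WHERE  granted_role IN ('DBA', 'JAVA_ADMIN', 'JAVASYSPRIV')
ORDER  BY granted_role, grantee;

-- 3. Everything currently granted to the dedicated role, to confirm the
--    grant script left exactly the intended entries (and nothing disabled).
SELECT seq,
       type_schema,
       type_name,
       name,
       action,
       enabled
FROM   dba_java_policy
WHERE  UPPER(grantee) = UPPER('&JAVA_ROLE')
ORDER  BY seq;
```

Rows reported as ALL FILES with can_execute = 'Y' are the ones to review first; query 3 should list only the directory-scoped entries the grant script created.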
