Re: Cannot grant permissions with dbms_java

Not sure, but this might work:

dbms_java.grant_permission('TEST',
'SYS:java.RunimePermission','ReadFileDescriptor',);

Use this to see all permissions:
SELECT * FROM DBA_JAVA_POLICY WHERE grantee = 'TEST'

There are some good threads about running an external command on www.asktom.oracle.com.

Make sure that the "oracle" user id has execute permissions on the batch file.

"Tim X" <timx_at_spamto.devnul.com> wrote in message news:87bs248loj.fsf_at_tiger.rapttech.com.au...
> >>>>> "Oliver" == Oliver Demus <oliver_at_demus-online.de> writes:
>
> Oliver> Cannot grant permissions with dbms_java Hello, I am having
> Oliver> problems with a stored procedure (PL/SQL) which calls a java
> Oliver> class stored externally (mapped to DB using CREATE DIRECTORY,
> Oliver> CREATE JAVA CLASS). The java class calls a .bat file.
> Oliver> Calling the stored procedure gives
>
> Oliver> * ERROR at line 1: ORA-29532: Java call terminated by
> Oliver> uncaught Java exception:
> Oliver> java.security.AccessControlException: the Permission
> Oliver> (java.io.FilePermission <<ALL
> FILES> execute) has not been granted by dbms_java.grant_permission to
> Oliver> SchemaProtectionDomain(TEST|PolicyTableProxy(TEST))
> Oliver> ORA-06512: at "TEST.PROC_BATCH", line 0 ORA-06512: at line 1
>
> Oliver> Using dbms_java does not solve this. exec
> Oliver> dbms_java.grant_permission('TEST', 'java.io.FilePermission',
> Oliver> '<<ALL_FILES>>', 'read,execute');
>
> Oliver> User TEST has DBA rights (inc. JAVA_ADMIN)
>
> Firstly, don't use <<ALL FILES>> - this could create a major security
> hole as it gives access to everything the user Oracle is running as
> has access to. Instead explicitly list the files/directories you want
> access to. You can use the '*' for everything within a directory and
> '+' for recursive access to fiels and sub-directories etc.
>
> I don't think you should give the JAVA_ADMIN permission - instead use
> fine grained access control so that you know exactly what the procedure
can
> and cannot do.
>
> If you are createing files/directories, you need to also provide
> 'write' permisison.
>
> I think you only need execute permission if you want to execute and OS
> prog/script. If this is the case you also need to grant permission to
> create a java runtime object - I cant remember the actual name, but it
> is listed in the manual.
>
> I'm not exactly sure why you are getting the rror, but I suspect its
> an interaction between the permissions of the TEST schema and those
> granted to JAVA_ADMIN. I suspect JAVA_ADIN does not have permission to
> execute on <<ALL FILES>>. If you just use fine grained access control,
> the picture will probably be clearer.
>
> Tim
>
> --
> Tim Cross
> The e-mail address on this message is FALSE (obviously!). My real e-mail
is
> to a company in Australia called rapttech and my login is tcross - if you
> really need to send mail, you should be able to work it out!
Received on Tue Feb 04 2003 - 09:17:26 CST