Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.misc -> Re: Cannot grant permissions with dbms_java

Re: Cannot grant permissions with dbms_java

From: Tim X <timx_at_spamto.devnul.com>
Date: 26 Jan 2003 17:33:32 +1100
Message-ID: <87bs248loj.fsf@tiger.rapttech.com.au>


>>>>> "Oliver" == Oliver Demus <oliver_at_demus-online.de> writes:

 Oliver> Cannot grant permissions with dbms_java Hello, I am having
 Oliver> problems with a stored procedure (PL/SQL) which calls a java
 Oliver> class stored externally (mapped to DB using CREATE DIRECTORY,
 Oliver> CREATE JAVA CLASS).  The java class calls a .bat file.
 Oliver> Calling the stored procedure gives

 Oliver> * ERROR at line 1:
 Oliver> ORA-29532: Java call terminated by uncaught Java exception:
 Oliver> java.security.AccessControlException: the Permission
 Oliver> (java.io.FilePermission <<ALL FILES>> execute) has not been
 Oliver> granted by dbms_java.grant_permission to
 Oliver> SchemaProtectionDomain(TEST|PolicyTableProxy(TEST))
 Oliver> ORA-06512: at "TEST.PROC_BATCH", line 0
 Oliver> ORA-06512: at line 1

 Oliver> Using dbms_java does not solve this.

 Oliver> exec dbms_java.grant_permission('TEST', 'java.io.FilePermission',
 Oliver> '<<ALL_FILES>>', 'read,execute');

 Oliver> User TEST has DBA rights (inc. JAVA_ADMIN)

Firstly, don't use <<ALL FILES>> - this could create a major security hole as it gives access to everything the user Oracle is running as has access to. Instead explicitly list the files/directories you want access to. You can use the '*' for everything within a directory and '+' for recursive access to files and sub-directories etc.

I don't think you should give the JAVA_ADMIN permission - instead use fine grained access control so that you know exactly what the procedure can and cannot do.

If you are creating files/directories, you need to also provide 'write' permission.

I think you only need execute permission if you want to execute an OS prog/script. If this is the case you also need to grant permission to create a java runtime object - I can't remember the actual name, but it is listed in the manual.

I'm not exactly sure why you are getting the error, but I suspect it's an interaction between the permissions of the TEST schema and those granted to JAVA_ADMIN. I suspect JAVA_ADMIN does not have permission to execute on <<ALL FILES>>. If you just use fine grained access control, the picture will probably be clearer.

Tim

-- 
Tim Cross
The e-mail address on this message is FALSE (obviously!). My real e-mail is
to a company in Australia called rapttech and my login is tcross - if you 
really need to send mail, you should be able to work it out!
Received on Sun Jan 26 2003 - 00:33:32 CST
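
The fine-grained approach recommended in the reply above, as an added example that is not part of the original post: audit the Java policy table for blanket file grants, remove them, and grant only what one script needs. The schema TEST comes from the thread; the paths `C:\batch\run_job.bat` and `C:\batch\out\*` are hypothetical placeholders, and the two `java.lang.RuntimePermission` names are an assumption about which runtime permission the reply refers to, to be checked against the manual for your release.

```sql
-- Added example (constructed). Run as a user allowed to administer
-- Java policy (for instance SYS). Paths are hypothetical placeholders.

-- 1. Audit: list blanket file grants. In LIKE, '_' matches any single
--    character, so this finds both spellings seen in the thread
--    ('<<ALL FILES>>' and '<<ALL_FILES>>').
SELECT grantee, kind, type_name, name, action, enabled, seq
  FROM dba_java_policy
 WHERE type_name = 'java.io.FilePermission'
   AND name LIKE '<<ALL_FILES>>';

-- 2. Revoke a blanket grant reported by step 1. The name and action
--    must match the stored row exactly, so copy them from the audit.
BEGIN
  dbms_java.revoke_permission(
    'TEST', 'java.io.FilePermission', '<<ALL FILES>>', 'read,execute');
END;
/

-- 3. Grant only what the stored procedure needs.
BEGIN
  -- Execute one named script, nothing else on the file system.
  dbms_java.grant_permission(
    'TEST', 'java.io.FilePermission', 'C:\batch\run_job.bat', 'execute');

  -- Assumed runtime permissions for starting an OS process and
  -- exchanging data with it from the database JVM.
  dbms_java.grant_permission(
    'TEST', 'java.lang.RuntimePermission', 'writeFileDescriptor', '');
  dbms_java.grant_permission(
    'TEST', 'java.lang.RuntimePermission', 'readFileDescriptor', '');

  -- Only if the job creates files: '*' covers the files directly in
  -- this one directory, and 'write' is needed to create them.
  dbms_java.grant_permission(
    'TEST', 'java.io.FilePermission', 'C:\batch\out\*', 'read,write');
END;
/

-- 4. Verify: TEST should now hold only the narrow entries above.
SELECT type_name, name, action, enabled
  FROM dba_java_policy
 WHERE grantee = 'TEST'
 ORDER BY type_name, name;
```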
