Pete Finnigan's Oracle Security Weblog

I saw an interesting entry in Mark Rittmans weblog entitled "Introduction To Java Stored Procedures" yesterday and decided to take a look as I am always interested in Java and Oracle and PL/SQL - especially from a security perspective. There are not many articles on Java used inside the database and security. This is a subject that needs to be expanded.

Even on a general level I have not seen many really good introductions on how to use Java in stored procedures. The article that Mark has found is the exception; this is a very good introduction article to this subject.

The article is called "Oracle and Java Stored Procedures" and is written by By Michael Klaene. There are two pages, the first is here, and the second here.

The fact that Oracle have added a Java virtual machine into the Oracle kernel has meant that it is now easy t use Java programs within the database and also to use Java to extend the functionality of PL/SQL programs beyond where was possible with just PL/SQL. Of course the same can be done with C and external procedures.

I read somewhere once, it could have been Tom or Steve, I am not sure that if you can do the task in SQL then you should, if not then use PL/SQL and if not then use Java or even C. This is good advice especially from a security perspective as the more extensive the language used, e.g. Java or C, then he more potential for damage there is.

As I said this is a great paper, it covers the four main steps in writing Java to run inside the database, 1) writing the Java classes, 2) compiling and loading, 3) publishing by providing a PL/SQL interface and 4) actually calling the interface PL/SQL procedure to execute the Java.

The article even explains, although briefly the issues of classpaths and the Oracle resolver. Also discussed is the fact that it’s possible to load the class (compiled code) and also the source into the database or just the class or compiled code. The security aspects of this are not discussed.

There are some very clear examples given in this paper and the paper finishes by talking about file IO with Java. This is an area that has to be looked at carefully as it can be easy to expose access to the underlying file system that could allow a hacker to gain control of the machine.

Again this is a very good paper. It would be interesting to see a paper dedicated to secure Java programming in database stored procedures. Maybe I will write it when I have time :)