Chapter 1

The document discusses Oracle Java Database Connectivity (JDBC) and how to connect Java applications to Oracle databases. It describes the core components of JDBC including the driver manager, connection, statement, and result set. It also provides an example code to connect to an Oracle database, retrieve data from a table, and close the connection.

Uploaded by

ALL IN ONE
CHAPTER 3

ORACLE JAVA DATABASE CONNECTIVITY


CHAPTER CONTRIBUTOR: Dr. K. Ruth Ramya

3.1 INTRODUCTION TO ORACLE JAVA DATABASE CONNECTIVITY

Java Database Connectivity (JDBC) is an application programming interface (API) for Java that
allows Java applications to access and manipulate data stored in relational databases. JDBC provides a
standard way for Java applications to connect to different databases, regardless of the specific
database vendor or product.
There are many reasons why you might want to use JDBC in your Java applications:

• Portability: JDBC allows you to write Java applications that can access data stored in a variety of
databases, without having to write separate code for each database.
• Ease of use: JDBC provides a simple and easy-to-use API for accessing and manipulating database
data.
• Performance: JDBC is a high-performance API that can efficiently access and manipulate data in
large databases.
• Pluggability: JDBC is a pluggable API, which means that you can use different JDBC drivers to
connect to different databases.

JDBC works by providing a set of classes and interfaces that represent the different components of a
database connection, such as the database connection, the SQL statement, and the result set. These
classes and interfaces allow Java applications to interact with the database in a standard way,
regardless of the specific database vendor or product.

The core components of JDBC are:

• Driver manager: The driver manager is responsible for loading the appropriate JDBC driver for the
database that you want to connect to.
• Connection: A connection represents a connection to a database. You use a connection to execute
SQL statements against the database.
• Statement: A statement represents an SQL statement that you want to execute against the database.
• ResultSet: A result set contains the results of an SQL query.

How do I use JDBC?

To use JDBC, you need to follow these steps:

1. Load the JDBC driver for the database that you want to connect to.
2. Establish a connection to the database.
3. Create a statement object.
4. Execute an SQL statement using the statement object.
5. Process the results of the SQL statement.
6. Close the connection to the database.

3.2 JAVA DATABASE CONNECTIVITY WITH ORACLE

To connect a Java application to an Oracle database, we follow the five steps shown in the example
below. In this example, we are using Oracle 10g as the database, so we need to know the following
information for the Oracle database:

• Driver class: The driver class for the Oracle database is oracle.jdbc.driver.OracleDriver.
• Connection URL: The connection URL for the Oracle 10g database is
jdbc:oracle:thin:@localhost:1521:xe, where jdbc is the API, oracle is the database, thin is the driver,
localhost is the server name on which Oracle is running (an IP address may also be used), 1521 is the
port number and XE is the Oracle service name. You can get all of this information from the
tnsnames.ora file.
• Username: The default username for the Oracle database is system.
• Password: It is the password given by the user at the time of installing the Oracle database.

Create a Table
Before establishing the connection, let's first create a table in the Oracle database. The following
SQL statement creates the table:

    create table emp(id number(10),name varchar2(40),age number(3));

Example to Connect Java Application with Oracle database


In this example, we are connecting to an Oracle database and getting data from emp table. Here,
system and oracle are the username and password of the Oracle database.

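    import java.sql.*;

    class OracleCon {
        public static void main(String[] args) {
            try {
                // step1 load the driver class (JDBC 4+ drivers register themselves,
                // but the explicit load is needed with older drivers such as ojdbc14)
                Class.forName("oracle.jdbc.driver.OracleDriver");

                // step2 create the connection object
                // step3 create the statement object
                // step4 execute query
                // All three are opened in try-with-resources so that they are
                // closed even when a query throws an SQLException.
                try (Connection con = DriverManager.getConnection(
                         "jdbc:oracle:thin:@localhost:1521:xe", "system", "oracle");
                     Statement stmt = con.createStatement();
                     ResultSet rs = stmt.executeQuery("select * from emp")) {

                    // print id, name and age of every row
                    while (rs.next()) {
                        System.out.println(rs.getInt(1) + " " + rs.getString(2) + " " + rs.getString(3));
                    }
                }
                // step5 close the connection object: done automatically at the
                // end of the try-with-resources block above
            } catch (Exception e) {
                System.out.println(e);
            }
        }
    }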
The above example will fetch all the records of emp table.

To connect a Java application to the Oracle database, the ojdbc14.jar file must be loaded.



Two ways to load the jar file:
1. Paste the ojdbc14.jar file in the jre/lib/ext folder
2. Set the classpath

1) Paste the ojdbc14.jar file in the JRE/lib/ext folder:
First, locate the ojdbc14.jar file, then go to the JRE/lib/ext folder and paste the jar file there.

2) Set the classpath:
There are two ways to set the classpath: temporary and permanent.

How to set the temporary classpath:
First, locate the ojdbc14.jar file, then open a command prompt and write:

    C:>set classpath=c:\folder\ojdbc14.jar;.;

How to set the permanent classpath:
Go to the environment variables, then click on the new tab. In variable name write classpath, and in
variable value paste the path to the folder containing ojdbc14.jar, appending ojdbc14.jar;.; to it, as in
C:\oraclexe\app\oracle\product\10.2.0\server\jdbc\lib\ojdbc14.jar;.;

3.3 ORACLE ROLES


The roles feature in Oracle Database lets database administrators group a set of privileges
together and grant them to users as a unit. This makes users and access control easier to manage,
because fewer users require individually granted privileges: users are instead assigned roles, and
each role carries a predetermined set of permissions.

Various Oracle roles:
Types of Roles
Predefined Roles: The Oracle Database has a number of built-in roles with predetermined
permissions. Predefined roles like DBA (Database Administrator), CONNECT, RESOURCE, and
others are frequently used.
Custom Roles: To group particular rights together, database administrators can define custom
roles. These custom roles can be tailored to an application's or organization's unique requirements.
Roles can have a wide range of privileges, such as object privileges (such as SELECT, INSERT,
DELETE on certain tables) and system privileges (such as CREATE TABLE, SELECT ANY
TABLE). Roles can also be granted to other roles.

Assigning Roles: Roles may be granted to other roles or to individual users. A user inherits the
privileges that come with the role when they are assigned one.
Users may receive roles directly, or indirectly through other roles. When a role is granted to
another role and the user receives the containing role, this is known as an indirect role grant.

Roles can be revoked from users or from other roles. When a role is revoked, the user or role it
was revoked from loses all of the privileges associated with it.

Role nesting is supported by Oracle, allowing for the formation of a hierarchical role structure. In
complicated systems, this can help organize and simplify privilege management.

Session Role Activation:


Users have the option to activate roles for their database sessions using the SET ROLE statement.
This allows users to enable roles they have been granted and utilize the associated privileges. Roles
can also be enabled automatically upon login, which is defined in the user's profile.
• Compared to super system privileges, roles are sets of permissions that are
significantly more specific, varied, and constrained.
• The recommended way to grant users access to the different privileges is to grant the
privileges to a role and then grant the role to the user, rather than granting the
SYSDBA privileges specified in the previous section.
• If you do so, you can still replace one user with another in a job, or duplicate the
permissions needed for a job to another user, by granting the new user the
existing role.
For instance, I could make a role called appaccess and give it permission to view
application tables. I could then give this role to a user. When I'm using another
device.
• Compared to super system privileges, the sets of privileges that are granted through
roles are far more specific, varied, and constrained.
• Assigning privileges to a role and then granting the role to the user is the
recommended way of providing users with access to the different privileges, as
opposed to assigning the SYSDBA privileges specified in the previous section.
• In the event that you do this, you can still add a new user to a job and transfer the
privileges necessary for that work to another user by just giving the new user the role
that already exists.
• I could, for instance, construct a role called appaccess and give it the authority to
view application tables. I could then provide this role to a user. When a different
user is here

i. DBA
This predefined role comes with Oracle upon installation and provides system
administrative privileges for the database; we will not grant this role to any user.
ii. CONNECT
This predefined role allows users to connect to Oracle; we are encouraged not to
use predefined roles, so we won’t.
iii. create_session_role
Our role to allow users to connect to Oracle.
iv. secadm_role
Our security administrator role; we will grant the privileges required to perform
security administration to this role, and we will grant this role to the SECADM
user.
v. hrview_role
Our secure application role for granting access to data in the human resources
(HR) sample schema.
vi. appsec_role
A non-default role used by APPSEC when configuring application security.
vii. appver_role
Secure application role for running application verification.

Fig 1.2 ORACLE USER PRIVILEGES


Note: Copyrights of this figure are reserved to original author
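
The custom-role, nesting and indirect-grant ideas from section 3.3, as an added example that is not part of the original chapter. APP_OWNER, ALICE and app_reporting are hypothetical names; appaccess and the emp table come from the text.

```sql
-- Added example (constructed). Hypothetical names: schema APP_OWNER,
-- user ALICE, role app_reporting. Run as an administrator that can
-- create roles and read the DBA_* dictionary views.

-- 1. Custom role that carries a single object privilege.
CREATE ROLE appaccess NOT IDENTIFIED;
GRANT SELECT ON app_owner.emp TO appaccess;

-- 2. Nest it: app_reporting contains appaccess.
CREATE ROLE app_reporting NOT IDENTIFIED;
GRANT appaccess TO app_reporting;

-- 3. Grant only the outer role. ALICE now holds app_reporting directly
--    and appaccess indirectly.
GRANT app_reporting TO alice;

-- 4. Audit: walk the role hierarchy for one user. Each row shows a role,
--    how deep it is nested, and which grantee it was reached through.
SELECT LEVEL        AS depth,
       granted_role,
       grantee      AS granted_via,
       default_role
FROM   dba_role_privs
START WITH grantee = 'ALICE'
CONNECT BY PRIOR granted_role = grantee
ORDER SIBLINGS BY granted_role;

-- 5. Audit: object privileges ALICE can reach through any of those roles.
SELECT p.grantee AS via_role,
       p.owner,
       p.table_name,
       p.privilege
FROM   dba_tab_privs p
WHERE  p.grantee IN (
           SELECT granted_role
           FROM   dba_role_privs
           START WITH grantee = 'ALICE'
           CONNECT BY PRIOR granted_role = grantee
       );

-- 6. As ALICE: enable the role for this session and list what is active.
--    SESSION_ROLES includes roles enabled through nesting.
SET ROLE app_reporting;
SELECT role FROM session_roles;

-- 7. As the administrator: revoking the outer role removes the nested
--    role's privileges from ALICE as well.
REVOKE app_reporting FROM alice;
```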

1.4 DBA ROLE


• In recent versions of Oracle, DBAs have been discouraged from using the DBA role.
• Rather, they are encouraged to create their own roles and grant only the required
administrative privileges.
• Therefore, we will not grant the DBA role to any user.
• We are going to create a security administrator role, secadm_role.
• We will use this role for most of our administrative actions.
• This approach adheres to the concept of “least privilege”, which means providing only the
privileges required for the task at hand.
• Oracle Database Vault is a product that allows you to use DBA and other privileged roles
while restricting their access.
• This is intended for users in the Ministry of Defense and National Security, where a database
administrator does not necessarily have access to the data.

Fig 1.1 DBA Role


Note: Copyrights of this figure are reserved to original author
The DBA (Database Administrator) role in Oracle is one of the most powerful and highly
privileged roles. The DBA role is typically assigned to users who have the responsibility of
managing and maintaining the Oracle database. Here is more information about the DBA role in
Oracle:

Privileges: Users assigned the DBA role are granted a wide range of system privileges, which
provide them with full control over the database. These privileges may include, but are not limited
to, the following:
CREATE, ALTER, and DROP any database object, such as tables, views, and indexes.
EXECUTE any PL/SQL or SQL code.
CREATE and manage users and roles.
ALTER and maintain database parameters.
Backup and recovery operations.
Control over database security, including granting and revoking privileges.
Responsibilities: Users with the DBA role are responsible for various tasks related to the
database, including but not limited to:

Installing and configuring the Oracle database software.


Creating and managing database instances.
Monitoring database performance and tuning it for optimal operation.
Implementing data security and access controls.
Managing backups and performing recovery in case of data loss.
Applying patches, updates, and database software upgrades.
Ensuring high availability and disaster recovery solutions.
Handling database schema changes and optimizations.
Managing database storage and space usage.
Special System Privileges: The DBA role includes several special system privileges that allow
DBAs to perform specific tasks, such as:

SYSDBA: This privilege provides unrestricted access to the database. Users with the SYSDBA
privilege can perform any administrative task, including shutting down the database.
SYSOPER: This privilege allows users to perform basic database operations, like starting and
stopping the database.
Security Considerations: Due to its extensive privileges, the DBA role should be assigned with
caution. Only trusted and authorized personnel should have this role to prevent unauthorized
access to sensitive data and critical database operations.

Password Management: It's essential to ensure strong password management for users assigned
the DBA role to prevent unauthorized access. Additionally, two-factor authentication and other
security measures should be considered.

Auditing: Auditing should be enabled to track the activities of users with the DBA role. Audit
logs can help monitor and investigate any suspicious or unauthorized activities.

Separation of Duties: It is a good practice to separate the DBA role from other roles, such as
application developer roles. This separation of duties helps maintain a clear boundary between
those responsible for database administration and those responsible for application development.

1.5 CREATE SESSION ROLE


• The CREATE SESSION privilege is required for a user to connect to an Oracle database.
• Traditionally, this was accomplished through a predefined role (it exists when you install
Oracle) named CONNECT.
• In current versions of the Oracle database, CONNECT has only one privilege. But in this
case, as with the DBA role, Oracle recommends that administrators create their own roles and not
rely on the predefined roles (like CONNECT). Do this as SYS:

    CREATE ROLE create_session_role NOT IDENTIFIED;
    GRANT CREATE SESSION TO create_session_role;

• We will assign this role to all users of the database. It would take the same effort to grant the
CREATE SESSION privilege to each user as it takes to grant create_session_role.
• However, roles have an advantage as a centralization of privileges. For example, if we wanted
to quickly give another privilege to all users, we could grant it to create_session_role.
• More likely, you may need to keep the database running but want to prevent all users from
connecting to it. This can be done with a single command, revoking CREATE SESSION from
create_session_role.
• The only odd feature is the NOT IDENTIFIED keyword.
• This simply indicates that when a user acquires that role, we have no password or encrypted
process to verify their access to it. A role of this type must be granted to a user (or other role) by
an administrative command.
• Usually, roles designated as NOT IDENTIFIED are also default roles, which a user acquires
automatically when they connect to the Oracle database.
• This is the most common configuration for a role.

Using roles
• Most roles are created as default roles. When a user connects to an Oracle database, they
acquire all of their default roles and all of the privileges associated with those roles.
• Any normal NOT IDENTIFIED role can be set as default or not as default.
• When we set our role to a new role, that role becomes the only role in use, even if other roles
were in use previously.
• Fortunately, the session has already been created (we are already logged in when the new role
is set), so we can bear to lose the create_session_role.

EXAMPLE
The below figure shows database administrator role at different levels.

Fig 1.3 Relation between DBA and Users


Note: Copyrights of this figure are reserved to original author
1.6 SECURITY ADMINISTRATOR USER

• The security administrator will be a separate non-personal user; that is, an account and password
that can be delegated to various people who rotate in and out of the job responsibility.
• The security administrator will perform tasks that would typically be performed by a DBA or
even SYS, but we will limit the privileges we grant to the security administrator to only aspects
related to application security.
• First of all, as SYS, we will create the user secadm and grant it the create_session_role, in one
step.
• Substitute a real password for “password” in this command:

    GRANT create_session_role TO secadm IDENTIFIED BY password;

1.7 SECURITY ADMINISTRATOR ROLE VERIFICATION

• All the privileges that the security administrator needs will be granted to secadm_role, so we
are going out of our way to protect it.
• The keywords IDENTIFIED USING sys.p_check_secadm_access indicate that when a user
attempts to acquire secadm_role, he will have to get it from the procedure named
p_check_secadm_access, which exists in the SYS schema.
• A stored procedure (procedure) is a named block of Procedural Language/Structured Query
Language (PL/SQL) code that is stored and run (executed) on the Oracle database. Generally,
a procedure takes parameters and does work.
• It can also return information through its parameters. In Oracle there are also stored functions
(functions), which are very similar to procedures except that they usually take values; do lookups
or calculations; and then return a single value as the result.
• We will be using both procedures and functions.
• The specific procedure used for verifying secadm_role, p_check_secadm_access, does not
take any parameters (arguments or values passed to the procedure for evaluation), and does not
return any results.
• Most procedures do take parameters, but they don’t have to. We are creating the procedure to
be used for acquiring the security administrator role.
• Note that the simple goal I have for this procedure is to require that the security administrator
be running on the same computer as the Oracle database server (the IP address 127.0.0.1 is also
known as the localhost or the loopback address).
• This requirement may not be appropriate for your system; if not, you can still create the
procedure, but comment out the three lines that start with IF, THEN, and END IF by placing two
dashes (minus signs) in front of each of them.
• You can execute this command as SYS, and the procedure will be created.

Listing 2-1. p_check_secadm_access Procedure for Secure App Role

    CREATE OR REPLACE PROCEDURE sys.p_check_secadm_access
    AUTHID CURRENT_USER
    AS
    BEGIN
        -- This is a comment
        IF( SYS_CONTEXT( 'USERENV', 'IP_ADDRESS' ) = '127.0.0.1' )
        THEN
            EXECUTE IMMEDIATE 'SET ROLE secadm_role';
        END IF;
    END;
    /
• We will want to come back and visit (replace) this procedure later, adding whatever
additional security constraints we deem appropriate.
• For now, our Security Administrator must be connected directly to the Oracle Database
(running SQL*Plus on the server.)
• As a programmer, you will already understand the IF/THEN/END IF syntax and realize there
are other PL/SQL grammar requirements like the BEGIN/END and the semicolons.
• Look at the code between the BEGIN flag and the last END flag. Between there it says, in
English, “if the user’s environment has an Internet Protocol (IP) address of the local host, then
immediately set his role to secadm_role.”
• We are using the SYS_CONTEXT context to get the IP address from the user environment,
and we are determining if the address is equal to 127.0.0.1 (localhost).
• If that test is true, then we immediately set the role for the current session to secadm_role.

1.8 SECURITY ADMINISTRATOR ACQUISITION

We are not nearly done defining our Security Administrator yet.


• We need to permit the Security Administrator to execute the procedure we created. We do
that by issuing the following command:
GRANT EXECUTE ON sys.p_check_secadm_access TO secadm;
• Notice that we don’t need to grant secadm_role to secadm; rather, if the user meets all the
requirements of the procedure (p_check_secadm_access), then that IDENTIFIED USING procedure
will set his role to secadm_role.
• There is a similar restriction here: either you grant a role, or you grant the ability to run a
procedure, which will define the role. In either case, you restrict access to the role by requiring a
specific assignment. However, by using the procedure to define the role, you can place other access
restrictions.
• Note that in this case, we are granting a privilege (to execute the procedure) to a user directly,
instead of, as we recommended previously, granting permissions to a role and granting the role to a
user.
• Every rule has exceptions! The reason for this specific exception is that we protect a role with
a procedure.
• We do not need to further protect the procedure with a role.
• The Security Administrator, secadm user can acquire secadm_role by executing the procedure
as shown below.
• In fact, every time secadm connects to Oracle Database, he will need to call that procedure to
get the secadm_role role.
EXEC sys.p_check_secadm_access;
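
The steps of sections 1.5 to 1.8 put together in order, as an added example that is not code from the original chapter. The CREATE ROLE ... IDENTIFIED USING statement is written out from the keywords described in section 1.7; the password placeholder, the two-statement user creation and the dictionary queries are assumptions added here.

```sql
-- Added example (constructed). Not on the page: the password placeholder,
-- CREATE USER as a separate statement, and the review queries.

-- ===== As SYS =====
-- Connect role (section 1.5).
CREATE ROLE create_session_role NOT IDENTIFIED;
GRANT CREATE SESSION TO create_session_role;

-- Security administrator account (section 1.6), written as two statements
-- instead of the single GRANT ... IDENTIFIED BY form used in the text.
CREATE USER secadm IDENTIFIED BY "REPLACE_WITH_REAL_PASSWORD";
GRANT create_session_role TO secadm;

-- Gatekeeper procedure (Listing 2-1). AUTHID CURRENT_USER is required:
-- SET ROLE is only permitted from invoker's-rights code.
CREATE OR REPLACE PROCEDURE sys.p_check_secadm_access
AUTHID CURRENT_USER
AS
BEGIN
    IF SYS_CONTEXT('USERENV', 'IP_ADDRESS') = '127.0.0.1' THEN
        EXECUTE IMMEDIATE 'SET ROLE secadm_role';
    END IF;
END;
/

-- The protected role (section 1.7): it can be enabled only from inside
-- the named procedure.
CREATE ROLE secadm_role IDENTIFIED USING sys.p_check_secadm_access;

-- secadm receives EXECUTE on the procedure, not a grant of the role
-- (section 1.8).
GRANT EXECUTE ON sys.p_check_secadm_access TO secadm;

-- Review: how each role is protected, and who can reach the gatekeeper.
-- Assumes a release whose DBA_ROLES view has AUTHENTICATION_TYPE.
SELECT role, authentication_type
FROM   dba_roles
WHERE  role IN ('CREATE_SESSION_ROLE', 'SECADM_ROLE');

SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'P_CHECK_SECADM_ACCESS';

-- ===== As secadm, connected through the listener on the loopback address =====
-- IP_ADDRESS is filled in only for TCP sessions. A local bequeath login
-- reports NULL there, so the IF test is not true and no role is set.
SELECT SYS_CONTEXT('USERENV', 'IP_ADDRESS')       AS ip_address,
       SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL') AS protocol
FROM   dual;

SELECT role FROM session_roles;   -- enabled roles before the call
EXEC sys.p_check_secadm_access;
SELECT role FROM session_roles;   -- enabled roles after the call; SET ROLE
                                  -- replaces the previously enabled set

-- ===== As SYS: the central switch described in section 1.5 =====
-- Logins that depend on create_session_role are refused until re-granted.
REVOKE CREATE SESSION FROM create_session_role;
GRANT CREATE SESSION TO create_session_role;
```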

SELF ASSESSMENT QUESTIONS

1. Which of the following is NOT a benefit of using user roles?


A. Increased security
B. Reduced administrative overhead
C. Improved performance
D. Easier user management

2. Which of the following commands can be used to create a new user role?
A. CREATE ROLE
B. GRANT ROLE
C. REVOKE ROLE
D. ALTER ROLE

3. Which of the following commands can be used to grant a user role to another user?
A. CREATE ROLE
B. GRANT ROLE
C. REVOKE ROLE
D. ALTER ROLE

4. Which of the following commands can be used to revoke a user role from another user?
A. CREATE ROLE
B. GRANT ROLE
C. REVOKE ROLE
D. ALTER ROLE

5. What is the difference between a user role and a scheme?


A. A user role is a logical grouping of users, while a scheme is a logical grouping of database
objects.
B. A user role can only be created by a system administrator, while a scheme can be created by
any user.
C. A user role can only be granted to users, while a scheme can be granted to users, roles, or other
schemes.
D. All of the above.

6. Which of the following commands can be used to create a new schema?


A. CREATE USER
B. CREATE ROLE
C. CREATE SCHEMA
D. CREATE TABLE

7. Which of the following commands can be used to grant a schema to a user or role?
A. GRANT SCHEMA
B. GRANT OBJECT
C. REVOKE SCHEMA
D. ALTER SCHEMA

8. Which of the following commands can be used to revoke a schema from a user or role?
A. GRANT SCHEMA
B. GRANT OBJECT
C. REVOKE SCHEMA
D. ALTER SCHEMA

9. What is the difference between a public schema and a private schema?


A. A public schema is accessible to all users, while a private schema is only accessible to the user
who created it.
B. A public schema can be modified by any user, while a private schema can only be modified by
the user who created it.
C. A public schema cannot be deleted, while a private schema can be deleted.
D. All of the above.

10. Which CIA triangle element provides information protection from loss or destruction?
a) Confidentiality
b) Integrity
c) Availability

11. Which of the following is an example of an active security attack?


a) Eavesdropping
b) Password cracking
c) Man-in-the-middle attack
d) Traffic analysis

12. Which security mechanism provides confidentiality for data transmission?


a) Hash function
b) Digital signature
c) Symmetric encryption
d) Intrusion Detection System (IDS)

13. Which security service ensures that data is not altered during transmission?
a) Authentication
b) Integrity
c) Availability
d) Non-repudiation

14. Which security service provides proof of the origin and integrity of data?
a) Authentication
b) Confidentiality
c) Non-repudiation
d) Availability
15. Which security mechanism is used to prevent unauthorized access to a network?
a) Firewall
b) Public key infrastructure (PKI)
c) Intrusion Detection System (IDS)
d) Virtual Private Network (VPN)

16. Which security attack aims to disrupt or overload a system or network?


a) Eavesdropping
b) Brute-force attack
c) Denial of Service (DoS) attack
d) Phishing attack

17. Which security service ensures that only authorized users can access resources?
a) Authorization
b) Confidentiality
c) Availability
d) Non-repudiation

18. Which security mechanism provides a secure method for exchanging encryption keys?
a) Digital signature
b) Hash function
c) Key distribution center (KDC)
d) Public key cryptography

19. Which security attack involves the interception and capture of data during transmission?
a) Spoofing attack
b) Replay attack
c) Man-in-the-middle attack
d) Phishing attack

20. Which model is used to describe network security goals and mechanisms?
a) OSI model
b) TCP/IP model
c) Kerberos model
d) CIA model
21. The CIA model stands for:
a) Confidentiality, Integrity, Authentication
b) Confidentiality, Integrity, Availability
c) Cryptography, Intrusion Detection, Authorization
d) Communication, Integrity, Access control

22. Which security goal ensures that data is not disclosed to unauthorized parties?
a) Confidentiality
b) Integrity
c) Availability
d) Non-repudiation

23. The process of converting plaintext into cipher-text is known as:


a) Decryption
b) Authentication
c) Hashing
d) Encryption

TERMINAL QUESTIONS
1. What are the different types of user roles in Oracle Database?
2. How do you create a new user role?
3. How do you grant a user role to another user?
4. How do you revoke a user role from another user?
5. Summarize DBA Roles with user activities?
6. How do you list all users in an Oracle database using SQL on the command line?
7. How do you create a new user with a specific tablespace in Oracle using SQL on the
command line?
8. How do you grant a user the CONNECT and RESOURCE roles in Oracle using SQL on the
command line?
9. How do you create a schema for a user in Oracle using SQL on the command line?
10. How do you change the password of an existing user in Oracle using SQL on the command
line?
11. How do you list the objects (tables, views, etc.) owned by a specific user in Oracle using
SQL on the command line?
