1
votes

Is there a way to bring the encryption features of Oracle Advanced Security into Spring JDBC dataSource configuration?

The DBA told me to pass the following arguments into the connection on client side.

sqlnet.encryption_client = requested
sqlnet.encryption_types_client = (RC4_128)
sqlnet.crypto_checksum_client = requested
sqlnet.crypto_checksum_types_client = (MD5)

According to the Oracle Documentation, encryption can be set for the thin driver by adding the arguments to the OracleConnection via good old java.util.Properties.

However, I cannot find a way of doing this with my Spring dataSource.xml configuration.
The dataSource bean works fine:

<bean id="dataSource"
    class="oracle.jdbc.pool.OracleDataSource" destroy-method="close"> 
    <property name="URL" value="${datasource.url}" />
    <property name="user" value="${datasource.user}" />
    <property name="password" value="${datasource.password}" />
    <property name="connectionCachingEnabled" value="true"/>
</bean>

But unfortunately the required properties aren't understood and bring the following Exception:

Caused by: org.springframework.beans.NotWritablePropertyException: Invalid property 'encryption_client' of bean class [oracle.jdbc.pool.OracleDataSource]


    <property name="encryption_client" value="${datasource.encryption_client}"/>
    <property name="encryption_types_client" value="${datasource.encryption_types_client}"/>
    <property name="crypto_checksum_client" value="${datasource.crypto_checksum_client}"/>
    <property name="crypto_checksum_types_client" value="${datasource.crypto_checksum_types_client}"/>

  1. In the Spring documentation I see that there are only a handful of attributes mentioned.
  2. Looking again at the example in the Oracle Documentation, the properties are set like this:
     OracleDataSource ods = new OracleDataSource(); ods.setProperties(prop)
     ... but the API hasn't a setProperties() method.
     (https://docs.oracle.com/cd/E18283_01/appdev.112/e13995/oracle/jdbc/pool/OracleDataSource.html)

I'm quite confused :(
Any help or hint is highly appreciated.

TL;DR
Is there any solution for handing over these Oracle encryption properties to Spring?

2 Answers

2
votes

The Oracle properties are not given in the Spring DataSource API, so you have to set the additional properties after the bean is initialized. You can do this with a class that implements BeanPostProcessor. Also, since this is Spring, you need to get a handle to the current dataSource to set the additional properties without blowing up the bean init. You cannot use Autowire in the class because then the PostProcessor will skip that bean. So you have to cast the bean. Then you can use setConnectionProperties to set the parameters required by Oracle, rather than setting the properties in the Spring bean, which will not work and gives the error described above.

Also you should fix the title of this topic Secuity-->Security. Sorry if the formatting is off as I am new to posting answers.

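import java.util.Properties;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.jdbc.datasource.DriverManagerDataSource;
import org.springframework.stereotype.Component;

@Component
public class OracleConfigurer implements BeanPostProcessor {

    private static final Logger LOG = LoggerFactory.getLogger(OracleConfigurer.class);

    @Override
    public Object postProcessBeforeInitialization(Object bean, String name) throws BeansException {
        if (bean instanceof DriverManagerDataSource) {
            DriverManagerDataSource dataSource = (DriverManagerDataSource) bean;
            // Start from any connection properties already configured on the bean.
            Properties properties = dataSource.getConnectionProperties();
            if (properties == null) {
                properties = new Properties();
            }
            // Oracle thin-driver network encryption and checksum settings.
            properties.put("oracle.net.encryption_types_client", "(AES256)");
            properties.put("oracle.net.crypto_checksum_client", "REQUIRED");
            properties.put("oracle.net.encryption_client", "REQUIRED");
            dataSource.setConnectionProperties(properties);
            LOG.debug("Set Oracle encryption connection properties on bean '{}'", name);
        }
        return bean;
    }

    @Override
    public Object postProcessAfterInitialization(Object bean, String name) throws BeansException {
        // Nothing to do after initialization; hand the bean back unchanged.
        return bean;
    }
}
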
-1
votes

Please refer to OracleConnection, which has the correct names for security-related connection properties. For example:

import java.util.Properties;
import oracle.jdbc.OracleConnection;
import oracle.jdbc.pool.OracleDataSource;

Properties connProps = new Properties();

// For Data Integrity Check
// The value below enumerates the algorithms to choose from; replace it with the chosen one(s).
connProps.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_CHECKSUM_TYPES, "( MD5, SHA1, SHA256, SHA384 or SHA512 )");
connProps.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_CHECKSUM_LEVEL, "REQUIRED");

// For Data Encryption
connProps.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL, "REQUIRED");
connProps.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_TYPES, "(DES40C)");

// OracleDataSource – Oracle JDBC Connection
OracleDataSource ods = new OracleDataSource();
ods.setConnectionProperties(connProps);

Also, refer to the Security section of the Connection Management Strategies whitepaper and also the Security Whitepaper.
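
Added example (not part of the question or either answer): the connection properties from the answers applied to the asker's OracleDataSource in Spring Java configuration, followed by a startup check that encryption and integrity were actually negotiated. The class name EncryptedOracleDataSourceConfig and the helper verifyNegotiated are hypothetical. It assumes the Oracle thin driver and Spring are on the classpath, and that driver and server both support AES256 and SHA256.

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.util.Properties;
import javax.sql.DataSource;
import oracle.jdbc.OracleConnection;
import oracle.jdbc.pool.OracleDataSource;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class EncryptedOracleDataSourceConfig { // hypothetical class name

    @Bean
    public DataSource dataSource(@Value("${datasource.url}") String url,
                                 @Value("${datasource.user}") String user,
                                 @Value("${datasource.password}") String password) throws SQLException {
        Properties props = new Properties();
        // REQUIRED makes the connect fail if the server will not negotiate;
        // "requested" lets the session proceed unprotected when the server rejects it.
        props.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_LEVEL, "REQUIRED");
        props.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_ENCRYPTION_TYPES, "(AES256)");
        props.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_CHECKSUM_LEVEL, "REQUIRED");
        // Assumption: driver and server both support SHA256 checksums.
        props.setProperty(OracleConnection.CONNECTION_PROPERTY_THIN_NET_CHECKSUM_TYPES, "(SHA256)");

        OracleDataSource ods = new OracleDataSource();
        ods.setURL(url);
        ods.setUser(user);
        ods.setPassword(password);
        ods.setConnectionProperties(props);
        verifyNegotiated(ods); // fail application startup rather than run in cleartext
        return ods;
    }

    // Opens one connection and throws unless both protections are active on it.
    static void verifyNegotiated(DataSource ds) throws SQLException {
        try (Connection c = ds.getConnection()) {
            OracleConnection oc = c.unwrap(OracleConnection.class);
            String enc = oc.getEncryptionAlgorithmName();
            String mac = oc.getDataIntegrityAlgorithmName();
            if (enc == null || enc.isEmpty() || mac == null || mac.isEmpty()) {
                throw new SQLException("Oracle session not protected: encryption="
                        + enc + ", integrity=" + mac);
            }
        }
    }
}
```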