Daniel John Debrunner wrote: > Daniel John Debrunner wrote: > > >>Creating an external routine would have all sorts of security concerns >>for a database owner, it's allowing a remote user to execute code on >>their system. > > > I thought of a fairly clean solution for this in the 10.2 timeframe: > > Allow creation of Java routines (functions & procedures). >
> 2) Allow execution of Java routines that map into a public static method > loaded from a jar file installed into the database using > sqlj.install_jar. This is ok because the database owner must have > granted permission to install the jar and set the database classpath so > they showed they trusted the user already. This one may need to be more specific, maybe only if the jar file was installed in a schema owned by the routine owner. I found out that there is a USAGE permission on jar files, so if we want to support that in the future we would need to restrict access now to jars owned by the user. I need to look at this some more. Dan.
