{"id":1501,"date":"2017-05-06T22:34:23","date_gmt":"2017-05-06T22:34:23","guid":{"rendered":"http:\/\/nenadnoveljic.com\/blog\/?p=1501"},"modified":"2021-05-01T14:58:59","modified_gmt":"2021-05-01T14:58:59","slug":"oracle-jdbc-security","status":"publish","type":"post","link":"https:\/\/nenadnoveljic.com\/blog\/oracle-jdbc-security\/","title":{"rendered":"Oracle JDBC Security"},"content":{"rendered":"

ALLOWED_LOGON_VERSION_SERVER<\/h1>\n

The default behavior of Oracle database is to support connections coming from Oracle clients with lower, less secure versions of the authentication protocol. Since the negotiation process is seamless, there is no alert for the degradation of security if the database adjusts to a less secure client. There is a sqlnet.ora parameter SQLNET.ALLOWED_LOGON_VERSION_SERVER<\/a> to set the minimum authentication protocol allowed when connecting to Oracle Database instances. If the database client doesn’t support the defined authentication protocol, the error ORA-28040: No matching authentication protocol<\/em> will be returned to the client.<\/p>\n

I set different values for the SQLNET.ALLOWED_LOGON_VERSION_SERVER on a 12.2.0.1 database and tested various Oracle clients to find out which versions of the authentication protocols are effectively used by different clients. I repeated the tests for JDBC and instant clients and was surprised to find out that JDBC uses sometimes less secure authentication protocols than the regular and instant clients of the same version.<\/p>\n

JDBC<\/h1>\n

If you would like to test for yourself I’m providing the java class saved in ConnectDB.java:<\/p>\n

import java.sql.DriverManager;\nimport java.sql.Connection;\nimport java.sql.SQLException;\n\npublic class ConnectDB {\n    public static void main(String[] argv) {\n        try {\n            Class.forName(\"oracle.jdbc.driver.OracleDriver\");\n        } catch (ClassNotFoundException e) {\n            e.printStackTrace();\n            return;\n        }\n\n\ttry {\n            connection = DriverManager.getConnection(\n                \"jdbc:oracle:thin:@localhost:1521:DB\", \"user\", \"password\");\n        } catch (SQLException e) {\n            e.printStackTrace();\n            return;\n        }\n    }\n}<\/code><\/pre>\n
Compile the class with the following command:<\/p>\n
javac ConnectDB.java<\/code><\/pre>\n
And run it like this:<\/p>\n
java  -cp .:.\/ojdbc7.jar ConnectDB<\/code><\/pre>\n
Test Results<\/h1>\n
The following table provides an overview of the authentication protocol versions supported by various Oracle clients:
\n\n\n\n\n\t\n\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t\n\t
Client Version<\/th>Type<\/th>Protocol Version<\/th>\n<\/tr>\n<\/thead>\n
12.2.0.1<\/td>regular<\/td>12a<\/td>\n<\/tr>\n
12.2.0.1<\/td>instant<\/td>12a<\/td>\n<\/tr>\n
12.2.0.1<\/td>JDBC<\/td>12a<\/td>\n<\/tr>\n
12.1.0.2<\/td>regular<\/td>12a<\/td>\n<\/tr>\n
12.1.0.2<\/td>instant<\/td>12a<\/td>\n<\/tr>\n
12.1.0.2<\/td>JDBC<\/td>12<\/td>\n<\/tr>\n
12.1.0.1<\/td>regular<\/td>12<\/td>\n<\/tr>\n
12.1.0.1<\/td>instant<\/td>12<\/td>\n<\/tr>\n
12.1.0.1<\/td>JDBC<\/td>12<\/td>\n<\/tr>\n
11.2.0.4<\/td>regular<\/td>12<\/td>\n<\/tr>\n
11.2.0.4<\/td>instant<\/td>12<\/td>\n<\/tr>\n
11.2.0.4<\/td>JDBC<\/td>12<\/td>\n<\/tr>\n
10.2.0.5<\/td>instant<\/td>11<\/td>\n<\/tr>\n
10.2.0.5<\/td>JDBC<\/td>8<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\nThe JDBC drivers which support lower versions of the authentication protocol than the regular and instant clients of the same version are marked red. Note that the authentication protocol version doesn’t necessarily correspond to the database version.<\/p>\n
Below are some conclusions derived from the table above:<\/p>\n