
RE: Slightly OT: Java in the DB

From: Vergara, Michael (TEM) <mvergara_at_guidant.com>
Date: Mon, 23 Feb 2004 15:20:27 -0800
Message-ID: <791D0E1ECDECD04D89205F33806FC38701E91BFC@temmse06.tem.guidant.com>



Ahhh...but that's the trick! The user's only authentication is to the admin database. Once the user clicks on 'Submit' I was intending to hand it off to a PL/SQL module owned by an admin user. The 'real' user never sees that part.

-----Original Message-----

From: Jared.Still_at_radisys.com [mailto:Jared.Still_at_radisys.com]
Sent: Monday, February 23, 2004 3:09 PM
To: oracle-l_at_freelists.org
Subject: RE: Slightly OT: Java in the DB

Creating an app that allows users to connect to the database as a DBA to change a password sounds like it has good potential for security holes.

You sure you want to do this?

How often does a user with an expired account really need to do this?

Jared

"Vergara, Michael (TEM)" <mvergara_at_guidant.com>
Sent by: oracle-l-bounce_at_freelists.org
02/23/2004 01:11 PM
Please respond to oracle-l

To: <oracle-l_at_freelists.org>
cc:
Subject: RE: Slightly OT: Java in the DB



What I am trying to do seems so simple that I still cannot believe I'm not done yet!

I want to build a web page where a 'normal' (non-privileged) user can go, enter his/her login, see a list of the DB's where he/she has an account, enter a new password, click a checkbox (or -boxes), and have the web page call a <Choose-the-utility-here> routine to go out and update the user's password on the selected DBs.

I can do everything except get the DB update to work.

There's no daemon. This is intended to be an on-demand utility. There's a central server/instance that has definitions to all the DBs in the TNSNAMES.ORA file. From this DB I harvest the user logins nightly, to build the list to present to the user. I *know* I can connect, although to do the harvest I create a temporary database link, instead of using Java or whatever.

It's the silly step of changing the password. The problem is that the user may wait until after the p/w has expired, so they cannot log in. I found the OCINewPassword routine will do a password change even on an expired login. But ARG! This is the second (or is it third) method I've tried and they have all had one kind of issue or another.

Any more suggestions?

Thanks,
Mike

-----Original Message-----

From: Mladen Gogala [mailto:mladen_at_wangtrading.com]
Sent: Monday, February 23, 2004 12:21 PM
To: oracle-l_at_freelists.org
Subject: Re: Slightly OT: Java in the DB

Exactly what are you trying to do? For having a daemon (or demon, for that matter) lurking in the darkness of the central server and resetting expired passwords, the daemon needs to maintain a permanent connection with sufficient privileges to change any user's password, typically, a dba connection. If your DBA doesn't use profiles, with the idle time limitation, you can have a permanently connected process which would change password as soon as it was signalled to him. The question is: what would the password be changed to? There are strings which are extremely hard to guess (username, "qwerty", "password", "tiger") and which would make your username secure. At one of my places of work, I've witnessed the following story: a tech support expert leaves a unix workstation logged in, as root, and goes home at 6 PM, when cleaning ladies entered the office. One of the cleaning ladies had a 14-year-old son who wanted to check the old joke with "rm -rf /". He found out that it really does destroy everything on a unix system. Now, you are absent, your password expires at 7 P.M. and there is an eager help desk person who wants to test "drop tablespace FIN_DATA including contents and datafiles cascade constraints" that he or she has seen written somewhere. I'll leave the rest of the story to you.



Please see the official ORACLE-L FAQ: http://www.orafaq.com

To unsubscribe send email to: oracle-l-request_at_freelists.org put 'unsubscribe' in the subject line.
--

Archives are at http://www.freelists.org/archives/oracle-l/ FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html

Received on Mon Feb 23 2004 - 17:17:27 CST
