Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Mailing Lists -> Oracle-L -> Re: RE: Slightly OT: Java in the DB
-----Original Message-----
From: Jared.Still@radisys.com [mailto:Jared.Still@radisys.com]
Sent: Monday, February 23, 2004 5:52 PM
To: oracle-l@freelists.org
Subject: RE: Slightly OT: Java in the DB
I'm not a security expert, but it seems to me there are some
exploits you would need to take into consideration.
SQL Injection comes to mind.
Also, if 2+ users have expired passwords, do you have a
mechanism to prevent user Bob (with an expired account )
from changing Susans password ( also expired ) ?
Are the passwords generated and then mailed to the correct user?
Jared
"Vergara, Michael (TEM)" <mvergara@guidant.com>
Sent by: oracle-l-bounce@freelists.org02/23/2004 03:20 PM
Please respond to oracle-l
To: <oracle-l@freelists.org>
cc:
Subject: RE: Slightly OT: Java in the DB
Ahhh...but that's the trick! The user's only authentication is
to the admin database. Once the user clicks on 'Submit' I
was intending to hand it off to a PL/SQL module owned by an
admin user. The 'real' user never sees that part.
-----Original Message-----
From: Jared.Still@radisys.com [mailto:Jared.Still@radisys.com]
Sent: Monday, February 23, 2004 3:09 PM
To: oracle-l@freelists.org
Subject: RE: Slightly OT: Java in the DB
Creating an app that allows users to connect to the database as a
DBA to change a passwords sounds like it have good potential
for security holes.
You sure you want to do this?
How often does a user with an expired account really need to do this?
Jared
"Vergara, Michael (TEM)" <mvergara@guidant.com>
Sent by: oracle-l-bounce@freelists.org02/23/2004 01:11 PM
Please respond to oracle-l
To: <oracle-l@freelists.org>
cc:
Subject: RE: Slightly OT: Java in the DB
What I am trying to do seems so simple that I still cannot
believe I'm not done yet!
I want to build a web page where a 'normal' (non-privileged)
user can go, enter his/her login, see a list of the DB's
where he/she has an account, enter a new password, click a
checkbox (or -boxes), and have the web page call a <Choose-
the-utility-here> routine to go out and update the user's
password on the selected DBs.
I can do everything except get the DB update to work.
There's no daemon. This is intended to be an on-demand
utility. There's a central server/instance that has
definitions to all the DBs in the TNSNAMES.ORA file. From
this DB I harvest the user logins nightly, to build the list
to present to the user. I *know* I can connect, although to
do the harvest I create a temporary database link, instead of
using Java or whatever.
It's the silly step of changing the password. The problem is
that the user may wait until after the p/w has expired, so they
cannot log in. I found the OCINewPassword routine will do a
password change even on a expired login. But ARG! This is
the second (or is it third) method I've tried and they have all
had one kind of issue or another.
Any more suggestions?
Thanks,
Mike
-----Original Message-----
From: Mladen Gogala [mailto:mladen@wangtrading.com]
Sent: Monday, February 23, 2004 12:21 PM
To: oracle-l@freelists.org
Subject: Re: Slightly OT: Java in the DB
Exactly what are you trying to do? For having a daemon (or demon,
for that matter) lurking in the darnkness of the central server and
resetting expired passwords, the daemon needs to maintain a permanent
connection with sufficient privileges to change any user's password,
typically, a dba connection. If your DBA doesn't use profiles, with
the idle time limitation, you can have a permanently connected process
which would change password as soon as it was signalled to him. The
question is: what would the password be changed to? There are strings
which are extremely hard tu guess (username, "qwerty", "password", "tiger")
and which would make your username secure. At one of my places of
work, I've witnessed the following story: a tech support expert leaves
a unix worsktation logged in, as root, and goes home at 6 PM, when cleaning
ladies entered the office. One of the cleaning ladies had a 14 years old
son which wanted to check the old joke with "rm -rf /". He found out
that it really does destroy everything on a unix system. Now, you are absent,
your password expires at 7 P.M. and there is an eager help desk person who
wants to test "drop tablescpace FIN_DATA including contents and datafiles
cascade constraints" that he or she has seen written somewhere. I'll leave
the rest of the story to you.
----------------------------------------------------------------
Please see the official ORACLE-L FAQ: http://www.orafaq.com
----------------------------------------------------------------
To unsubscribe send email to: oracle-l-request@freelists.org
put 'unsubscribe' in the subject line.
--
Archives are at http://www.freelists.org/archives/oracle-l/
FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html
-----------------------------------------------------------------
-- Archives are at http://www.freelists.org/archives/oracle-l/ FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html -----------------------------------------------------------------Received on Tue Feb 24 2004 - 09:26:54 CST