Re: JDBC connection using externally identified user

From: Peter Hitchman <pjhoraclel_at_gmail.com>
Date: Fri, 26 Oct 2007 14:03:38 +0100
Message-ID: <5e317f310710260603g6cee8dbdk8b38e355c921e18b@mail.gmail.com>


Hmm,
Yes, you are right. I am doing this for a development database only, to get the developers working in JDBC using their ops$ login without the need to create specific accounts. In the longer run the application code will run from a machine separate from the database server, so I will need a more secure solution. But I am not a fan of specific "pseudo" accounts created on the database that get encoded in connection strings; the passwords always get out, and then something bad happens and the DBA has no real idea who did it.

Regards

Pete

On 10/26/07, Dan Norris <dannorris_at_dannorris.com> wrote:
>
> remote_os_authent=false should be a hidden parameter IMHO. When
> remote_os_authent=true, consider this scenario:
>
> 1. You set this parameter in your DB
> 2. I create a user on my desktop (or, if I lack privs on my desktop,
> install VMware Server, install a guest OS and create a user in that) that
> matches the OS-authenticated username in your DB
> 3. I can log in to your DB with that OS-authenticated user even though I'm
> not on your application server or DB server.
>
> remote_os_authent should be banned forever. Even a non-hacker like me can
> figure out how to exploit it, so it must be easy!
>
> So, it may work, but I suggest that you don't want it to work since the
> consequences may be great.
>
> Dan
>
> ----- Original Message ----
> From: Peter Hitchman <pjhoraclel_at_gmail.com>
> To: oracle-l <oracle-l_at_freelists.org>
> Sent: Friday, October 26, 2007 4:13:46 AM
> Subject: Re: JDBC connection using externally identified user
>
> Hi,
> I hit the same issue and after I allowed the database to allow remote OS
> authentication this worked in 10.2.0.3:
>
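> import java.sql.SQLException;
> import oracle.jdbc.pool.OracleDataSource;
>
> class testcon {
>
>     public static void main(String args[]) throws SQLException {
>         OracleDataSource ods = new OracleDataSource();
>         // OCI driver; empty user and password request OS (external) authentication
>         String url = "jdbc:oracle:oci:@<YOUR_SID>";
>         ods.setURL(url);
>         ods.setUser("");
>         ods.setPassword("");
>
>         // ... (rest of the program elided in the original post)
>     }
> }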
>
> Using the DriverManager it can look like this:
>
> .
> .
> DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver());
> Connection conn=DriverManager.getConnection("jdbc:oracle:oci:/@<YOUR_SID>");
> .
> .
>
> Regards
>
> Pete
>
>

-- 
Regards

Pete

--
http://www.freelists.org/webpage/oracle-l
Received on Fri Oct 26 2007 - 08:03:38 CDT
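
An added example, not part of the original thread: one way a DBA could audit the exposure discussed above, by checking whether `remote_os_authent` is enabled, listing the externally identified accounts, and seeing which client machines their sessions come from. It assumes a DBA-privileged session on a 10.2 database like the one in the thread.

```sql
-- Added audit example; assumes SELECT access to v$parameter, v$session,
-- v$instance and dba_users (for instance a DBA account).

-- 1. Is remote OS authentication enabled, and which prefix maps OS users
--    to database users (ops$ by default)?
SELECT name, value, isdefault
FROM   v$parameter
WHERE  name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Accounts created IDENTIFIED EXTERNALLY. On 10.2 dba_users.password
--    shows 'EXTERNAL'; on 11g and later filter on
--    authentication_type = 'EXTERNAL' instead.
SELECT username, account_status, created
FROM   dba_users
WHERE  password = 'EXTERNAL';

-- 3. Current sessions of those accounts, with the OS user and machine name
--    reported by the client. Rows whose machine is not the database host
--    (db_host) or a known application server are remote OS-authenticated
--    logins and deserve a closer look.
SELECT s.username, s.osuser, s.machine, s.program, s.logon_time,
       i.host_name AS db_host
FROM   v$session s
       JOIN dba_users u ON u.username = s.username
       CROSS JOIN v$instance i
WHERE  u.password = 'EXTERNAL'
ORDER  BY s.machine, s.logon_time;

-- 4. Once nothing depends on it, turn remote OS authentication off.
--    The parameter is static, so the change applies after an instance restart.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
```

The `osuser` and `machine` values in step 3 are supplied by the client, so treat them as a hint about where a session originated rather than as proof.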
