No...each user has to enter their own old password into a field on the web form, then enter their new password. If the old password is incorrect, the process *should* throw an error.

The only way Bob could change Susan's password is if he knows the old one. That never happens, does it? ;)

But that does give me the idea of an administrator-type function to change another user's password, similar to a DBA's use of 'alter user...'.

And I know I am displaying my ignorance here, but what is 'SQL Injection'?

Cheers,
Mike
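Mike's design (a web form that takes the old and new password, then hands off to a PL/SQL module owned by an admin user) and Jared's two concerns (SQL injection, and Bob changing Susan's password) are illustrated by the following added example, which is not code from this thread. It assumes a definer's-rights procedure in an admin schema that holds ALTER USER as a direct grant, that the web user has logged in to the central database with his or her own still-valid account, and Oracle's DBMS_ASSERT package, which postdates this 2004 thread.

```sql
-- Added example (not from the thread). Assumes: created in an admin schema
-- that holds ALTER USER as a direct grant (roles are disabled inside
-- definer's-rights PL/SQL); the web user has logged in to this database with
-- his or her own account and has EXECUTE on the procedure; DBMS_ASSERT is
-- available (it postdates this 2004 thread).
CREATE OR REPLACE PROCEDURE change_my_password (p_new_password IN VARCHAR2)
AUTHID DEFINER
IS
    -- The target account comes from the authenticated session, not from a
    -- form field, so Bob has no way to name Susan's account.
    l_user  VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
    l_count PLS_INTEGER;
BEGIN
    -- Refuse to touch administrative accounts even if one of them calls us.
    -- Bind variables throughout: nothing from the caller is concatenated here.
    SELECT COUNT(*)
      INTO l_count
      FROM all_users
     WHERE username = l_user
       AND username NOT IN ('SYS', 'SYSTEM');
    IF l_count = 0 THEN
        RAISE_APPLICATION_ERROR(-20001, 'account not eligible for self-service');
    END IF;

    -- ALTER USER accepts no bind variables, so the statement has to be built
    -- as text. Allowlist the password first: a value containing a double
    -- quote could otherwise close the quoted password and append further
    -- clauses to the statement (the SQL injection Jared refers to).
    IF p_new_password IS NULL
       OR LENGTH(p_new_password) NOT BETWEEN 8 AND 30
       OR NOT REGEXP_LIKE(p_new_password, '^[[:alnum:]_#$]+$')
    THEN
        RAISE_APPLICATION_ERROR(-20002,
            'password must be 8-30 characters from [A-Za-z0-9_#$]');
    END IF;

    -- ENQUOTE_NAME double-quotes the identifier and raises an error if it
    -- already contains a double quote; FALSE keeps the stored case.
    EXECUTE IMMEDIATE 'ALTER USER ' || DBMS_ASSERT.ENQUOTE_NAME(l_user, FALSE)
                   || ' IDENTIFIED BY "' || p_new_password || '"';
END change_my_password;
/
```

Because the caller's own login already verified the old password, the routine never handles it, and because the target is taken from the session, the only account a user can change is his or her own.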
I'm not a security expert, but it seems to me there are some exploits you would need to take into consideration.

SQL Injection comes to mind.

Also, if 2+ users have expired passwords, do you have a mechanism to prevent user Bob (with an expired account) from changing Susan's password (also expired)?

Are the passwords generated and then mailed to the correct user?

Jared
"Vergara, Michael (TEM)" <mvergara@guidant.com>
Sent by: oracle-l-bounce@freelists.org
02/23/2004 03:20 PM
Please respond to oracle-l
To: <oracle-l@freelists.org>
cc:
Subject: RE: Slightly OT: Java in the DB
Ahhh...but that's the trick! The user's only authentication is to the admin database. Once the user clicks on 'Submit' I was intending to hand it off to a PL/SQL module owned by an admin user. The 'real' user never sees that part.
-----Original Message-----
From: Jared.Still@radisys.com [mailto:Jared.Still@radisys.com]
Sent: Monday, February 23, 2004 3:09 PM
To: oracle-l@freelists.org
Subject: RE: Slightly OT: Java in the DB
Creating an app that allows users to connect to the database as a DBA to change passwords sounds like it has good potential for security holes.

You sure you want to do this?

How often does a user with an expired account really need to do this?

Jared
"Vergara, Michael (TEM)" <mvergara@guidant.com>
Sent by: oracle-l-bounce@freelists.org
02/23/2004 01:11 PM
Please respond to oracle-l
To: <oracle-l@freelists.org>
cc:
Subject: RE: Slightly OT: Java in the DB
What I am trying to do seems so simple that I still cannot believe I'm not done yet!

I want to build a web page where a 'normal' (non-privileged) user can go, enter his/her login, see a list of the DBs where he/she has an account, enter a new password, click a checkbox (or -boxes), and have the web page call a <Choose-the-utility-here> routine to go out and update the user's password on the selected DBs.

I can do everything except get the DB update to work.

There's no daemon. This is intended to be an on-demand utility. There's a central server/instance that has definitions to all the DBs in the TNSNAMES.ORA file. From this DB I harvest the user logins nightly, to build the list to present to the user. I *know* I can connect, although to do the harvest I create a temporary database link, instead of using Java or whatever.

It's the silly step of changing the password. The problem is that the user may wait until after the p/w has expired, so they cannot log in. I found the OCINewPassword routine will do a password change even on an expired login. But ARG! This is the second (or is it third) method I've tried and they have all had one kind of issue or another.

Any more suggestions?

Thanks,
Mike
-----Original Message-----
From: Mladen Gogala [mailto:mladen@wangtrading.com]
Sent: Monday, February 23, 2004 12:21 PM
To: oracle-l@freelists.org
Subject: Re: Slightly OT: Java in the DB
Exactly what are you trying to do?

For having a daemon (or demon, for that matter) lurking in the darkness of the central server and resetting expired passwords, the daemon needs to maintain a permanent connection with sufficient privileges to change any user's password, typically a dba connection. If your DBA doesn't use profiles, with the idle time limitation, you can have a permanently connected process which would change the password as soon as it was signalled to him. The question is: what would the password be changed to? There are strings which are extremely hard to guess (username, "qwerty", "password", "tiger") and which would make your username secure. At one of my places of work, I've witnessed the following story: a tech support expert leaves a unix workstation logged in, as root, and goes home at 6 PM, when cleaning ladies entered the office. One of the cleaning ladies had a 14-year-old son who wanted to check the old joke with "rm -rf /". He found out that it really does destroy everything on a unix system. Now, you are absent, your password expires at 7 P.M. and there is an eager help desk person who wants to test "drop tablespace FIN_DATA including contents and datafiles cascade constraints" that he or she has seen written somewhere. I'll leave the rest of the story to you.
----------------------------------------------------------------
Please see the official ORACLE-L FAQ: http://www.orafaq.com
----------------------------------------------------------------
To unsubscribe send email to: oracle-l-request@freelists.org
put 'unsubscribe' in the subject line.
--
Archives are at http://www.freelists.org/archives/oracle-l/
FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html
Received on Tue Feb 24 2004 - 09:26:54 CST