RE: RE: Slightly OT: Java in the DB
I don't know...I'll have to try it and see.

Thanks for the tip.

Mike
-----Original Message-----
From: Cary Millsap [mailto:cary.millsap_at_hotsos.com]
Sent: Tuesday, February 24, 2004 7:44 AM
To: oracle-l_at_freelists.org
Subject: RE: RE: Slightly OT: Java in the DB
Can someone type the following response into your form's field?

fake-password' OR 'x'='x

That's an example of SQL injection. Type "sql injection" to google, and you'll get several thousand more examples.

Cary Millsap
Hotsos Enterprises, Ltd.
http://www.hotsos.com
Nullius in verba
Upcoming events:
- Performance Diagnosis 101 <http://www.hotsos.com/training/PD101.html>: 2/24 San Diego, 3/23 Park City, 4/6 Seattle
- Hotsos Symposium 2004 <http://www.hotsos.com/events/symposium/2004>: March 7-10 Dallas
- Visit www.hotsos.com for schedule details...
-----Original Message-----
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of ryan.gaffuri_at_cox.net
Sent: Tuesday, February 24, 2004 9:29 AM
To: oracle-l_at_freelists.org
Subject: Re: RE: Slightly OT: Java in the DB

No...each user has to enter their own old password into a
field on the web form, then enter their new password. If
the old password is incorrect, the process *should* throw
an error.

The only way Bob could change Susan's password is if he
knows the old one. That never happens, does it? ;)

But that does give me the idea of an administrator-type
function to change another user's password, similar to
a DBA's use of 'alter user...'.

And I know I am displaying my ignorance here, but what is
'SQL Injection'?

Cheers,
Mike

-----Original Message-----
From: Jared.Still_at_radisys.com [mailto:Jared.Still_at_radisys.com]
Sent: Monday, February 23, 2004 5:52 PM
To: oracle-l_at_freelists.org
Subject: RE: Slightly OT: Java in the DB
I'm not a security expert, but it seems to me there are some exploits you would need to take into consideration.

SQL Injection comes to mind.

Also, if 2+ users have expired passwords, do you have a mechanism to prevent user Bob (with an expired account) from changing Susan's password (also expired)?

Are the passwords generated and then mailed to the correct user?

Jared

"Vergara, Michael (TEM)" <mvergara_at_guidant.com>
Sent by: oracle-l-bounce_at_freelists.org
02/23/2004 03:20 PM
Please respond to oracle-l
To: <oracle-l_at_freelists.org>
cc:
Subject: RE: Slightly OT: Java in the DB
Ahhh...but that's the trick! The user's only authentication is
to the admin database. Once the user clicks on 'Submit' I
was intending to hand it off to a PL/SQL module owned by an
admin user. The 'real' user never sees that part.

-----Original Message-----
From: Jared.Still_at_radisys.com [mailto:Jared.Still_at_radisys.com]
Sent: Monday, February 23, 2004 3:09 PM
To: oracle-l_at_freelists.org
Subject: RE: Slightly OT: Java in the DB
Creating an app that allows users to connect to the database as a DBA to change a password sounds like it has good potential for security holes.

You sure you want to do this?

How often does a user with an expired account really need to do this?

Jared

"Vergara, Michael (TEM)" <mvergara_at_guidant.com>
Sent by: oracle-l-bounce_at_freelists.org
02/23/2004 01:11 PM
Please respond to oracle-l
To: <oracle-l_at_freelists.org>
cc:
Subject: RE: Slightly OT: Java in the DB
What I am trying to do seems so simple that I still cannot believe I'm not done yet!
I want to build a web page where a 'normal' (non-privileged) user can go, enter his/her login, see a list of the DB's where he/she has an account, enter a new password, click a checkbox (or -boxes), and have the web page call a <Choose-the-utility-here> routine to go out and update the user's password on the selected DBs.
I can do everything except get the DB update to work.
There's no daemon. This is intended to be an on-demand utility. There's a central server/instance that has definitions to all the DBs in the TNSNAMES.ORA file. From this DB I harvest the user logins nightly, to build the list to present to the user. I *know* I can connect, although to do the harvest I create a temporary database link, instead of using Java or whatever.
It's the silly step of changing the password. The problem is that the user may wait until after the p/w has expired, so they cannot log in. I found the OCINewPassword routine will do a password change even on an expired login. But ARG! This is the second (or is it third) method I've tried and they have all had one kind of issue or another.
Any more suggestions?
Thanks,
Mike
-----Original Message-----
From: Mladen Gogala [mailto:mladen_at_wangtrading.com]
Sent: Monday, February 23, 2004 12:21 PM
To: oracle-l_at_freelists.org
Subject: Re: Slightly OT: Java in the DB
Exactly what are you trying to do? For having a daemon (or demon,
for that matter) lurking in the darkness of the central server and
resetting expired passwords, the daemon needs to maintain a permanent
connection with sufficient privileges to change any user's password,
typically, a dba connection. If your DBA doesn't use profiles, with
the idle time limitation, you can have a permanently connected process
which would change password as soon as it was signalled to him. The
question is: what would the password be changed to? There are strings
which are extremely hard to guess (username, "qwerty", "password", "tiger")
and which would make your username secure. At one of my places of
work, I've witnessed the following story: a tech support expert leaves
a unix workstation logged in, as root, and goes home at 6 PM, when cleaning
ladies entered the office. One of the cleaning ladies had a 14-year-old
son who wanted to check the old joke with "rm -rf /". He found out
that it really does destroy everything on a unix system. Now, you are absent,
your password expires at 7 P.M. and there is an eager help desk person who
wants to test "drop tablespace FIN_DATA including contents and datafiles
cascade constraints" that he or she has seen written somewhere. I'll leave
the rest of the story to you.
--
Archives are at http://www.freelists.org/archives/oracle-l/
FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html

Received on Tue Feb 24 2004 - 09:55:02 CST
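
An added example, not code from the thread: the string Cary Millsap quotes, submitted as the "old password" to a password-change statement built by concatenation and to the same statement using bind parameters. Python's in-memory sqlite3 stands in for the admin database; the table, column and function names are hypothetical, and passwords are kept in clear only to keep the sketch short.

```python
import sqlite3

# The form input quoted in the thread.
PAYLOAD = "fake-password' OR 'x'='x"


def make_db():
    """Constructed sample data: two accounts in a hypothetical app_users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE app_users (login TEXT PRIMARY KEY, password TEXT)")
    db.executemany(
        "INSERT INTO app_users VALUES (?, ?)",
        [("bob", "bobs-old-pw"), ("susan", "susans-old-pw")],
    )
    return db


def passwords(db):
    """Current login -> password mapping, for inspecting the effect."""
    return dict(db.execute("SELECT login, password FROM app_users"))


def change_password_concat(db, login, old_pw, new_pw):
    """Vulnerable form: the web form's fields become part of the SQL text.

    With PAYLOAD as old_pw the WHERE clause reads
        login = 'bob' AND password = 'fake-password' OR 'x'='x'
    AND binds tighter than OR, so the condition is true for every row.
    """
    sql = (
        "UPDATE app_users SET password = '" + new_pw + "' "
        "WHERE login = '" + login + "' AND password = '" + old_pw + "'"
    )
    return db.execute(sql).rowcount  # number of rows changed


def change_password_bound(db, login, old_pw, new_pw):
    """Hardened form: values are passed as bind parameters.

    The quote characters in PAYLOAD are compared as data, so the
    old-password check fails unless the real old password is supplied.
    """
    sql = "UPDATE app_users SET password = ? WHERE login = ? AND password = ?"
    return db.execute(sql, (new_pw, login, old_pw)).rowcount


def compare():
    """Run both variants against fresh copies of the sample data."""
    results = {}
    for name, fn in (("concat", change_password_concat),
                     ("bound", change_password_bound)):
        db = make_db()
        changed = fn(db, "bob", PAYLOAD, "new-pw")
        results[name] = (changed, passwords(db))
    return results


if __name__ == "__main__":
    for name, (changed, state) in compare().items():
        print(f"{name}: rows changed = {changed}, table = {state}")
```

In the concatenated variant Bob's request rewrites Susan's row as well, which is the Bob/Susan case raised earlier in the thread; the bound variant changes nothing until the correct old password is given.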