Re: JDBC connection using externally identified user

  • From: Dan Norris <dannorris@xxxxxxxxxxxxx>
  • To: pjhoraclel@xxxxxxxxx, oracle-l <oracle-l@xxxxxxxxxxxxx>
  • Date: Fri, 26 Oct 2007 05:28:23 -0700 (PDT)

remote_os_authent=false should be a hidden parameter IMHO. When 
remote_os_authent=true, consider this scenario:

1. You set this parameter in your DB
2. I create a user on my desktop (or, if I lack privs on my desktop, install 
VMWare Server, install a guest OS and create a user in that) that matches the 
OS-authenticated username in your DB
3. I can login to your DB with that OS-authenticated user even though I'm not 
on your application server or DB server.

remote_os_authent should be banned forever. Even a non-hacker like me can 
figure out how to exploit it, so it must be easy!

So, it may work, but I suggest that you don't want it to work since the 
consequences may be great.

Dan

----- Original Message ----
From: Peter Hitchman <pjhoraclel@xxxxxxxxx>
To: oracle-l <oracle-l@xxxxxxxxxxxxx>
Sent: Friday, October 26, 2007 4:13:46 AM
Subject: Re: JDBC connection using externally identified user


Hi,
I hit the same issue and after I allowed the database to allow remote OS 
authentication this worked in 10.2.0.3:

import java.sql.Connection;
import java.sql.SQLException;
import oracle.jdbc.pool.OracleDataSource;

class testcon {

    public static void main(String args[]) throws SQLException {

        OracleDataSource ods = new OracleDataSource();
        String url = "jdbc:oracle:oci:@<YOUR_SID>";
        ods.setURL(url);
        // Empty user and password: the OCI driver hands the client's OS
        // username to the database, which then authenticates the
        // externally identified user
        ods.setUser("");
        ods.setPassword("");

        Connection conn = ods.getConnection();
        // ... use the connection ...
        conn.close();
    }
}

Using the DriverManager it can look like this:

// ... earlier setup ...
DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver());
// "/" in the user position means "authenticate as the current OS user"
Connection conn = DriverManager.getConnection("jdbc:oracle:oci:/@<YOUR_SID>");
// ... use the connection ...

Regards

Pete
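As an added defensive check (not code from either poster), the queries below let a DBA confirm whether the scenario Dan describes applies to Pete's setup: they report the remote_os_authent and os_authent_prefix settings, list the externally identified accounts a spoofed OS username could map to, and show which current sessions were OS-authenticated and from which machine. They assume 10g-era dictionary views (v$parameter, dba_users, dba_role_privs, v$session, v$session_connect_info) and a session with SELECT access to them.

```sql
-- Added audit, not from the thread. Run as SYSDBA or a user with
-- SELECT on the views below.

-- 1. Is remote OS authentication enabled, and what prefix do OS names get?
--    remote_os_authent = TRUE is the dangerous setting; os_authent_prefix
--    (default OPS$) shows which database usernames an OS username maps to.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'os_authent_prefix');

-- 2. Which accounts are IDENTIFIED EXTERNALLY (i.e. reachable by OS name),
--    and how much has each been granted? dba_users.password reads
--    'EXTERNAL' for such accounts.
SELECT u.username,
       u.account_status,
       (SELECT COUNT(*)
          FROM dba_role_privs r
         WHERE r.grantee = u.username) AS roles_granted
  FROM dba_users u
 WHERE u.password = 'EXTERNAL'
 ORDER BY u.username;

-- 3. Who is connected right now through OS authentication, and from where?
--    A MACHINE that is neither the database host nor the application server
--    is exactly the case Dan describes.
SELECT s.sid, s.username, s.osuser, s.machine, s.program
  FROM v$session s
 WHERE s.username IS NOT NULL
   AND EXISTS (SELECT 1
                 FROM v$session_connect_info c
                WHERE c.sid = s.sid
                  AND c.authentication_type = 'OS');

-- 4. Remediation. remote_os_authent is a static parameter, so the change
--    is written to the spfile and takes effect at the next restart.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
```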