Is all these correct? Password mismatch problem~~

Posted By:   rume_box
Posted On:   Thursday, October 3, 2002 07:10 PM


Hi,

I'm currently in the development of my company intranet using JSP. Quite a beginner though. I have already set up a connection pool using jdbc:oracle:thin. When the server starts, connections are available to the intranet users.

The connection pool was set up through my own user account id and password in Oracle sys.user$ table.



Right now, I wish to do a login page. A user must proceed to login first before entering the intranet. All the user accounts are being stored in the sys.user$ table of Oracle. When a user enters his username and password, a servlet will do the check by retrieving all the usernames and passwords from sys.user$ and try to match them.

However, the password in sys.user$ is in an encrypted form.

example:

PASSWORD

------------------------------

7EF2862F16A1DD88



Hence, the password will not match, as 7EF2862F16A1DD88 is returned to the servlet instead of the original password.


Am I doing the correct thing?

How do I solve this? It's urgent... Thanks in advance...


Re: Is all these correct? Password mismatch problem~~

Posted By:   Christopher_Koenigsberg  
Posted On:   Friday, October 4, 2002 07:03 AM

Am I doing the correct thing?



No.



Are you sure you want a one-to-one correspondence, between database user accounts, and Web user accounts?



A connection pool, by definition, only uses one single database user account. Are you going to then have a separate connection pool for each of your users? (obviously not)



Oracle's own password encryption and storage is intended for comparing internally by Oracle's own login mechanism, when someone logs in to the database as a db user. I don't think (I could be wrong) it's intended as an API where you would externally validate entered passwords yourself, against the encrypted ones that Oracle maintains internally.



But, if you have to validate entered passwords against an encrypted version, you'll have to perform the encryption yourself and compare the result. (I just don't think you can do this with Oracle, unless you actually take the entered password and try logging in to the database as the db user, but then you've got another db connection, one for each Web login, no connection pooling, etc. and you might as well just let everybody run SQLPlus themselves or something...)



Generally Web applications have their own set of Web user accounts. These are maintained in some database tables but are not the same as database user accounts. You store the Web passwords in your own table with your own encryption scheme so you can control it for authentication, for validating entered passwords.
