Jdbc security control

Help me
Please can you help me with java policy file modifications?
I would like to use jdbc-odbc, but when I try to connect it says access denied.
Some code would be helpful.
Thanks

Hi !
I am facing a security problem with the jdbc-odbc bridge too. What permission should I set in the java.policy file so that a servlet can connect to the database via the jdbc-odbc bridge? When I give all permissions the servlet connects to the database easily, but when I restrict permissions it throws NoClassDefFoundException for sun.jdbc.odbc.JdbcOdbcDriver. Please, can anybody help and tell me the exact permission to set?

Similar Messages

  • System and security control panel

    Could someone with a W520 take a screenshot of the Lenovo apps in their "system and security" section of control panel please. I am doing a ground up install from bare Windows 7 to get rid of the preloaded SQL Server 2005 and adding back the programs I want.
    Just want to see what came preloaded.
    Thanks

    njb,
    Why not just run the ThinkVantage System Update and let it install as usual. You can also "un-check" those drivers that you don't want to install.
    *Non Lenovo employee*
    I have a Y2P (i5) ... Feel free to ping me if you want me to test some applications with your Y2P if you have the same model. I don't mind keep doing recovery on it if needed .... =)

  • Oracle Security - Controlling the 'alter user' privilege

    Hi,
    1. DB 10.1.0.5 and 10.2.0.3
    2. "Admin User" needs to be able to change some users passwords in database.
    3. Create user adminuser - grant alter user to adminuser.
    4. DBAs will grant "approle" role to list of required users. DBAs will maintain control of who gets this role.
    4. Create system trigger on alter database - will prevent "adminuser" from changing passwords for accounts not authorized - Script does not fire for DBAs and anyone changing their own password.
    The trigger works as intended - the "adminuser" account can only change the specific set of users.
    Question: We've discovered that the "adminuser" can also use the "alter user" privilege to change default tablespace and tablespace quota. User should only be able to change password.
    Anyone have ideas on adding to the trigger to make sure the "adminuser" is only altering the password?
    I am playing with the ora_is_alter_column system event, thinking that maybe the password column in user$ would be changed but so far I can't get this to work: Here is my trigger --
    CREATE OR REPLACE TRIGGER SYS.PASSWORD_CONTROL AFTER ALTER ON DATABASE
    DECLARE
      DBACHK varchar2(50);
      USRCHK varchar2(50);
    BEGIN
      BEGIN
        -- Ensure users can change their own passwords --
        IF ora_login_user = ora_dict_obj_name THEN
          RETURN;
        ELSE
          -- Do not apply trigger to DBA group --
          select grantee into DBACHK from dba_role_privs
           where granted_role='DBA' and grantee = ora_login_user;
          IF DBACHK = ora_login_user THEN
            RETURN;
          END IF;
        END IF;
      EXCEPTION
        WHEN NO_DATA_FOUND THEN
          NULL;
      END;
      BEGIN
        select grantee into USRCHK from dba_role_privs
         where granted_role='DISCUSR' and grantee = ora_dict_obj_name;
        IF ora_dict_obj_type = 'USER'
           and ora_dict_obj_name = USRCHK
           ---- Need to check that only the password is being changed -- the line below does not work
           and ora_is_alter_column('PASSWORD') = TRUE
        THEN
          RETURN;
        ELSE
          RAISE_APPLICATION_ERROR(-20003, 'You are not allowed to alter user.');
        END IF;
      EXCEPTION
        WHEN NO_DATA_FOUND THEN
          RAISE_APPLICATION_ERROR(-20003, 'You are not allowed to alter user.');
      END;
    END;

    user602453 wrote:
    > Ed, thank you for your reply. But, let me explain in more detail.
    More detail is always helpful. ;-)
    > A specific user has been assigned as the application administrator. This administrator is responsible for resetting application user passwords. The DBA (me) recognizes the DB security issues so I am trying to craft a solution that will allow the application administrator the ability to change only the password of the application users.
    I see that this may be out of your hands, but I'd still question the wisdom of having an apps administrator being the one to change user passwords. Especially if that were a model where the users couldn't change their own passwords. I might accept it if the app admin were acting more of a helper to a clueless user.
    > Since the only way to change user passwords is to grant the 'alter user' privilege I need a system trigger to keep the user from changing non-application user passwords. Also, because I support nearly 100 production databases that support about 35 different applications I need a solution that can apply to multiple databases. I've been assured that there will only be one administrator charged with resetting passwords.
    > So,
    > Given those requirements, I have this trigger that will allow the specific administrator to change the password of a specific set of users while not impacting DBAs or people wanting to change their own password. The way I've implemented this is to create a "dummy" role and assign the role to the application user. The trigger will allow the administrator to change the password only if the user has the role assigned. The role has no privileges, it is just a way to "mark" the user as an application user. The administrator cannot grant this "dummy" role, only the DBA can.
    > Hope that clears things up.
    I still see another problem in that it still comes back to the dba to create the apps user in the first place, and to assign that dummy role to the user. Also, I'd hope that this proposed apps admin user is a role assigned to a real user. If not, as I mentioned before, you have no real accountability to who is using that account. Simply saying "it shall not be shared", even if written in corporate policy, won't secure it, and you won't be able to trace it. Well, you could turn on auditing and capture the OS userid in the audit log.

  • ChaRM security control on action

    Hi,
    In the correction process, we have the Developer set a correction into 'in development' status and have the Change Manager set this correction into 'to be tested' status. There are two actions between status 'in development' and 'to be tested'. They are 'release transport requests' and 'pass to test'. However, security is not able to control down to the action level. It is only able to control the status level (with the authorization code for each of the statuses).
    Status 'in development'
        Release Transport Request
        Pass To Test
    Status 'to be tested'
    So, we have a situation where a developer has access to set 'in development', which allows them to create transports and tasks; however, they also have access to Release Transport Request. This is problematic due to our auto-scheduled import (every 15 minutes) from the dev to the qa environment.
    It appeared that the authorization will control the action leading to the status change - action to perform 'pass to test' will fail due to status change.
    This is the standard SAP out-of-the-box correction flow. How was it intended to be used?
    Thanks
    Kalven

    Hi,
    Thanks for sharing Note 1002541 - Extended authorization checks: Single tasks.
    According to the note, we have applied the following:
    Object Authorization /TMWFLOW/D (Task in Development Systems)
    --> Authorization field: /TWMFLOW/T
    --> Value: not to have 3000 (Release Transport Request)
    However, it still does not restrict access on the "Release Transport Request" action.
    Is anyone able to restrict the action of Release Transport Request under In Development status?
    Thanks,
    Kalven

  • Oracle 9.2 JDBC Security Issue

    I cannot establish an Oracle connection using Oracle 9.2 JDBC in an applet (linking against classes12.zip or classes12.jar).
    An application version of that applet works fine: the connection is established and I can select, insert, call PL/SQL procedures, etc...
    The applet version, however, fails to connect, and raise a Security exception with the following message:
    "java.util.PropertyPermission oracle.jserver.version read".
    Needless to say, the applet and the database are on the same server.
    Also, the security exception is not raised if I link my code against either classes111.zip or classes12.zip from an old Oracle 8.1.6 release: the applet connects OK.
    As I am currently developing an upgrade of this old Oracle 8.1.6 release to Oracle 9.2, I wish to profit from the improved features found in your new JDBC releases.
    Do you have any idea on how to fix the problem?
    Note: I am using Oracle 9.2 developer release for MAC OS X, which otherwise works perfectly well for my purposes.
    Thank you

    Hello,
    Can you provide a test case for such behaviour? And the versions of JDK used in those samples ....
    It would be easier if we isolate java 1.5 issues from ojdbc issues.
    Rick B.

  • Security Control on Payment Medium File

    Hi! Experts,
    Currently, our Auditor has a question :
    Data Medium Exchange file is first created for Vendor/Employee payments. Before Finance/HR staff transmit the files to the Bank, how to make sure the DME file is not appended/modified (especially as BASIS/DBA/TECHNICAL people have Super access, they can use SQL to modify the content of the file, to delete the change log...)?
    Would you mind sharing your control process with me ? Thanks.

    Hi,
    Please check the DME file encryption thread for your needs:
    DME file encryption
    Regards,
    Santosh

  • JDBC security in JSP

    Hi,
    I would like to clear a String from possible hostile SQL-commands that might exist in the String. The reason is that I get login and pw from the user (with request.getParameter) and then use that text in order to search my database for matches. So how do I get rid of all SQL-commands in the string?
    It's a rather serious security-breach...

    True, you can never be too security conscious where a webapp is concerned but PreparedStatements help:
    PreparedStatement s = con.prepareStatement("SELECT gid FROM users WHERE id=? AND pw=?");
    s.setString(1, id);
    s.setString(2, pw);
    // A SELECT returns rows, so run it with executeQuery(), not executeUpdate()
    ResultSet rs = s.executeQuery();
    And then a client passes:
    blub OR 1=1
    fuff OR 2=2
    will be executed as:
    SELECT gid FROM users WHERE id='blub OR 1=1' AND pw='fuff OR 2=2'
    ..as the setString() method also adds the single quotes.
    However what you point out may be a possibility (?) for setInt() method so I guess we should be careful when using 2 setInt()'s in the same call..
    HTH
    Mike.
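
The parameter binding described in the reply above, as an added example that is not part of the original thread. It uses Python's built-in sqlite3 in place of JDBC so that it runs without a database server (the `?` placeholders play the role of `setString()`); the table rows and the last two inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory table shaped like the one in the post (constructed sample rows).
    pw is stored as plain text only to mirror the post's query."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id TEXT, pw TEXT, gid INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("alice", "s3cret", 10), ("o'brien", "hunter2", 20)])
    return con

def lookup_concat(con, uid, pw):
    """'Before' form: request values are spliced into the SQL text itself."""
    sql = "SELECT gid FROM users WHERE id='" + uid + "' AND pw='" + pw + "'"
    return [row[0] for row in con.execute(sql)]

def lookup_bound(con, uid, pw):
    """Bound form: the statement text is fixed; values travel separately as data."""
    sql = "SELECT gid FROM users WHERE id=? AND pw=?"
    return [row[0] for row in con.execute(sql, (uid, pw))]

def run_cases():
    """Run both lookups over the same inputs and collect what each returns."""
    con = make_db()
    cases = {
        "valid": ("alice", "s3cret"),
        # The two strings quoted in the post
        "post_input": ("blub OR 1=1", "fuff OR 2=2"),
        # Constructed: a value carrying its own quote characters
        "quote_tautology": ("x' OR '1'='1", "x' OR '1'='1"),
        # Constructed: a legitimate name that happens to contain an apostrophe
        "apostrophe_name": ("o'brien", "hunter2"),
    }
    results = {}
    for name, (uid, pw) in cases.items():
        try:
            concat = lookup_concat(con, uid, pw)
        except sqlite3.OperationalError as exc:
            # The spliced quote broke the statement's syntax
            concat = "error: " + str(exc)
        results[name] = {"concat": concat, "bound": lookup_bound(con, uid, pw)}
    return results

if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(name, outcome)
```

With concatenation a quote inside the value changes the statement's structure (every row matches, or the query fails to parse); with bound parameters the same values are only ever compared as literal strings.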

  • PDF Security Control

    In Photoshop I can create PDF presentations that are copy protected. Is there anyway to do this in Lightroom?

    No, not that I know of.
    Alexander.
    Canon EOS 400D (aka. XTi) • 20" iMac Intel • 12" PowerBook G4 • OS X 10.4 • LR 1 • PSE 4

  • How to handle transaction control--- in the dbms query or in JDBC? or BOTH?

    Hi all,
    We have a servlet application which does inserts and updates to a few Sybase tables. So far we don't have any transaction management control in either the stored procedure or the JDBC call. I'd like to know where we should enforce this control logic: in both places, or is either one enough?
    thanks!!

    > According to your answer, is it safe to say that we should NOT handle transaction control in both query and JDBC call? I am on the side of JDBC program control. However our manager feels that if we handle it in two places, we could be more error-proof. I don't know how to convince him that only one place could make it work.
    Double your rollbacks double your fun! Odd that a manager is getting involved at this level...
    Providing transaction control at both places, as a rule makes absolutely no sense at all (to me). I actually believe that this would be far more error-prone (not error-proof). It's really a logistics issue. When you are working on the Java code, you won't have the stored procedure(s) code right there. While you may design it masterfully at first, as maintenance occurs, the mastery can easily be lost as assumptions are made on when and where commit or rollback processing is going to take place. The end result would be a system that could easily corrupt the logical integrity of the database.
    If you have to make a decision up front, and you believe performance will ultimately be a concern, then your decision should be to handle transaction management within the stored procedure(s). However, this decision will make the stored procedures far more complex than what the DBA or application staff is familiar with. You would also have to take some care to release resources as appropriate within the Java code.
    If you decide to manage transactions within JDBC, it is possible that you will have to move a portion of transaction management to one or two of the stored procedures. This would be a 'fix' for a poorly performing functionality, and you would simply take care to limit this as much as possible.
    I wish I could guide you specifically, but I'm working at 20,000 feet related to your specific application needs.

  • Activex view/print control downloads

    Currently running SAP Business Objects Enterprise XI R2 in a production environment. We have installed and are testing Enterprise 3.1 and will in all likelihood move this new version into production this upcoming weekend (7/17) and shut down XI R2.
    I would love it if someone could PLEASE explain what triggers the whole activex view and print control downloads. This has to be the most frustrating thing with BO product.
    Here's the deal. Sometimes it prompts for download, sometimes it does not. Yes, all the activex security controls and plug-in settings are activated properly (ie: prompting for activex download are either enabled or set to prompt). We have a fair number of users who do NOT have local admin rights on their PCs so we were worried we'd have to figure out how to push out the controls. Yet, in testing 3 separate machines (using the new 3.1 release), none of them got prompted for downloads and they were still able to view and/or print reports using activex. I was led to believe that with the new release (3.1), it would be like viewing or printing for the first time and download/install of activex controls would be required. Is that bad information? Does it use the 11.5 activex add-ons that are already installed for the current production system instead?
    Bottom line, I have seen it prompt on some machines and not on others. All machines are actively using the XI R2 production system also. I just have them use a different link to test the 3.1 release. So, what triggers the request for download? Why do some users get the prompt and others don't?

    Why are you doing this with BO4 just released?
    The issue of ActiveX depends on:
    the version of IE
    the settings for downloading ActiveX
    whether the ActiveX download has already happened
    some of these may already be on web sites used have already downloaded (nothing to do with CR)

  • Does anyone have any information regarding securing data.

    I want to secure data to assure that each department can only view their own PO's, req's, invoices and payments. Can anyone provide or direct me to the documentation on this? Thank you for any help.

    Hi,
    You can try using security hierarchy or other appropriate document security control, but I'm afraid it only works for purchasing document
    One way is to separate the OU, but that would take an implementation and maintenance effort
    Gerry

  • How to control the download permissions in UCM.11g

    In UCM, about the download file permissions.
    For example, a project manager can download, ordinary employees can't download.
    How to realize the function?

    If I got your requirement, I think you are looking for something outside a DMS system (like UCM).
    DMS, as backend systems, can only control access to the file. Once a user has at least 'R'(Read) access, the file is provided to a front-end client application, being it a web browser for web-viewable files, or desktop apps for native files. There, the backend systems have no controls. Oracle has a solution to provide security control over content also at client machines. It is called Information Rights Management (IRM). However, see this support note concerning this product: https://support.oracle.com/epmos/faces/DocumentDisplay?id=1407453.1

  • Ask the Expert: Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)

    With Namit Agarwal and Rahul Govindan 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features) with experts Namit Agarwal and Rahul Govindan.
    This is a continuation of the live webcast.
    Cisco ASA CX (Context-Aware) is a next generation firewall service that serves as an extension to the Cisco Adaptive Security Appliance (ASA) firewall platform. In addition to the proven stateful inspection firewall capabilities, it provides us with next-generation capabilities and a host of additional network-based security controls for end-to-end network intelligence and streamlined security operations.
    Namit Agarwal is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has more than four years of experience in the security domain. His areas of expertise include ASA firewalls, IPS, and ASA content-aware security (ASA CX). He has been involved in various escalation requests from around the world. He holds CCIE certification (number 33795) in security.   
    Rahul Govindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN; Cisco ASA firewalls; and authentication, authorization, and accounting. His particular expertise is in Secure Sockets Layer VPN and IP security VPN technologies. He holds CCIE certification (number 29948) in security.
    Remember to use the rating system to let Namit and Govindan know if you have received an adequate response. 
    Because of the volume expected during this event, Namit and Govindan might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity VPN shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
    Webcast related links:
    Slides from the live webcast
    Video Recording of the live webcast
    Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features): FAQ from live webcast

    Hello Namit and Rahul,
    Here are a few questions that came in directly during your live webcast, hence posting them here so that users can benefit:
    1)      How is ASA CX different from other UTM solutions ?
    2)      How is dynamic application inspection of CX better than other inspection engines  ?
    3)      What features or functionalities on the CX are available by default ?
    4)      What are the different ways we can run or install CX on the ASA platform ?
    5)      What VPN features are supported with multi context ASA in the 9.x release ?
    6)      What are the IPv6 Enhancements in the ASA version 9.x ?
    Request you to please provide your responses to them individually.
    Thanks.

  • Wireless Security Solution

    I have heard a lot of talk about Wireless Security. And have at least a working knowledge of the two possible solutions, VPN and EAP. However, how to choose the best possible solution? VPN is expensive and still leaves me vulnerable to Impersonation attacks. EAP is cheaper but nonetheless leaves me vulnerable to Brute Force attacks. Of course the chances of someone walking into our building(s) and stealing a laptop with VPN software on it are probably greater than any of the aforementioned threats. I guess what I'm looking for is a "voice from above" to guide me on which solution I can take to my superiors and say "This is what we are going to do" and why solution X is better than solution Y.
    Thanks!
    STU...

    Stu,
    VPN vs WLAN: To what degree do you want to geographically control access? If WLAN is attractive because you’re looking at a LAN bridging solution, then VPN is over-kill. But if the distances are great (connecting from home) WLAN is out. In WLAN terms how big is your proposed "cell" (800m) or is the reach of users measured in miles? I can share with you an outline of WAP security controls for WLAN if what you’re leaning toward is a LAN-bridging solution. That should help you get your arms around security for a Cisco-centric WLAN solution. I do security 100% of the time, and I just finished due-diligence for WAP WLAN bridging.
    -Mark

  • Security mechanism

    Hi Jhs team:
    We are planning on using "oracle single sign-on" with "programmatic Dynamic Role Based Authorization" as our security control mechanism.
    The example in jhs_tutorial_3.pdf uses the Struts-Uix architecture and wraps the Jhsuser object through the ValidateLoginUser Action,
    so, corresponding to our architecture, if we are using SSO, what is the best practice for where to put the code that wraps the Jhsuser object?

    Ting Rung,
    See my reply on your other post about getting the username in an entity object.
    Steven Davelaar.
    JHeadstart Team.
