473,735 Members | 7,561 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Clear text passwords and Oracle - arrrrrrgh - please help!


I am working on a mobile application that consists of a number of handheld
scanners, an Xml Web service and an Oracle 9i database in a highly secure
environment. The .Net Compact Framework application running on the scanners
executes Web service methods, which in turn execute Oracle database
functions. The Web service and the Oracle database are running on separate
servers. The Web service uses the Microsoft OLE DB driver for Oracle.

The Web.config file contains a connection string in the <Appsettings>
section that includes the Oracle username and password. The application
simply reads this connection string and uses it internally to create a
connection object. The idea is that we can't afford to expose these
credentials in the connection string, because the firewall is reporting a
security violation when the application runs.

I am wondering what the best alternative is, if any. Preventing the username
and password travelling down the wire from the Web server to the Oracle
server is the main requirement, and preferably the DBA will have the option
of changing the Oracle account details (ie a different username and
password) at any time, therefore it would be preferable not to have the
ASP.Net worker process (ASPNET) as the Oracle user. I'm assuming that this
means that they want SQL Authentication and it therefore rules out Windows
Authentication. Please let me know if I *can* still use Windows
Authentication under these circumstances.

I have played with the idea of using Impersonation but I understand that it
cannot be used if the Oracle server is on a separate box to the Web server
and also that connection pooling will be affected, which we can't afford.

Can anyone please let me know if I can use either Windows Authentication or
a Trusted Connection to provide a solution in these circumstances, or
anything else!

If I can use Windows Authentication with a Web.config entry <authenticati on
mode="Windows" >, how can I allow the DBA to change the username/password,
if indeed I can have a user other than ASPNET, without having a major impact
on the system?

If I can use a Trusted connection with a connection string something like
"Data Source=MyOracle DB;Integrated Security=yes;" where do I specify the
Oracle username/password?

Preferably there will be no need for a code change if the DBA decides to
change the Oracle username.

Are there any alternatives, such as encryption, programmatic security or
other forms of authentication?

Please help, I am getting desperate! Many thanks.

Nov 19 '05 #1
0 1711

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

by: cppdev | last post by:
Hi All! I want to clear the string contents from sensitive information such as passwords, and etc. It's always a case that password will appear as string at some point or another. And i feel uneasy leaving it hanging in memory indefinitely (especially in case when string is Interned). So at leats for the case when string is not interned i propose:
by: ecPunk | last post by:
Hi, We have a web application where we want a user to be able to change his/her password if the password has expired but we are unable to do this with ASP (at the moment) because we can't log the user into the database without a valid password. We do not want to store any "admin" user info to connect to the database to change the users password for security issues. Does anyone have any ideas of how we could go about doing this? Any...
by: rishka | last post by:
Rishka Mar 17, 5:40 am show options Newsgroups: comp.databases.oracle.tools From: "Rishka" <ris...@webmail.co.za> - Find messages by this author Date: 17 Mar 2005 05:40:45 -0800 Local: Thurs, Mar 17 2005 5:40 am Subject: Read Text file into Oracle Reports Reply | Reply to Author | Forward | Print | Individual Message | Show original | Remove | Report Abuse
by: John Hall | last post by:
We are using Visual Web Developer 2005 Express and the ASP.NET administration tool to create users. After we implemented <asp:passwordrecovery ... /> new passwords are emailed to the user instead of the original one. I guess if we save them in clear text instead of hashed, we can be emailed the original password. Question: How to have the ASP.NET administration tool and the asp:createUserWizard control to use only clear text passwords so we...
by: JMG | last post by:
Hi All, I have no idea if this is the correct place to post this question, but I'm hoping so :). My problem is that I have a text file containing 5 sets of passwords on a single line space delimited line, which is used to change passwords on a daily basis via DOS batch files (don't get me started on why we have to do it this way, we just do...>:) ) ie Monpassword Tuepassword Wedpassword Thurpassword Fripassword in passwords.txt
by: ldpfrog | last post by:
This is my first tutorial, so if there are any mistakes please forgive me =). This will show you a very simple way to read your Login information from an outside text file. What you need: 1. Add a new "Login Dialog" form to your project. 2. Completely erase the code inside of it, but keep the interface. 3. Create a text file listing your usernames and passwords one line after the other. Your text file should look like this (without...
by: postmanpat | last post by:
i have to create a login form that validates the users and passwords from a text file. I have another function that can add new users and passwords by writing to a test file split by a delimiter. But i dont know how to read from the text file and validates one user one by one when i key in in the login form. the example format of the text file: peter|123 jane|789 hunter|007...left is the username and password is on the right. i dont need sql...
by: Ruslan A Dautkhanov | last post by:
Hello ! I'm about to install O9i on FreeBSD box. uname -a: FreeBSD stat2.scn.ru 5.2.1-RELEASE-p3 FreeBSD 5.2.1-RELEASE-p3 #2: Fri Apr 23 19:19:43 KRAST 2004 rd@stat2.scn.ru:/usr/src/sys/i386/compile/RDSTAT2-ORACLE i386 uname -a under oracle user : Linux stat2.scn.ru 2.4.2 FreeBSD 5.2.1-RELEASE-p3 #2: Fri Apr 23 19:19:43 KRAST 2004 i686 unknown
by: John | last post by:
Hi. I have a number of batch jobs that are ran nightly on our Windows 2000 based Oracle 8.1.7 (soon to be 9i) server. I have these designed just right, so the Windows Scheduled Tasks runs them and then a parser goes through the output and, in case of errors, sends me a page... The database is our financial system which requires users to login using Oracle based user ID / Password.
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.