[Babase] Re: Ranker security problems

Lacey Maryott lacey.maryott at duke.edu
Mon Sep 24 08:34:46 EDT 2007


Hi all,
   I tested ranker this morning, and this is the message I got.  I 
removed the 'vpn' and checked the SSL box, and used my papio user info.  
No Dice :( Sorry!

"Fatal: role '*my username*' does not exist"

Lacey

Jun Yang wrote:
> Hi Karl:
>
> Thanks!  I am currently traveling (returning on October 1), but
> managed to find an Internet connection to make the changes you
> suggested below. (BTW, the code on papio is at
> /home/junyang/ranker/BabaseRanker-1.0/)
>
> The version has now been deployed, but I cannot test it.  Lacey, can
> you give the new version a try?
>
> Thanks,
>
> --- Jun Y.
>
> On 9/20/07, Karl O. Pinc <kop at meme.com> wrote:
>   
>> On 09/02/2007 06:05:19 PM, Karl O. Pinc wrote:
>>     
>>> On 08/31/2007 08:20:05 PM, Jun Yang wrote:
>>>       
>>>> How are we going to resolve this problem?  This doesn't seem to be
>>>> something I could fix in the ranker code---sounds more like a setup
>>>> issue on papio?
>>>>         
>>> Papio is set up for the simplest possible SSL connection,
>>> no certificate at all is required.
>>>       
>> The problem is that the jdbc library used by the ranker
>> assumes the use of a certificate.  For how to prevent this see:
>>
>> Using SSL without Certificate Validation
>> http://jdbc.postgresql.org/documentation/81/ssl-client.html#nonvalidating
>>
>> Appended is a patch to BabaseRanker/babase/ranker/Database.java.
>> This probably fixes the problem, but I didn't test it.
>> In fact I've not yet figured out how to compile it or
>> put it in a jar file, so there could be something grossly wrong.
>>
>> Something that's surely wrong is that the code is from Tyler's
>> old ranker version found at:
>> https://papio.biology.duke.edu/babasewiki/RankerProgram?action=AttachFile
>> in the currentbabase.zip file.
>>
>> I think it'd be a good idea to put the new code on papio somewhere.
>>
>> Note that the patch has tabs in it, and these will probably
>> be munged by inclusion in an email.
>>
>> Karl <kop at meme.com>
>> Free Software:  "You don't pay back, you pay forward."
>>                   -- Robert A. Heinlein
>>
>> ----------<snip>----------------
>>
>> --- Database.java       2007-05-17 00:30:42.000000000 -0500
>> +++ Database.java.new   2007-09-20 17:03:35.000000000 -0500
>> @@ -63,7 +63,14 @@
>>          * @throws SQLException if it cannot connect
>>          */
>>         public void connect(String user, String pass, String db) throws
>> SQLException {
>> -               myConnection =
>> DriverManager.getConnection("jdbc:postgresql://172.16.3.1:5432/"+db,
>> user, pass);
>> +               String url =
>> "jdbc:postgresql://papio.biology.duke.edu:5432/"+db;
>> +               Properties props = new Properties();
>> +               props.SetProperty("user", user);
>> +               props.SetProperty("password", pass);
>> +               /* Connect with ssl, but without a certificate. */
>> +               props.SetProperty("ssl", true);
>> +               props.SetProperty("sslfactory",
>> "org.postgresql.ssl.NonValidatingFactory");
>> +               myConnection = DriverManager.getConnection(url, props);
>>                 myConnectionStatus = true;
>>                 myDB = db;
>>         }
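
Review bot: The added lines in connect() will not compile as written: the java.util.Properties method is setProperty (lower-case s), not SetProperty, and it takes two String arguments, so props.SetProperty("ssl", true) needs to become props.setProperty("ssl", "true"). The hunk also uses Properties without showing an import, so check that Database.java imports java.util.Properties. On the comment "Connect with ssl, but without a certificate": org.postgresql.ssl.NonValidatingFactory skips certificate validation, so the connection is encrypted but the client does not verify that the server it reached is papio. I would say that in the comment so the trade-off is visible to whoever maintains this code.
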
>>
>>
>>     
> _______________________________________________
> Babase mailing list
> Babase at www.eco.princeton.edu
> http://www.eco.princeton.edu/mailman/listinfo/babase
>
>   

-- 
Lacey Maryott
Alberts Lab
Department of Biology
Duke University
ph: 919-660-7306
fax: 919-660-7293
Lacey.Maryott at duke.edu 
