[Babase] Re: Ranker security problems

Karl O. Pinc kop at meme.com
Mon Sep 24 10:11:48 EDT 2007


On 09/24/2007 07:34:46 AM, Lacey Maryott wrote:
> Hi all,
>   I tested ranker this morning, and this is the message I got.  I  
> removed the 'vpn' and checked the SSL box, and used my papio user  
> info.  No Dice :( Sorry!
> 
> "Fatal: role '*my username*' does not exist"


This at least looks easy to solve.  The problem probably is that
there is no props.SetProperty(); it should be props.setProperty().

:-(

(I'd have thought the compiler would catch
this kind of error, but then I'm not a java guy.)


> 
> Lacey
> 
> Jun Yang wrote:
>> Hi Karl:
>> 
>> Thanks!  I am currently traveling (returning on October 1), but
>> managed to find an Internet connection to make the changes you
>> suggested below. (BTW, the code on papio is at
>> /home/junyang/ranker/BabaseRanker-1.0/)
>> 
>> The version has now been deployed, but I cannot test it.  Lacey, can
>> you give the new version a try?
>> 
>> Thanks,
>> 
>> --- Jun Y.
>> 
>> On 9/20/07, Karl O. Pinc <kop at meme.com> wrote:
>> 
>>> On 09/02/2007 06:05:19 PM, Karl O. Pinc wrote:
>>> 
>>>> On 08/31/2007 08:20:05 PM, Jun Yang wrote:
>>>> 
>>>>> How are we going to resolve this problem?  This doesn't seem to be
>>>>> something I could fix in the ranker code---sounds more like a setup
>>>>> issue on papio?
>>>>> 
>>>> Papio is set up for the simplest possible SSL connection;
>>>> no certificate at all is required.
>>>> 
>>> The problem is that the jdbc library used by the ranker
>>> assumes the use of a certificate.  For how to prevent this see:
>>> 
>>> Using SSL without Certificate Validation
>>> http://jdbc.postgresql.org/documentation/81/ssl-client.html#nonvalidating
>>> 
>>> Appended is a patch to BabaseRanker/babase/ranker/Database.java.
>>> This probably fixes the problem, but I didn't test it.
>>> In fact I've not yet figured out how to compile it or
>>> put it in a jar file, so there could be something grossly wrong.
>>> 
>>> Something that's surely wrong is that the code is from Tyler's
>>> old ranker version found at:
>>> https://papio.biology.duke.edu/babasewiki/RankerProgram?action=AttachFile
>>> in the currentbabase.zip file.
>>> 
>>> I think it'd be a good idea to put the new code on papio somewhere.
>>> 
>>> Note that the patch has tabs in it, and these will probably
>>> be munged by inclusion in an email.
>>> 
>>> Karl <kop at meme.com>
>>> Free Software:  "You don't pay back, you pay forward."
>>>                   -- Robert A. Heinlein
>>> 
>>> ----------<snip>----------------
>>> 
>>> --- Database.java       2007-05-17 00:30:42.000000000 -0500
>>> +++ Database.java.new   2007-09-20 17:03:35.000000000 -0500
>>> @@ -63,7 +63,14 @@
>>>          * @throws SQLException if it cannot connect
>>>          */
>>>         public void connect(String user, String pass, String db)  
>>> throws
>>> SQLException {
>>> -               myConnection =
>>> DriverManager.getConnection("jdbc:postgresql://172.16.3.1:5432/"+db,
>>> user, pass);
>>> +               String url =
>>> "jdbc:postgresql://papio.biology.duke.edu:5432/"+db;
>>> +               Properties props = new Properties();
>>> +               props.SetProperty("user", user);
>>> +               props.SetProperty("password", pass);
>>> +               /* Connect with ssl, but without a certificate. */
>>> +               props.SetProperty("ssl", true);
>>> +               props.SetProperty("sslfactory",
>>> "org.postgresql.ssl.NonValidatingFactory");
>>> +               myConnection = DriverManager.getConnection(url,  
>>> props);
>>>                 myConnectionStatus = true;
>>>                 myDB = db;
>>>         }
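Review bot: the four `props.SetProperty(...)` calls in the added lines will not compile as written: `java.util.Properties` has `setProperty(String, String)` (lower-case s) and no boolean overload, so `props.SetProperty("ssl", true)` needs to become `props.setProperty("ssl", "true")`, and the `user`, `password` and `sslfactory` lines need the same method-name fix. The comment `/* Connect with ssl, but without a certificate. */` also understates what `org.postgresql.ssl.NonValidatingFactory` does: the link is encrypted, but the server's certificate is not checked, so the client cannot distinguish papio from a host impersonating it; the comment should say that, and the setting is best treated as a stop-gap until the server's certificate (or its CA) can be distributed to the ranker's users.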
>>> 
>>> 
>>> 
>> 
>> 
> 
>-- 
> Lacey Maryott
> Alberts Lab
> Department of Biology
> Duke University
> ph: 919-660-7306
> fax: 919-660-7293
> Lacey.Maryott at duke.edu
> 

Karl <kop at meme.com>
Free Software:  "You don't pay back, you pay forward."
                  -- Robert A. Heinlein
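As an added example, not code from the ranker or from anyone in this thread: a connect routine that applies the fix Karl describes (lower-case setProperty, and String values, since Properties.setProperty takes two Strings) and places the NonValidatingFactory setting from the patch beside the server-verifying alternative that the pgjdbc driver offers through sslmode. The host name and port come from the thread; the class name, user name and CA certificate path are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

/** Added example, not the ranker's own Database.java. */
public class SslConnect {

    /** Host and port from the thread; the database name is supplied by the caller. */
    static final String URL_PREFIX = "jdbc:postgresql://papio.biology.duke.edu:5432/";

    /**
     * Properties.setProperty(String, String) takes two Strings, so the ssl flag is the
     * string "true", not the boolean true, and the method is lower-case setProperty.
     *
     * rootCert == null reproduces the patch: the connection is encrypted, but the
     * server's identity is never checked, so a host on the network path could pose as
     * papio. A path to the server's CA certificate (an assumed local file) instead
     * selects sslmode=verify-full, which checks the certificate chain and host name.
     */
    static Properties sslProperties(String user, String pass, String rootCert) {
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", pass);
        props.setProperty("ssl", "true");
        if (rootCert == null) {
            // Same effect as the patch: encryption only, no server authentication.
            props.setProperty("sslfactory", "org.postgresql.ssl.NonValidatingFactory");
        } else {
            // Encryption plus server authentication (requires a driver that knows sslmode).
            props.setProperty("sslmode", "verify-full");
            props.setProperty("sslrootcert", rootCert);
        }
        return props;
    }

    /** Opens the connection; with rootCert == null this matches the patched connect(). */
    static Connection connect(String user, String pass, String db, String rootCert)
            throws SQLException {
        return DriverManager.getConnection(URL_PREFIX + db, sslProperties(user, pass, rootCert));
    }

    public static void main(String[] args) {
        // No database needed here: show what each configuration hands to the driver.
        System.out.println("patch-equivalent: " + sslProperties("lacey", "<password>", null));
        System.out.println("verified:         "
                + sslProperties("lacey", "<password>", "/etc/ssl/certs/papio-ca.crt"));
    }
}
```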


