[Babase] Re: Ranker security problems

Karl O. Pinc kop at meme.com
Thu Sep 20 18:21:21 EDT 2007


On 09/02/2007 06:05:19 PM, Karl O. Pinc wrote:
> 
> On 08/31/2007 08:20:05 PM, Jun Yang wrote:
>> How are we going to resolve this problem?  This doesn't seem to be
>> something I could fix in the ranker code---sounds more like a setup
>> issue on papio?
> 
> Papio is set up for the simplest possible SSL connection,
> no certificate at all is required.

The problem is that the jdbc library used by the ranker
assumes the use of a certificate.  For how to prevent this see:

Using SSL without Certificate Validation
http://jdbc.postgresql.org/documentation/81/ssl-client.html#nonvalidating

Appended is a patch to BabaseRanker/babase/ranker/Database.java.
This probably fixes the problem, but I didn't test it.
In fact I've not yet figured out how to compile it or
put it in a jar file, so there could be something grossly wrong.

Something that's surely wrong is that the code is from Tyler's
old ranker version found at:
https://papio.biology.duke.edu/babasewiki/RankerProgram?action=AttachFile
in the currentbabase.zip file.

I think it'd be a good idea to put the new code on papio somewhere.

Note that the patch has tabs in it, and these will probably
be munged by inclusion in an email.

Karl <kop at meme.com>
Free Software:  "You don't pay back, you pay forward."
                  -- Robert A. Heinlein

----------<snip>----------------

--- Database.java	2007-05-17 00:30:42.000000000 -0500
+++ Database.java.new	2007-09-20 17:03:35.000000000 -0500
@@ -63,7 +63,14 @@
  	 * @throws SQLException if it cannot connect
  	 */
  	public void connect(String user, String pass, String db) throws  
SQLException {
-		myConnection =  
DriverManager.getConnection("jdbc:postgresql://172.16.3.1:5432/"+db,  
user, pass);
+		String url =  
"jdbc:postgresql://papio.biology.duke.edu:5432/"+db;
+		Properties props = new Properties();
+		props.SetProperty("user", user);
+		props.SetProperty("password", pass);
+		/* Connect with ssl, but without a certificate. */
+		props.SetProperty("ssl", true);
+		props.SetProperty("sslfactory",  
"org.postgresql.ssl.NonValidatingFactory");
+		myConnection = DriverManager.getConnection(url, props);
  		myConnectionStatus = true;
  		myDB = db;
  	}
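
Review bot: the four props.SetProperty(...) calls in the added lines will not compile. java.util.Properties spells the method setProperty, and it takes two String arguments, so props.SetProperty("ssl", true) needs to become props.setProperty("ssl", "true"). The hunk also uses Properties without showing an import, so check that java.util.Properties is imported at the top of Database.java. Separately, org.postgresql.ssl.NonValidatingFactory encrypts the connection but does not verify the server's certificate, so the client has no way to tell papio.biology.duke.edu from an impostor on the network path. The comment "Connect with ssl, but without a certificate." should say that validation is disabled, and once papio has a certificate the client can trust, the sslfactory line should be removed so the driver validates it.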



