Password Caching in SALT when using Basic Authentication? - Service Architecture Leveraging Tuxedo (SALT)

We are experiencing an issue in which a user changes their logon password using a thick client application, but is unable to use the changed password when connecting to the same password store through the SALT gateway.
We suspect that either the browser or the SALT Gateway itself is caching the password. How is this designed to work? Do we have to send something in the header to force it to use the password being sent?
We suspect the user is submitting the logon request from an existing browser window which authenticated against SALT prior to them changing the password in the thick client.


LDAP user password decryption

Is there a way to get a user's password, stored in the embedded LDAP, back and decrypt it as plain text?
No. They are encrypted with a one-way hash.
mpgong wrote:
Is there a way to get a user's password, stored in the embedded LDAP, back and decrypt it as plain text?
Is it possible to reset the password when the admin server is not up? We are trying to automate the process of resetting the password.

Password Retrieval

Is there any way to retrieve the password for a particular user in the Weblogic portal?
Thanks in advance 
I assume you're asking if you can retrieve the password for a user and get the value in plain text?
I think the answer depends on the Authorization provider that is being used. I think the providers that come with WebLogic Server/WebLogic Portal do not support this. Those providers use one-way encryption, I think.
Other providers, like your corporate LDAP server might have functions to retrieve passwords in plain text. You'd have to use the APIs that come with your provider, however, as I don't think WLS or WLP provide APIs to retrieve passwords. I could be wrong... 
What's your intent?
If this is for functionality like Forgot My Password, then retrieving the password and mailing it or something is a security hole (if there's some way to retrieve the user's password, then someone else could do it as well).
You must either reset the user's password (by autogeneration and mail this) or mail him a one-time, time-restricted token that can be used to force a password reset.

Question about Passwords and Encryption

Hello All,
I am using a custom login procedure to authenticate users against our Active Directory Domain.
One of the security requirements our company insists upon (even though this app is used on the internal network only and has no interface to the internet etc) is that passwords are not sent in plain text.
Is there a way for me to encrypt the password at the page level (without invoking a server-side PL/SQL function), then unencrypt it when the LDAP authentication runs (sends credentials to LDAP)?
See LDAP Authentication and HTTP protocol and everything here: Re: dbms_ldap SSL bind with 3rd party ldap.

CC&B LoginModule for Weblogic Change of Password

Hi All,
I realise this is more of a Weblogic question, though I'm specifically after a working example of LoginModule that can be used within CC&B on Weblogic to:
a) Force users to change their password if their password is reset;
b) Force users to change their password if their password is expired (for example after 30 days);
c) Plus preferably also allow users to change their password on demand.
Can anyone point me at some examples of this (preferably also highlighting what needs to be set-up within Weblogic from an admin perspective to allow password expiry)?
Note - Kerberos Authentication is not currently an option, hence I need just basic JSP login modules.

ODP.NET Proxy Authentication

We are investigating using Proxy Authentication from web forms. The idea is that we could preserve the identity of individual users in Oracle without maintaining passwords.
con.ConnectionString ="Data Source=DB1;User Id=RealUser;Proxy User Id=TechnicalUser; Proxy Password=TechnicalUser"
The concern is how to protect the Proxy Password. Leaving it in clear text in code is not acceptable. I am looking for suggestions of secure methods of handling this password.
Today we do not store any passwords, each user is prompted to enter his own password which is then authenticated by Oracle.