Author: chaase3 Date: Wed Jan 6 19:42:26 2010 New Revision: 896639 URL: http://svn.apache.org/viewvc?rev=896639&view=rev Log: DERBY-4503: Documentation needs note on purpose of built-in authentication mechanism Modified 11 topics in 10.4 branch. Patch: DERBY-4503-10.4-2.diff Modified: db/derby/docs/branches/10.4/src/adminguide/radminappsclientxmp.dita db/derby/docs/branches/10.4/src/devguide/cdevcsecure21547.dita db/derby/docs/branches/10.4/src/devguide/cdevcsecure42374.dita db/derby/docs/branches/10.4/src/devguide/rdevcsecure13713.dita db/derby/docs/branches/10.4/src/devguide/rdevcsecure26537.dita db/derby/docs/branches/10.4/src/devguide/rdevcsecure557.dita db/derby/docs/branches/10.4/src/devguide/rdevcsecureclientexample.dita db/derby/docs/branches/10.4/src/devguide/tdevcsecure81850.dita db/derby/docs/branches/10.4/src/devguide/tdevcsecure82556.dita db/derby/docs/branches/10.4/src/tuning/rtunproper13766.dita db/derby/docs/branches/10.4/src/tuning/rtunproper27355.dita Modified: db/derby/docs/branches/10.4/src/adminguide/radminappsclientxmp.dita URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.4/src/adminguide/radminappsclientxmp.dita?rev=896639&r1=896638&r2=896639&view=diff ============================================================================== --- db/derby/docs/branches/10.4/src/adminguide/radminappsclientxmp.dita (original) +++ db/derby/docs/branches/10.4/src/adminguide/radminappsclientxmp.dita Wed Jan 6 19:42:26 2010 @@ -34,6 +34,11 @@ derby.connection.requireAuthentication=true derby.authentication.provider=BUILTIN derby.user.judy=no12see

+'s +BUILTIN authentication mechanism is suitable only for development and testing +purposes. It is strongly recommended that production systems rely on LDAP or a +user-defined class for authentication. It is also strongly recommended that +production systems protect network connections with SSL/TLS.
Example 1

The following example connects to the default server name localhost on the default port, 1527, and to the database Modified: db/derby/docs/branches/10.4/src/devguide/cdevcsecure21547.dita URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.4/src/devguide/cdevcsecure21547.dita?rev=896639&r1=896638&r2=896639&view=diff ============================================================================== --- db/derby/docs/branches/10.4/src/devguide/cdevcsecure21547.dita (original) +++ db/derby/docs/branches/10.4/src/devguide/cdevcsecure21547.dita Wed Jan 6 19:42:26 2010 @@ -28,6 +28,11 @@ +'s +built-in authentication mechanism is suitable only for development and testing +purposes. It is strongly recommended that production systems rely on LDAP or a +user-defined class for authentication. It is also strongly recommended that +production systems protect network connections with SSL/TLS.

To use the built-in repository, set derby.authentication.provider to BUILTIN. Using built-in users is an alternative to using an external directory service such as LDAP.

Modified: db/derby/docs/branches/10.4/src/devguide/cdevcsecure42374.dita URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.4/src/devguide/cdevcsecure42374.dita?rev=896639&r1=896638&r2=896639&view=diff ============================================================================== --- db/derby/docs/branches/10.4/src/devguide/cdevcsecure42374.dita (original) +++ db/derby/docs/branches/10.4/src/devguide/cdevcsecure42374.dita Wed Jan 6 19:42:26 2010 @@ -45,6 +45,12 @@ an external directory service elsewhere in your enterprise, create your own directory service, or use 's simple mechanism for creating a built-in repository of users.

+'s +built-in authentication mechanism is suitable only for development and testing +purposes. It is strongly recommended that production systems rely on an +external directory service such as LDAP or a user-defined class for +authentication. It is also strongly recommended that production systems protect +network connections with SSL/TLS.

You can define a repository of users for a particular database or for an entire system, depending on whether you use system-wide or database-wide properties.

When user authentication Modified: db/derby/docs/branches/10.4/src/devguide/rdevcsecure13713.dita URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.4/src/devguide/rdevcsecure13713.dita?rev=896639&r1=896638&r2=896639&view=diff ============================================================================== --- db/derby/docs/branches/10.4/src/devguide/rdevcsecure13713.dita (original) +++ db/derby/docs/branches/10.4/src/devguide/rdevcsecure13713.dita Wed Jan 6 19:42:26 2010 @@ -33,7 +33,13 @@ ended up in an e-mail, only the intended recipient would be able to access data in the database. The application developer has decided not to use any user authorization features, since each database will accept only a single -user. In that situation, the default full-access connection mode is acceptable.

+user. In that situation, the default full-access connection mode is acceptable.

+'s +built-in authentication mechanism is suitable only for development and testing +purposes. It is strongly recommended that production systems rely on LDAP or a +user-defined class for authentication. It is also strongly recommended that +production systems protect network connections with SSL/TLS. +

When creating the database, the application developer encrypts the database by using the following connection URL:

jdbc:derby:wombat;create=true;dataEncryption=true; Modified: db/derby/docs/branches/10.4/src/devguide/rdevcsecure26537.dita URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.4/src/devguide/rdevcsecure26537.dita?rev=896639&r1=896638&r2=896639&view=diff ============================================================================== --- db/derby/docs/branches/10.4/src/devguide/rdevcsecure26537.dita (original) +++ db/derby/docs/branches/10.4/src/devguide/rdevcsecure26537.dita Wed Jan 6 19:42:26 2010 @@ -27,6 +27,11 @@
+'s +built-in authentication mechanism is suitable only for development and testing +purposes. It is strongly recommended that production systems rely on LDAP or a +user-defined class for authentication. It is also strongly recommended that +production systems protect network connections with SSL/TLS.

See for information on using SQL authorization, which allows you to use ANSI SQL Standard GRANT and REVOKE statements.

Modified: db/derby/docs/branches/10.4/src/devguide/rdevcsecure557.dita URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.4/src/devguide/rdevcsecure557.dita?rev=896639&r1=896638&r2=896639&view=diff ============================================================================== --- db/derby/docs/branches/10.4/src/devguide/rdevcsecure557.dita (original) +++ db/derby/docs/branches/10.4/src/devguide/rdevcsecure557.dita Wed Jan 6 19:42:26 2010 @@ -57,7 +57,7 @@ derby.user.UserName Creates a user name and password for the built-in user -repository in. +repository in . java.naming.* @@ -67,5 +67,12 @@ +
+

's +built-in authentication mechanism is suitable only for development and testing +purposes. It is strongly recommended that production systems rely on LDAP or a +user-defined class for authentication. It is also strongly recommended that +production systems protect network connections with SSL/TLS.

+
Modified: db/derby/docs/branches/10.4/src/devguide/rdevcsecureclientexample.dita URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.4/src/devguide/rdevcsecureclientexample.dita?rev=896639&r1=896638&r2=896639&view=diff ============================================================================== --- db/derby/docs/branches/10.4/src/devguide/rdevcsecureclientexample.dita (original) +++ db/derby/docs/branches/10.4/src/devguide/rdevcsecureclientexample.dita Wed Jan 6 19:42:26 2010 @@ -29,6 +29,11 @@
+'s +built-in authentication mechanism is suitable only for development and testing +purposes. It is strongly recommended that production systems rely on LDAP or a +user-defined class for authentication. It is also strongly recommended that +production systems protect network connections with SSL/TLS.

See for information on using SQL authorization, which allows you to use ANSI SQL Standard GRANT and REVOKE statements.

Modified: db/derby/docs/branches/10.4/src/devguide/tdevcsecure81850.dita URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.4/src/devguide/tdevcsecure81850.dita?rev=896639&r1=896638&r2=896639&view=diff ============================================================================== --- db/derby/docs/branches/10.4/src/devguide/tdevcsecure81850.dita (original) +++ db/derby/docs/branches/10.4/src/devguide/tdevcsecure81850.dita Wed Jan 6 19:42:26 2010 @@ -38,7 +38,13 @@ authorization for the database. If you are using 's built-in users, configure each user as a database-level property so that user -names and passwords can be encrypted. +names and passwords can be encrypted. +

's +built-in authentication mechanism is suitable only for development and testing +purposes. It is strongly recommended that production systems rely on LDAP or a +user-defined class for authentication. It is also strongly recommended that +production systems protect network connections with SSL/TLS.

+ Modified: db/derby/docs/branches/10.4/src/devguide/tdevcsecure82556.dita URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.4/src/devguide/tdevcsecure82556.dita?rev=896639&r1=896638&r2=896639&view=diff ============================================================================== --- db/derby/docs/branches/10.4/src/devguide/tdevcsecure82556.dita (original) +++ db/derby/docs/branches/10.4/src/devguide/tdevcsecure82556.dita Wed Jan 6 19:42:26 2010 @@ -35,7 +35,13 @@ valid user IDs and passwords to access the system. If you are using 's built-in users, configure users for the system in the derby.properties file. -Provide the protection for this file. +Provide the protection for this file. +

's +built-in authentication mechanism is suitable only for development and testing +purposes. It is strongly recommended that production systems rely on LDAP or a +user-defined class for authentication. It is also strongly recommended that +production systems protect network connections with SSL/TLS.

+ Configure user authorization for sensitive databases in your system. Only designated users will be able to access sensitive databases. You typically configure user authorization with database-level properties. It is also possible Modified: db/derby/docs/branches/10.4/src/tuning/rtunproper13766.dita URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.4/src/tuning/rtunproper13766.dita?rev=896639&r1=896638&r2=896639&view=diff ============================================================================== --- db/derby/docs/branches/10.4/src/tuning/rtunproper13766.dita (original) +++ db/derby/docs/branches/10.4/src/tuning/rtunproper13766.dita Wed Jan 6 19:42:26 2010 @@ -29,10 +29,15 @@ for user authentication.

Legal values include:

  • LDAP

    An external LDAP directory service.

  • -
  • BUILTIN

    's -simple internal user authentication repository.

  • -
  • a complete Java class name

    A user-defined class that provides user +

  • A complete Java class name

    A user-defined class that provides user authentication.

  • +
  • BUILTIN

    's +simple internal user authentication repository.

    +'s +BUILTIN authentication mechanism is suitable only for development and testing +purposes. It is strongly recommended that production systems rely on LDAP or a +user-defined class for authentication. It is also strongly recommended that +production systems protect network connections with SSL/TLS.

When using an external authentication service provider (LDAP), you must also set:

  • derby.authentication.server
  • Modified: db/derby/docs/branches/10.4/src/tuning/rtunproper27355.dita URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.4/src/tuning/rtunproper27355.dita?rev=896639&r1=896638&r2=896639&view=diff ============================================================================== --- db/derby/docs/branches/10.4/src/tuning/rtunproper27355.dita (original) +++ db/derby/docs/branches/10.4/src/tuning/rtunproper27355.dita Wed Jan 6 19:42:26 2010 @@ -31,7 +31,13 @@
  • Caches user DNs locally when derby.authentication.provider is set to LDAP and derby.authentication.ldap.searchFilter is set to derby.user.
  • -

+

+'s +BUILTIN authentication mechanism is suitable only for development and testing +purposes. It is strongly recommended that production systems rely on LDAP or a +user-defined class for authentication. It is also strongly recommended that +production systems protect network connections with SSL/TLS. +
Users and Passwords

This property creates valid clear-text users and passwords within when the derby.authentication.provider property
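Review bot: The added note is worded differently from topic to topic. radminappsclientxmp.dita, rtunproper13766.dita and rtunproper27355.dita say "BUILTIN authentication mechanism", the devguide topics say "built-in authentication mechanism", and only cdevcsecure42374.dita expands the recommendation to "an external directory service such as LDAP or a user-defined class". Settle on one wording. Because the paragraph is otherwise pasted verbatim into all 11 topics, consider keeping it in one shared element and pulling it in by conref, so that a later correction is made in one place.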
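Review bot: In the rdevcsecure13713.dita hunk the note is inserted in the middle of a worked scenario, between "In that situation, the default full-access connection mode is acceptable." and "When creating the database, the application developer encrypts the database". The example presents built-in users as the developer's chosen design for a distributed database, and the next paragraph now says the mechanism is suitable only for development and testing, with nothing to reconcile the two. Move the note to the top of the topic, or add a sentence saying how the example should be read in light of it.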
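Review bot: The tdevcsecure82556.dita hunk rewrites the line "Provide the protection for this file." without making it any more specific, and then appends the note. Since the line is being touched anyway, say what protection is meant for derby.properties (for example, who may read the file), because the step tells readers to put built-in users in that file. The same applies to the tdevcsecure81850.dita hunk, where "so that user names and passwords can be encrypted" is now followed directly by a statement that the mechanism is unsuitable for production. A reader needs to know whether the encryption step changes that assessment.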
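Review bot: The rtunproper13766.dita hunk does more than the log message says. Besides adding the note, it moves BUILTIN from second to last in the list of legal values and changes "a complete Java class name" to "A complete Java class name". Mention the reorder and the capitalization change in the log, or split them out, so that the diff for DERBY-4503 contains only the note. Also check that the note is meant to sit inside the BUILTIN list item, since "When using an external authentication service provider (LDAP), you must also set:" now follows it directly.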
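Review bot: In the rtunproper27355.dita hunk, as in the others, the note states the recommendation but gives no reason for it, although the issue title asks for a note on the purpose of the mechanism. Here it sits directly above "This property creates valid clear-text users and passwords", which is the nearest thing to a rationale on the page. Add one sentence saying why BUILTIN is limited to development and testing, or a cross-reference to the topic that explains it, so the note is not read as boilerplate.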