db-derby-commits mailing list archives

From chaa...@apache.org
Subject svn commit: r1596037 [5/13] - in /db/derby/docs/trunk: ./ src/security/
Date Mon, 19 May 2014 20:09:36 GMT
Added: db/derby/docs/trunk/src/security/authentic_os.gif
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/authentic_os.gif?rev=1596037&view=auto
==============================================================================
Binary file - no diff available.

Propchange: db/derby/docs/trunk/src/security/authentic_os.gif
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: db/derby/docs/trunk/src/security/authentic_os.jpg
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/authentic_os.jpg?rev=1596037&view=auto
==============================================================================
Binary file - no diff available.

Propchange: db/derby/docs/trunk/src/security/authentic_os.jpg
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: db/derby/docs/trunk/src/security/csecapps49914.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/csecapps49914.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/csecapps49914.dita (added)
+++ db/derby/docs/trunk/src/security/csecapps49914.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,118 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN"
+ "../dtd/concept.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<concept id="csecapps49914" xml:lang="en-us">
+<title>Configuring Network Server authentication without SSL/TLS</title>
+<shortdesc>If you do not encrypt network traffic with SSL/TLS, you can use
+properties to specify the encryption of user names and passwords on the Network
+Server side.</shortdesc>
+<prolog><metadata>
+<keywords>
+<indexterm>org.apache.derby.jdbc.ClientDataSource.CLEAR_TEXT_PASSWORD_SECURITY</indexterm>
+<indexterm>org.apache.derby.jdbc.ClientDataSource.USER_ONLY_SECURITY</indexterm>
+<indexterm>org.apache.derby.jdbc.ClientDataSource.ENCRYPTED_USER_AND_PASSWORD_SECURITY</indexterm>
+</keywords>
+</metadata></prolog>
+<conbody>
+<note type="important">Using SSL/TLS is strongly recommended for production
+applications. Use the properties only under unusual circumstances.</note>
+<p>When you run <ph conref="../conrefs.dita#prod/productshortname"></ph> in
+embedded mode or when you use the
+<ph conref="../conrefs.dita#prod/productshortname"></ph> Network Server, you can
+enable or disable server-side user authentication. (Enabling user authentication
+is strongly recommended.) However, when you use the Network Server, the default
+security mechanism (<codeph>CLEAR_TEXT_PASSWORD_SECURITY</codeph>) requires that
+you supply both the user name and password.</p>
+<p>In addition to the default user name and password security mechanism,
+<codeph>org.apache.derby.jdbc.ClientDataSource.CLEAR_TEXT_PASSWORD_SECURITY</codeph>,
+<ph conref="../conrefs.dita#prod/productshortname"></ph> Network Server supports
+the following security properties:</p>
+<ul>
+<li>UserID: <codeph>org.apache.derby.jdbc.ClientDataSource.USER_ONLY_SECURITY</codeph>
+<p>When you use this mechanism, you must specify only the <codeph>user</codeph>
+property. All other mechanisms require you to specify both the user name and the
+password.</p></li>
+<li>Encrypted UserID and encrypted password:
+<codeph>org.apache.derby.jdbc.ClientDataSource.ENCRYPTED_USER_AND_PASSWORD_SECURITY</codeph>
+<p>When you use this mechanism, both password and user id are encrypted.</p></li>
+</ul>
+<p>The user name that is specified upon connection is the default schema for the
+connection, if a schema with that name exists. See the
+<ph conref="../conrefs.dita#pub/citdevelop"></ph> for more information on schema
+and user names.</p>
+<p>If you specify any other security mechanism, you will receive an
+exception.</p>
+<p>To change the default, you can specify another security mechanism either as a
+property or on the URL (using the <codeph>securityMechanism=<i>value</i></codeph>
+attribute) when you make the connection. For details, see
+<xref href="csecappsclientsecurity.dita"/> and
+"securityMechanism=value attribute" in the 
+<ph conref="../conrefs.dita#pub/citref"></ph>.</p>
+<p>Whether the security mechanism you specify for the client actually takes
+effect depends upon the setting of the 
+<codeph>derby.drda.securityMechanism</codeph> property for the Network Server. 
+If the <codeph>derby.drda.securityMechanism</codeph> property is set, the 
+Network Server accepts only connections that use the security mechanism 
+specified by the property setting. If the 
+<codeph>derby.drda.securityMechanism</codeph> property is not set, clients can
+use any valid security mechanism. For details, see 
+"derby.drda.securityMechanism property" in the 
+<ph conref="../conrefs.dita#pub/citadmin"></ph>.</p>
+<section><title>Security mechanism options when user authentication is enabled on the 
+Network Server</title>
+<p>When user authentication is enabled in 
+<ph conref="../conrefs.dita#prod/productshortname"></ph>, you can use either of
+the following security mechanisms.</p>
+<ul>
+<li>Clear text user name and password security, the default</li>
+<li>Encrypted user name and password security</li>
+</ul>
+</section>
+<section><title>Security mechanism options when user authentication is disabled
+on the Network Server</title>
+<p>When user authentication is turned off in
+<ph conref="../conrefs.dita#prod/productshortname"></ph>, you can use any of the
+security mechanism options.</p>
+<p>You must provide a user and password for all security mechanisms except
+<codeph>USER_ONLY_SECURITY</codeph>. However, because user authentication is
+disabled in the <ph conref="../conrefs.dita#prod/productshortname"></ph> server,
+the user name and password that you supply do not have to be among those
+recognized as valid by
+<ph conref="../conrefs.dita#prod/productshortname"></ph>.</p>
+</section>
+<section><title>Enabling the encrypted user ID and password security
+mechanism</title>
+<p>To use the encrypted user ID and password security mechanism, you need a Java
+environment with a JCE (Java Cryptography Extension) that supports the
+Diffie-Hellman algorithm with a public prime of 256 bits.</p>
+<p>The Java Platform, Standard Edition (Java SE) requires a public prime of
+512 bits or more.</p>
+<p>To use the encrypted user id and password security mechanism during
+JDBC connection using the network client, specify the
+<codeph>securityMechanism=<i>value</i></codeph> connection property.
+<note>If an encrypted database is booted in the Network Server, users can
+connect to the database without giving the <codeph>bootPassword</codeph>. The
+first connection to the database must provide the <codeph>bootPassword</codeph>,
+but all subsequent connections do not need to supply it. To remove access
+from the encrypted database, use the <codeph>shutdown=true</codeph> option
+to shut down the database. See <xref href="cseccsecure24366.dita"/> for
+more information.</note></p>
+</section>
+</conbody>
+</concept>
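Review bot: the two sentences on the Diffie-Hellman prime size in the last section contradict each other as written: the mechanism is said to need a JCE that supports "a public prime of 256 bits", and the next paragraph says "Java SE requires a public prime of 512 bits or more", with no statement of what the reader should conclude (whether a stock Java SE JCE can be used at all, or a different provider is required). Suggest merging them into one paragraph that spells out the consequence. A 256-bit Diffie-Hellman prime is also far below current key-size guidance, so the opening "important" note would be stronger if it named this mechanism's weak key size as a concrete reason to prefer SSL/TLS. Separately, the sentence "If you specify any other security mechanism, you will receive an exception." is stranded after the schema paragraph; it belongs directly after the bulleted list of supported mechanisms.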

Propchange: db/derby/docs/trunk/src/security/csecapps49914.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/csecappsclientsecurity.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/csecappsclientsecurity.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/csecappsclientsecurity.dita (added)
+++ db/derby/docs/trunk/src/security/csecappsclientsecurity.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,101 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN"
+ "../dtd/concept.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<!--##### DO NOT CHANGE ANYTHING ABOVE THIS LINE #####-->
+<concept id="csecappsclientsecurity" xml:lang="en-us">
+<title>Configuring Network Client authentication without SSL/TLS</title>
+<shortdesc>If you do not encrypt network traffic with SSL/TLS, you can use
+properties to specify the encryption of user names and passwords on the client
+side.</shortdesc>
+<prolog><metadata>
+<keywords><indexterm>Network Client security</indexterm></keywords>
+</metadata></prolog>
+<conbody>
+<note type="important">Using SSL/TLS is strongly recommended for production
+applications. Use the properties only under unusual circumstances.</note>
+<p>The <codeph>securityMechanism=value</codeph> property specifies a security
+mechanism for the <ph conref="../conrefs.dita#prod/productshortname"></ph>
+Network Client. See the <ph conref="../conrefs.dita#pub/citref"></ph> for details
+on this property.</p>
+<p>You can set the <codeph>securityMechanism</codeph> property in one of the
+following ways:</p><ul>
+<li>When you are using the <codeph>java.sql.DriverManager</codeph> class, set
+<codeph>securityMechanism=<i>value</i></codeph> in a <codeph>java.util.Properties</codeph>
+object before you invoke the form of the
+<codeph>DriverManager.getConnection</codeph> method that includes the
+<codeph>java.util.Properties</codeph> parameter.</li>
+<li>When you are using the <codeph>ClientDataSource</codeph> interface to create
+and deploy your own DataSource objects, invoke the
+<codeph>ClientDataSource.setSecurityMechanism</codeph> method after you create a
+ClientDataSource object.</li>
+</ul>
+<p>The following table lists the security mechanisms that the
+<ph conref="../conrefs.dita#prod/productshortname"></ph> Network
+Client supports, and the corresponding property value to specify to obtain this
+security mechanism. The default security mechanism is the user id only if no
+password is set. If the password is set, the default security mechanism is both
+the user id and password. The default user is APP if no other user is
+specified.</p>
+<table>
+<title>Security mechanisms supported by the
+<ph conref="../conrefs.dita#prod/productshortname"></ph> Network Client</title>
+<desc>This table lists, describes, and provides additional information about <ph conref="../conrefs.dita#prod/productshortname"></ph> network client security mechanisms.</desc>
+<tgroup cols="3" colsep="1" rowsep="1">
+<colspec colname="col1" colnum="1" colwidth="15*"/>
+<colspec colname="col2" colnum="2" colwidth="57*"/>
+<colspec colname="col3" colnum="3" colwidth="28*"/>
+<thead>
+<row valign="bottom">
+<entry colname="col1">Security Mechanism</entry>
+<entry colname="col2">securityMechanism Property Value</entry>
+<entry colname="col3">Comments</entry>
+</row>
+</thead>
+<tbody>
+<row>
+<entry colname="col1">User id and password</entry>
+<entry colname="col2"><codeph>ClientDataSource.CLEAR_TEXT_PASSWORD_SECURITY</codeph>
+(0x03)</entry>
+<entry colname="col3">Default if password is set</entry>
+</row>
+<row>
+<entry colname="col1">User id only</entry>
+<entry colname="col2"><codeph>ClientDataSource.USER_ONLY_SECURITY</codeph>
+(0x04)</entry>
+<entry colname="col3">Default if password is not set</entry>
+</row>
+<row>
+<entry colname="col1">Encrypted user id and encrypted password</entry>
+<entry colname="col2"><codeph>ClientDataSource.ENCRYPTED_USER_AND_PASSWORD_SECURITY</codeph>
+(0x09)</entry>
+<entry colname="col3">Encryption requires a JCE implementation that supports
+the Diffie-Hellman algorithm with a public prime of 256 bits.</entry>
+</row>
+</tbody>
+</tgroup>
+</table>
+<p><ph conref="../conrefs.dita#prod/productshortname"></ph> provides two
+ClientDataSource implementations. Use the
+<codeph>org.apache.derby.jdbc.ClientDataSource</codeph> class on all supported
+Java SE versions except Java SE 8 Compact Profile 2. On Java SE 8 Compact
+Profile 2, use the
+<codeph>org.apache.derby.jdbc.BasicClientDataSource40</codeph> class.</p>
+</conbody>
+</concept>
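Review bot: the default described here ("The default security mechanism is the user id only if no password is set") disagrees with the server-side topic in this same commit, which states that the default is CLEAR_TEXT_PASSWORD_SECURITY and "requires that you supply both the user name and password"; one of the two should be reworded so the two pages do not give different answers. The Comments cell for ENCRYPTED_USER_AND_PASSWORD_SECURITY repeats the 256-bit prime requirement without the companion topic's caveat that Java SE requires 512 bits or more, so a reader of only this page will not learn that the stock JCE may not suffice; an xref to the server-side topic would close that gap. Minor markup: "<codeph>securityMechanism=value</codeph>" near the top should use "<i>value</i>" as the later occurrence does, and "</p><ul>" should be split onto separate lines.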

Propchange: db/derby/docs/trunk/src/security/csecappsclientsecurity.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/csecauthorcoarse.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/csecauthorcoarse.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/csecauthorcoarse.dita (added)
+++ db/derby/docs/trunk/src/security/csecauthorcoarse.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,103 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN"
+ "../dtd/concept.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<concept id="csecauthorcoarse" xml:lang="en-us">
+<title>Configuring coarse-grained user authorization</title>
+<shortdesc>You can manipulate coarse-grained access by using the builtin
+procedure <codeph>SYSCS_SET_DATABASE_PROPERTY</codeph> to set the database
+properties <codeph>derby.database.fullAccessUsers</codeph> and
+<codeph>derby.database.readOnlyAccessUsers</codeph>.</shortdesc>
+<prolog><metadata>
+<keywords><indexterm>databases<indexterm>coarse-grained authorization, configuring</indexterm></indexterm>
+<indexterm>authorization<indexterm>coarse-grained</indexterm></indexterm>
+<indexterm>derby.database.fullAccessUsers property</indexterm>
+<indexterm>properties<indexterm>derby.database.fullAccessUsers</indexterm></indexterm>
+<indexterm>derby.database.readOnlyAccessUsers property</indexterm>
+<indexterm>properties<indexterm>derby.database.readOnlyAccessUsers</indexterm></indexterm>
+</keywords></metadata></prolog>
+<conbody>
+<p>The following example shows how to do this. The example assumes that you are
+reusing the credentials-protected database you created in
+<xref href="cseccsecurenativeauth.dita"/>. The example commands first set the
+read/write and read-only users and then verify that the settings work
+correctly.</p>
+<codeblock><b>java org.apache.derby.tools.ij</b>
+ij> ij version 10.11
+ij> <b>connect 'jdbc:derby:testdb;user=tquist;password=tquist';</b>
+ij> --
+-- Prevent our settings from being overridden on the
+-- command line or in derby.properties.
+--
+<b>call SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY
+( 'derby.database.propertiesOnly', 'true' );</b>
+0 rows inserted/updated/deleted
+ij> --
+-- Now we can configure read/write and read-only users.
+--
+<b>call SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY
+( 'derby.database.fullAccessUsers', 'tquist,mchrysta' );</b>
+0 rows inserted/updated/deleted
+ij> <b>call SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY
+( 'derby.database.readOnlyAccessUsers', 'thardy,jhallett' );</b>
+0 rows inserted/updated/deleted
+ij> --
+-- Next verify that a read/write user has those powers:
+--
+<b>connect 'jdbc:derby:testdb;user=mchrysta;password=mchrysta';</b>
+ij(CONNECTION1)> <b>create table mchrysta.t1( a varchar( 20 ) );</b>
+0 rows inserted/updated/deleted
+ij(CONNECTION1)> <b>insert into mchrysta.t1( a ) values ( 'mchrysta' );</b>
+1 row inserted/updated/deleted
+ij(CONNECTION1)> <b>select * from mchrysta.t1;</b>
+A                   
+--------------------
+mchrysta            
+
+1 row selected
+ij(CONNECTION1)> --
+-- Finally, verify that a read-only user can read data but not write it:
+--
+<b>connect 'jdbc:derby:testdb;user=thardy;password=thardy';</b>
+ij(CONNECTION2)> -- the user can select from public data
+<b>select count(*) from sys.systables;</b>
+1          
+-----------
+24         
+
+1 row selected
+ij(CONNECTION2)> -- but this user can't even create a table
+<b>create table thardy.t1( a varchar( 20 ) );</b>
+ERROR 25503: DDL is not permitted for a read-only connection, user or database.
+</codeblock>
+<section><title>Coarse-grained authorization details</title>
+<p>Use a CALL statement to call the
+<codeph>SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY</codeph> system procedure.</p>
+<p>To specify multiple user IDs, use a comma-separated list, with no spaces
+between the comma and the next user ID.</p>
+<p>To specify read-write access for a user ID that contains special characters,
+use delimited identifiers for the user ID. For example:</p>
+<codeblock><b>CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(
+    'derby.database.fullAccessUsers', '"Elena!"')</b></codeblock>
+<p>For extra security, you should configure the
+<codeph>derby.database.propertiesOnly</codeph> property so that users cannot
+override database behavior using system-wide properties specified on the command
+line or in the <codeph>derby.properties</codeph> file.</p>
+</section>
+</conbody>
+</concept>
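Review bot: the example sets derby.database.propertiesOnly to true before it configures derby.database.fullAccessUsers and before it verifies that any read-write user can connect, which is the opposite of the order given in step 4 of the basic tasks topic in this commit ("Before disabling system-level properties ... test that at least one database-level read-write user ... is valid"). Suggest moving the propertiesOnly call to the end of the session, after the mchrysta and thardy checks, so the worked example models the recommended sequence and a reader who copies it cannot lock the configuration in before confirming it works. Also, the first transcript line "ij> ij version 10.11" shows a prompt before the version banner, whereas the fine-grained example shows "ij version 10.11" without one; the two transcripts should agree.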

Propchange: db/derby/docs/trunk/src/security/csecauthorcoarse.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/csecauthorfine.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/csecauthorfine.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/csecauthorfine.dita (added)
+++ db/derby/docs/trunk/src/security/csecauthorfine.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,118 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN"
+ "../dtd/concept.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<concept id="csecauthorfine" xml:lang="en-us">
+<title>Configuring fine-grained user authorization</title>
+<shortdesc>You can use fine-grained user authorization, also called SQL standard
+authorization, to restrict access to specific pieces of data.</shortdesc>
+<prolog><metadata>
+<keywords><indexterm>databases<indexterm>fine-grained authorization, configuring</indexterm></indexterm>
+<indexterm>authorization<indexterm>fine-grained</indexterm></indexterm>
+<indexterm>derby.database.sqlAuthorization property</indexterm>
+<indexterm>properties<indexterm>derby.database.sqlAuthorization</indexterm></indexterm>
+</keywords></metadata></prolog>
+<conbody>
+<p>You can use fine-grained authorization by itself or in conjunction with
+coarse-grained authorization.</p>
+<p>Fine-grained authorization, like coarse-grained authorization, requires that
+we run <ph conref="../conrefs.dita#prod/productshortname"></ph> with
+authentication turned on. If you are using LDAP authentication, then you will
+need to enable fine-grained authorization by setting the
+<codeph>derby.database.sqlAuthorization</codeph> property to
+<codeph>true</codeph>.</p>
+<p>The following example uses the same database you created in
+<xref href="cseccsecurenativeauth.dita"/>, the database that relies on NATIVE
+authentication. If you use NATIVE authentication, there is no need to set the
+<codeph>derby.database.sqlAuthorization</codeph> property. NATIVE authentication
+automatically enables fine-grained authorization.</p>
+<p>The example creates two tables. One table can be viewed by anyone. The other
+table can be viewed only by specific users.</p>
+<codeblock><b>java org.apache.derby.tools.ij</b>
+ij version 10.11
+ij> <b>connect 'jdbc:derby:testdb;user=mchrysta;password=mchrysta';</b>
+ij> -- create and populate some tables
+<b>create table publicTable( a int );</b>
+0 rows inserted/updated/deleted
+ij> <b>create table restrictedTable( a int );</b>
+0 rows inserted/updated/deleted
+ij> <b>insert into publicTable( a ) values ( 1 );</b>
+1 row inserted/updated/deleted
+ij> <b>insert into restrictedTable( a ) values( 100 );</b>
+1 row inserted/updated/deleted
+ij> -- set up fine-grained checks
+<b>grant select on publicTable to public;</b>
+0 rows inserted/updated/deleted
+ij> <b>grant select on restrictedTable to thardy;</b>
+0 rows inserted/updated/deleted
+ij> --
+--Now verify that thardy can view both tables...
+--
+<b>connect 'jdbc:derby:testdb;user=thardy;password=thardy';</b>
+ij(CONNECTION1)> <b>select * from mchrysta.publicTable;</b>
+A          
+-----------
+1          
+
+1 row selected
+ij(CONNECTION1)> <b>select * from mchrysta.restrictedTable;</b>
+A          
+-----------
+100        
+
+1 row selected
+ij(CONNECTION1)> --
+-- ...but other users can only view the public table:
+--
+<b>connect 'jdbc:derby:testdb;user=jhallett;password=jhallett';</b>
+ij(CONNECTION2)> <b>select * from mchrysta.publicTable;</b>
+A          
+-----------
+1          
+
+1 row selected
+ij(CONNECTION2)> <b>select * from mchrysta.restrictedTable;</b>
+ERROR 42502: User 'JHALLETT' does not have SELECT permission on column 'A' of
+table 'MCHRYSTA'.'RESTRICTEDTABLE'.</codeblock>
+<p>You can also use the GRANT command to restrict write access to your tables,
+to control who executes your functions and procedures, to limit who can add
+triggers to your tables, and to limit who can create foreign keys referencing
+your tables. You can also control users' ability to create, set, and drop
+roles.</p>
+<p>Coarse-grained and fine-grained authorization are not mutually exclusive. You
+may want to configure both. Using coarse-grained authorization, you can prevent
+truly read-only users from creating and populating any table; this defends your
+database against an unbounded growth vulnerability (see 
+<xref href="csecintrovuln.dita"></xref>. Using additional
+fine-grained authorization checks prevents your read-write users from accessing
+restricted data.</p>
+<p>After the <codeph>derby.database.sqlAuthorization</codeph> property has been
+set to <codeph>true</codeph>, you cannot set the property back to
+<codeph>false</codeph>.</p>
+<p>You can set the <codeph>derby.database.sqlAuthorization</codeph> property
+as a system property or as a database property. If you set this property as
+a system property before you create the databases, all new databases will
+automatically have SQL authorization enabled:</p>
+<codeblock>derby.database.sqlAuthorization=true</codeblock>
+<p>If the databases already exist, you can set this property only as a database
+property:</p>
+<codeblock>CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(
+    'derby.database.sqlAuthorization',
+    'true')</codeblock>
+</conbody>
+</concept>
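Review bot: the parenthesis opened at "unbounded growth vulnerability (see" is never closed; the xref is followed only by a period, so ")" needs to be inserted after "</xref>". The sentence "If you are using LDAP authentication, then you will need to enable fine-grained authorization by setting the derby.database.sqlAuthorization property" singles out LDAP, leaving readers of the user-defined authenticator topic (cseccsecure21561.dita in this commit) unsure whether it applies to them; suggest wording it as any authentication provider other than NATIVE, since the following paragraph already says NATIVE enables the property automatically. Minor: "requires that we run" should be "requires that you run" to match the rest of the topic.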

Propchange: db/derby/docs/trunk/src/security/csecauthorfine.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/csecauthorization.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/csecauthorization.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/csecauthorization.dita (added)
+++ db/derby/docs/trunk/src/security/csecauthorization.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN"
+ "../dtd/concept.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<concept id="csecauthorization" xml:lang="en-us">
+<title>Configuring user authorization</title>
+<shortdesc>While authentication determines whether someone is a legal database
+user, <i>authorization</i> determines what operations can be performed by a
+user's identity.</shortdesc>
+<prolog><metadata><keywords>
+<indexterm>databases<indexterm>authorization</indexterm></indexterm>
+<indexterm>authorization<indexterm>coarse-grained</indexterm></indexterm>
+<indexterm>authorization<indexterm>fine-grained</indexterm></indexterm>
+</keywords></metadata></prolog>
+<conbody>
+<p> Once you have set up authentication, you can configure
+authorization.</p>
+<p><ph conref="../conrefs.dita#prod/productshortname"></ph> offers two kinds of
+authorization:</p>
+<ul>
+<li><b>Coarse-grained authorization</b>, in which the Database Owner divides an
+application's users into two groups. One group has full authority to read and
+write all data. The other group merely has permission to read data.</li>
+<li><b>Fine-grained authorization</b>, in which the Database Owner and
+individual users issue SQL GRANT/REVOKE statements to declare who can read or
+write specific pieces of data and who can exercise specific application
+functions.</li>
+</ul>
+</conbody>
+</concept>
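Review bot: stray leading space inside "<p> Once you have set up". The two bullets are each a term followed by its definition, so a <dl> with <dlentry>, <dt> and <dd> would be the idiomatic DITA markup rather than <ul> items that rely on <b> for the term.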

Propchange: db/derby/docs/trunk/src/security/csecauthorization.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/cseccsecure12392.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/cseccsecure12392.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/cseccsecure12392.dita (added)
+++ db/derby/docs/trunk/src/security/cseccsecure12392.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN"
+ "../dtd/concept.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<concept id="cseccsecure12392" xml:lang="en-us">
+<title>Basic security configuration tasks</title>
+<shortdesc>In most cases, you enable
+<ph conref="../conrefs.dita#prod/productshortname"></ph> security features
+through the use of properties. It is important to understand the best way to set
+properties for your environment.</shortdesc>
+<prolog><metadata>
+<keywords><indexterm>security<indexterm>configuring</indexterm></indexterm>
+</keywords>
+</metadata></prolog>
+<conbody>
+<section><p><ph conref="../conrefs.dita#prod/productshortname"></ph> does
+not come with a built-in superuser. For that reason, be careful to follow these
+steps when you configure
+<ph conref="../conrefs.dita#prod/productshortname"></ph> for user authentication
+and user authorization.</p>
+<ol>
+<li>When first working with security, work with system-level properties only
+so that you can easily override them if you make a mistake. See
+"Scope of properties" and "Setting system-wide properties" in the
+<ph conref="../conrefs.dita#pub/citdevelop"></ph> for more information.</li>
+<li>Be sure to create at least one valid user, and grant that user full
+(read-write) access. For example, you might always want to create a user called
+<codeph>sa</codeph> with the password
+<codeph><ph conref="../conrefs.dita#prod/productlowercase"></ph></codeph> while
+you are developing. </li>
+<li>Test the authentication system while it is still configured at the system
+level. Be absolutely certain that you have configured the system correctly
+before setting the properties as database-level properties.</li>
+<li>Before disabling system-level properties (by setting
+<codeph>derby.database.propertiesOnly</codeph> to true), test that at least one
+database-level read-write user (such as <codeph>sa</codeph>) is valid. If you do
+not have at least one valid user that the system can authenticate, you will not
+be able to access your database.</li>
+</ol></section>
+</conbody>
+</concept>
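Review bot: step 2 proposes a development user "sa" whose password is the product name itself (the conref to productlowercase), i.e. a guessable credential; the step does say "while you are developing", but it should also tell the reader to change that password or drop the user before the database is deployed, particularly because step 4 then has the reader lock the configuration into the database with derby.database.propertiesOnly. Markup: the whole body is wrapped in a single <section> with no <title>, which adds nothing; the <p> and <ol> can sit directly in <conbody>.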

Propchange: db/derby/docs/trunk/src/security/cseccsecure12392.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/cseccsecure21561.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/cseccsecure21561.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/cseccsecure21561.dita (added)
+++ db/derby/docs/trunk/src/security/cseccsecure21561.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN"
+ "../dtd/concept.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<concept id="cseccsecure21561" xml:lang="en-us">
+<title>Specifying authentication with a user-defined class</title>
+<shortdesc>You can set the <codeph>derby.authentication.provider</codeph>
+property to the full name of a class that implements the public interface
+<codeph>org.apache.derby.authentication.UserAuthenticator</codeph>.</shortdesc>
+<prolog><metadata>
+<keywords>
+<indexterm>user authentication<indexterm>providing your own</indexterm></indexterm>
+</keywords>
+</metadata></prolog>
+<conbody>
+<p>By writing your own class that fulfills some minimal requirements, you can
+hook <ph conref="../conrefs.dita#prod/productshortname"></ph> up to an external
+authentication service other than LDAP. To do so, specify an external
+authentication service by setting the property
+<codeph>derby.authentication.provider</codeph> to a class name that you want
+<ph conref="../conrefs.dita#prod/productshortname"></ph> to load at startup.</p>
+<p>The class that provides the external authentication service must implement
+the public interface
+<codeph>org.apache.derby.authentication.UserAuthenticator</codeph> and throw
+exceptions of the type <codeph>java.sql.SQLException</codeph> where
+appropriate.</p>
+<p>Using a user-defined class makes
+<ph conref="../conrefs.dita#prod/productshortname"></ph> adaptable to various
+naming and directory services.</p>
+</conbody>
+</concept>
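Review bot: the body paragraph tells the reader to set derby.authentication.provider to "a class name that you want Derby to load at startup", while the shortdesc says "the full name of a class"; make the body say fully qualified class name so nobody tries a bare class name. The requirement to "throw exceptions of the type java.sql.SQLException where appropriate" is too vague to implement against: state which conditions should surface as an exception (for instance the external service being unreachable) as opposed to a plain failed login, so that implementers fail closed instead of treating an outage as either success or a silent rejection. The topic also never says what happens to connection requests if the named class cannot be loaded at startup; one sentence on that behaviour would help.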

Propchange: db/derby/docs/trunk/src/security/cseccsecure21561.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/cseccsecure24366.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/cseccsecure24366.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/cseccsecure24366.dita (added)
+++ db/derby/docs/trunk/src/security/cseccsecure24366.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,89 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN"
+ "../dtd/concept.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<concept id="cseccsecure24366" xml:lang="en-us">
+<title>Configuring database encryption</title>
+<shortdesc><ph conref="../conrefs.dita#prod/productshortname"></ph> provides
+a way for you to encrypt your data on disk.</shortdesc>
+<prolog><metadata>
+<keywords><indexterm>database encryption</indexterm>
+<indexterm>databases<indexterm>encrypting</indexterm></indexterm>
+</keywords>
+</metadata></prolog>
+<conbody>
+<p>By default, <ph conref="../conrefs.dita#prod/productshortname"></ph> stores
+its data unencrypted in ordinary operating system files. An attacker who can
+view those files can simply type them out, exposing all sorts of data stored in
+string columns. Knowing
+<ph conref="../conrefs.dita#prod/productshortname"></ph>'s file formats, a
+clever attacker could even view numeric data stored in those files. Even worse,
+a clever attacker could change the data itself.</p>
+<p>Fortunately, <ph conref="../conrefs.dita#prod/productshortname"></ph> can
+encrypt databases. On a shared machine, that helps protect data from other
+users, including disgruntled or curious superusers. Encryption helps protect
+private financial data from thieves who physically steal your laptop.</p>
+<p>Before encrypting a database, you need to make two choices:</p>
+<ul>
+<li>A <b>boot password</b>: This is the password that unlocks your encrypted
+data when you want to use it.</li>
+<li>An <b>encryption algorithm</b>: This is a transformation name as described
+in the API documentation for the <codeph>javax.crypto.Cipher</codeph> class.
+<ph conref="../conrefs.dita#prod/productshortname"></ph> encryption relies on
+the JCE libraries supplied with the virtual machine. For more information on
+those libraries, see the <cite>Java Cryptography Architecture (JCA) Reference
+Guide</cite> (<xref format="html"
+href="http://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html"
+scope="external"/>).</li>
+</ul>
+<p>Here is a <codeph>ij</codeph> command that creates an encrypted
+database. Notice the additional attributes in bold on the database creation URL:
+<codeph>dataEncryption</codeph>, <codeph>encryptionAlgorithm</codeph>, and
+<codeph>bootPassword</codeph>. The URL string must be all on one line.</p>
+<codeblock>connect 'jdbc:derby:myEncryptedDatabaseName;create=true;
+<b>dataEncryption=true;encryptionAlgorithm=Blowfish/CBC/NoPadding;
+bootPassword=mySuperSecretBootPassword</b>';
+</codeblock>
+<p>Once you have created an encrypted database, you can work in it. After you
+shut down the encrypted database, you can reconnect to it by simply supplying
+your boot password in the connection URL, as shown in the following 
+<codeph>ij</codeph> command:</p>
+<codeblock>connect 'jdbc:derby:myEncryptedDatabaseName;
+<b>bootPassword=mySuperSecretBootPassword</b>';</codeblock>
+<p>Keep in mind that by booting a database with its boot password, you unlock
+the database for the lifetime of the virtual machine. This means that other
+threads can connect to the database without supplying the boot password. This
+situation lasts until the database is explicitly shut down or the virtual
+machine exits. For a single-user, shrink-wrapped application, this is generally
+not a problem. However, for a multi-user application, you need to take steps to
+keep the data secure during the various stages of working with the database:</p>
+<ol>
+<li><b>Unlocking the database</b>: The boot password is used to initially
+unlock encrypted data. Once the Database Owner has unlocked the database, other
+users can connect to it without supplying the boot password.</li>
+<li><b>Working with the database</b>: For that reason, you should configure
+<ph conref="../conrefs.dita#prod/productshortname"></ph> authorization
+(see below) to restrict the users who may access the unlocked data.</li>
+<li><b>Relocking the database</b>: To relock your data, simply shut down the
+database.</li>
+</ol>
+<p>The following sections provide detailed information about database
+encryption.</p>
+<note>Jar files stored in a database are not encrypted.</note>
+</conbody>
+</concept>
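Review bot: step 2 of the ordered list ("Working with the database") says to configure Derby authorization "(see below)", but nothing about authorization follows in this topic; replace the dangling reference with an xref to csecauthorization.dita, which cseccsecure42374.dita in this same commit already uses. Both ij examples place the boot password inside the connection URL, and the paragraph about unlocking the database for the lifetime of the virtual machine never mentions that the URL, and with it the password, is recorded wherever the command or URL is logged (ij history, application logs); a sentence on keeping the boot password out of hard-coded URLs belongs there. Minor: the example's Blowfish/CBC/NoPadding is not identified as example-only, while cseccsecure67151.dita in this commit lists DES as the default algorithm; say here that Blowfish is just the example, not the default.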

Propchange: db/derby/docs/trunk/src/security/cseccsecure24366.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/cseccsecure24458.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/cseccsecure24458.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/cseccsecure24458.dita (added)
+++ db/derby/docs/trunk/src/security/cseccsecure24458.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,69 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN"
+ "../dtd/concept.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<concept id="cseccsecure24458" xml:lang="en-us">
+<title>Authorization identifiers, user authentication, and user
+authorization</title>
+<shortdesc>When working with both user authentication and user authorization,
+you need to understand how user names are treated by each system.</shortdesc>
+<prolog><metadata>
+<keywords><indexterm>users<indexterm>and schemas</indexterm></indexterm>
+<indexterm>schemas<indexterm>and users</indexterm></indexterm></keywords>
+</metadata></prolog>
+<conbody>
+<p>If you use an external authentication system such as LDAP, the conversion of
+the user's name to an authorization identifier happens <i>after</i>
+authentication has occurred but <i>before</i> user authorization has occurred.
+Imagine, for example, a user named Fred.</p>
+<ul>
+<li>Within the user authentication system, Fred is known as
+<codeph>FRed</codeph>. Your external user authorization service is
+case-sensitive, so Fred must always type his name that way.
+<codeblock>Connection conn = DriverManager.getConnection(
+    "jdbc:derby:myDB", "FRed", "flintstone");</codeblock></li>
+<li>Within the <ph conref="../conrefs.dita#prod/productshortname"></ph> user
+authorization system, Fred becomes a case-insensitive authorization identifier.
+Fred is known as <codeph>FRED</codeph>.</li>
+</ul>
+<p>Let's take a second example, where Fred has a slightly different name within
+the user authentication system.</p>
+<ul>
+<li>Within the user authentication system, Fred is known as
+<codeph>Fred!</codeph>. You must now put double quotes around the name, because
+it is not a valid <codeph><i>SQL92Identifier</i></codeph>.
+(<ph conref="../conrefs.dita#prod/productshortname"></ph> knows to remove the
+double quotes when passing the name to the external authentication system.)
+<codeblock>Connection conn = DriverManager.getConnection(
+    "jdbc:derby:myDB", "\"Fred!\"", "flintstone");</codeblock></li>
+<li>Within the <ph conref="../conrefs.dita#prod/productshortname"></ph> user
+authorization system, <codeph>Fred</codeph> becomes a case-sensitive
+authorization identifier. Fred is known as <codeph>Fred!</codeph>.</li>
+</ul>
+<p>As shown in the first example, your external authentication system may
+be case-sensitive, whereas the authorization identifier within
+<ph conref="../conrefs.dita#prod/productshortname"></ph> may not be. If your
+authentication system allows two distinct users whose names differ by case,
+delimit all user names within the connection request to make all user names
+case-sensitive within the
+<ph conref="../conrefs.dita#prod/productshortname"></ph> system. In addition,
+you must also delimit user names that do not conform to
+<codeph><i>SQL92Identifier</i></codeph> rules with double quotes.</p>
+</conbody>
+</concept>
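Review bot: in the first bulleted example, "Your external user authorization service is case-sensitive, so Fred must always type his name that way" should read "authentication service": that bullet describes the user authentication system, and the closing paragraph of the hunk correctly attributes case-sensitivity to the authentication system. In the second bullet of the second example, "<codeph>Fred</codeph> becomes a case-sensitive authorization identifier" should quote the delimited name Fred! rather than Fred, since that is the value passed in the getConnection call. The closing advice to delimit all user names when the authentication system distinguishes case would land better with its reason stated: without delimiters, two distinct authenticated users whose names differ only by case (e.g. FRed and fred) collapse into the single authorization identifier FRED and therefore share its permissions.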

Propchange: db/derby/docs/trunk/src/security/cseccsecure24458.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/cseccsecure31493.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/cseccsecure31493.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/cseccsecure31493.dita (added)
+++ db/derby/docs/trunk/src/security/cseccsecure31493.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN"
+ "../dtd/concept.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<concept id="cseccsecure31493" xml:lang="en-us">
+<title>Specifying an alternate encryption provider</title>
+<shortdesc>You can specify an alternate provider when you create the database
+with the <codeph>encryptionProvider=<i>providerName</i></codeph>
+attribute.</shortdesc>
+<prolog><metadata>
+<keywords>
+<indexterm>Encryption providers<indexterm>configuring</indexterm></indexterm>
+</keywords>
+</metadata></prolog>
+<conbody>
+<p>You must specify the full package and class name of the provider, and you
+must also add the libraries to the application's classpath.</p>
+<codeblock><b>-- using the the provider library bcprov-jdk15on-147.jar
+-- available from www.bouncycastle.org</b>
+jdbc:derby:encryptedDB3;create=true;dataEncryption=true;
+bootPassword=clo760uds2caPe;
+encryptionProvider=org.bouncycastle.jce.provider.BouncyCastleProvider;
+encryptionAlgorithm=DES/CBC/NoPadding
+
+<b>-- using a provider available from
+-- http://jce.iaik.tugraz.at/sic/Download</b>
+jdbc:derby:encryptedDB3;create=true;dataEncryption=true;
+bootPassword=clo760uds2caPe;
+encryptionProvider=iaik.security.provider.IAIK;
+encryptionAlgorithm=DES/CBC/NoPadding</codeblock>
+</conbody>
+</concept>
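Review bot: both provider examples use encryptionAlgorithm=DES/CBC/NoPadding, while the encryptionKey example in cseccsecure60146.dita in this same commit uses AES/CBC/NoPadding; since these URLs are what readers copy, switch the provider examples to AES so the documentation does not steer new databases onto the older 56-bit cipher. Typo in the first comment line of the codeblock: "using the the provider library". The same comment pins bcprov-jdk15on-147.jar, which will go stale quickly; name the library without the version or say it is simply the release current when the page was written.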

Propchange: db/derby/docs/trunk/src/security/cseccsecure31493.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/cseccsecure37241.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/cseccsecure37241.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/cseccsecure37241.dita (added)
+++ db/derby/docs/trunk/src/security/cseccsecure37241.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN"
+ "../dtd/concept.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<concept id="cseccsecure37241" xml:lang="en-us">
+<title>Users and authorization identifiers</title>
+<shortdesc>User names within the
+<ph conref="../conrefs.dita#prod/productshortname"></ph> system are known as
+<i>authorization identifiers</i>. The authorization identifier is a string
+that represents the name of the user, if one was provided in the connection
+request.</shortdesc>
+<prolog><metadata>
+<keywords><indexterm>authorization identifiers</indexterm></keywords>
+</metadata></prolog>
+<conbody>
+<p>For example, the built-in function CURRENT_USER returns the authorization
+identifier for the current user.</p>
+<p>Once the authorization identifier is passed to the
+<ph conref="../conrefs.dita#prod/productshortname"></ph> system, it becomes an
+<codeph><i>SQL92Identifier</i></codeph>. An
+<codeph><i>SQL92Identifier</i></codeph> -- the kind of identifier that
+represents database objects such as tables and columns -- is case-insensitive
+(it is converted to all caps) unless it is delimited with double quotes,
+is limited to 128 characters, and has other limitations.</p>
+<p>User names must be valid authorization identifiers even if user
+authentication is turned off, and even if all users are allowed access to all
+databases.</p>
+<p>For more information about <codeph><i>SQL92Identifiers</i></codeph>, see the
+<ph conref="../conrefs.dita#pub/citref"></ph>.</p>
+</conbody>
+</concept>
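Review bot: the shortdesc says the authorization identifier represents the user's name "if one was provided in the connection request" but never states what the identifier is when no user name is provided; that default matters because the third paragraph says user names must be valid authorization identifiers even when authentication is off. The description of SQL92Identifier ends with "and has other limitations", which gives a reader nothing to check a user name against; either list the limitations that affect user names or drop the phrase and rely on the xref to the reference manual in the last paragraph. Style: the double hyphens used as dashes in the second paragraph come through literally in DITA output; use the proper entity or rephrase the sentence.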

Propchange: db/derby/docs/trunk/src/security/cseccsecure37241.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/cseccsecure41285.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/cseccsecure41285.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/cseccsecure41285.dita (added)
+++ db/derby/docs/trunk/src/security/cseccsecure41285.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN"
+ "../dtd/concept.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<concept id="cseccsecure41285" xml:lang="en-us">
+<title>Configuring LDAP authentication</title>
+<shortdesc>You can allow
+<ph conref="../conrefs.dita#prod/productshortname"></ph> to authenticate users
+against an existing LDAP directory service within your enterprise. LDAP
+(lightweight directory access protocol) provides an open directory access
+protocol running over TCP/IP. An LDAP directory service can quickly authenticate
+a user's name and password.</shortdesc>
+<prolog><metadata>
+<keywords><indexterm>LDAP directory services<indexterm>used to provide user
+authentication</indexterm></indexterm></keywords>
+</metadata></prolog>
+<conbody>
+<p>The runtime library provided with the Java Development Kit (JDK) includes
+libraries that allow you to access an LDAP directory service. See the API
+documentation for the <codeph>javax.naming.ldap</codeph> package at
+<xref format="html" href="http://docs.oracle.com/javase/8/docs/api/" 
+scope="external"/>, the LDAP section of the JNDI tutorial at
+<xref format="html" href="http://docs.oracle.com/javase/tutorial/jndi/ldap/" 
+scope="external"/>, and the LDAP section of the JNDI specification at
+<xref format="html" href="http://docs.oracle.com/javase/1.5.0/docs/guide/jndi/spec/jndi/jndi.5.html#pgfId=999241"
+scope="external"/>.
+</p>
+<p>To use an LDAP directory service, set
+<codeph>derby.authentication.provider</codeph> to <codeph>LDAP</codeph> and
+specify appropriate permissions in your security policy file (see
+<xref href="csecjavasecurity.dita"/>.</p>
+<p>This section describes how to authenticate users with the OpenDS LDAP
+server.</p>
+</conbody>
+</concept>
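Review bot: unbalanced parenthesis in the second body paragraph: "(see <xref href="csecjavasecurity.dita"/>." lacks its closing ")". The three external links point at different Java releases (javase/8 for the API documentation and the tutorial, javase/1.5.0 for the JNDI specification); if the 1.5.0 URL is the only place that specification lives, say so, otherwise update it to match the others. The final paragraph promises that "This section describes how to authenticate users with the OpenDS LDAP server", but the topic body contains no OpenDS material, so it presumably lives in child topics; an xref to them or wording such as "the following topics" would make the promise checkable.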

Propchange: db/derby/docs/trunk/src/security/cseccsecure41285.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/cseccsecure42374.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/cseccsecure42374.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/cseccsecure42374.dita (added)
+++ db/derby/docs/trunk/src/security/cseccsecure42374.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,111 @@
+<?xml version="1.0" encoding="utf-8"?>
+ 
+<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN"
+ "../dtd/concept.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<concept id="cseccsecure42374" xml:lang="en-us">
+<title>Configuring user authentication</title>
+<shortdesc>By default, <ph conref="../conrefs.dita#prod/productshortname"></ph> runs
+without any credentials checking. This situation may be fine for many
+shrink-wrapped, embedded applications. However, it means that anyone can connect
+to an unsecured database and steal or corrupt the data there. Fortunately, it's
+easy to frustrate these attacks by requiring authentication.</shortdesc>
+<prolog><metadata>
+<keywords>
+<indexterm>user authentication<indexterm>overview</indexterm></indexterm>
+<indexterm>authentication<indexterm>users, overview</indexterm></indexterm>
+</keywords>
+</metadata></prolog>
+<conbody>
+<p><ph conref="../conrefs.dita#prod/productshortname"></ph> provides support for
+user authentication and user authorization. <i>User authentication</i>
+determines whether a user is a valid user. It establishes the user's identity.
+<i>User authorization</i> determines what operations a user's established
+identity can perform. You are strongly urged to implement both authentication
+and authorization on any multi-user database used in production.</p>
+<p>When user authentication is enabled, 
+the user that requests a connection must provide a valid name and password,
+which <ph conref="../conrefs.dita#prod/productshortname"></ph> verifies against
+the repository of users defined for the system. After
+<ph conref="../conrefs.dita#prod/productshortname"></ph> authenticates the user
+as valid, <xref href="csecauthorization.dita#csecauthorization">user
+authorization</xref> determines what operations the user can perform on the
+database to which the user is requesting a connection.</p>
+<p><ph conref="../conrefs.dita#prod/productshortname"></ph> supports three
+kinds of authentication schemes:</p>
+<dl>
+<dlentry>
+<dt>LDAP</dt>
+<dd>In this scheme, the customer points
+<ph conref="../conrefs.dita#prod/productshortname"></ph> at an external LDAP
+directory service. The customer manages users with the external LDAP service,
+and <ph conref="../conrefs.dita#prod/productshortname"></ph> retrieves
+credentials from LDAP. See
+<xref href="cseccsecure41285.dita"/> for more
+information.</dd>
+</dlentry>
+<dlentry>
+<dt>NATIVE</dt>
+<dd>In this scheme, user names and passwords are stored in a
+<ph conref="../conrefs.dita#prod/productshortname"></ph> database. See
+<xref href="cseccsecurenativeauth.dita"/> for details.</dd>
+</dlentry>
+<dlentry>
+<dt>User-defined</dt>
+<dd>In this scheme, the customer provides all of the logic needed to
+authenticate users. See <xref href="cseccsecure21561.dita"/> for more
+information.</dd>
+</dlentry>
+</dl>
+<p>You can define a repository of users for a particular database or for an
+entire system, depending on whether you use system-wide or database-wide
+properties.</p>
+<p>A directory service stores names and attributes of those names. A typical use
+for a directory service is to store user names and passwords for a computer
+system. <ph conref="../conrefs.dita#prod/productshortname"></ph> uses the Java
+Naming and Directory Interface (JNDI) to interact with external directory
+services that can provide authentication of users' names and passwords.</p>
+<p>When <ph conref="../conrefs.dita#prod/productshortname"></ph> user
+authentication is enabled and
+<ph conref="../conrefs.dita#prod/productshortname"></ph> uses
+an external directory service, the architecture looks something like that
+shown in the following figure. The application can be a single-user application
+with an embedded <ph conref="../conrefs.dita#prod/productshortname"></ph> engine
+or a multi-user application server.</p>
+<fig expanse="column"><title><ph conref="../conrefs.dita#prod/productshortname"></ph>
+user authentication using an external service</title>
+<image href="authentic_os.gif" placement="break"><alt>This figure shows how an application passes Derby user authentication through an external directory service before access to a Derby database is allowed.</alt>
+</image>
+</fig>
+<p><ph conref="../conrefs.dita#prod/productshortname"></ph> always runs embedded
+in another Java application, whether that application is a single-user application
+or a multiple-user application server or connectivity framework. </p>
+<p>A database can be accessed by only one JVM at a time, so it is possible
+to deploy a system in which the application in which <ph conref="../conrefs.dita#prod/productshortname"></ph> is
+embedded, not <ph conref="../conrefs.dita#prod/productshortname"></ph>, handles
+the user authentication by connecting to an external directory service. The
+application can be a single-user application with an embedded
+<ph conref="../conrefs.dita#prod/productshortname"></ph> engine or a multi-user
+application server. The following figure shows this kind of deployment.</p>
+<fig expanse="column"><title>Application user authentication using an external
+service</title>
+<image href="appauth_os.gif" placement="break"><alt>This figure shows how an external directory service provides application user authentication before access to a Derby database is allowed.</alt>
+</image>
+</fig>
+</conbody>
+</concept>
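Review bot: the definition list of the three schemes never gives the derby.authentication.provider value for each entry; only the LDAP topic in this commit (cseccsecure41285.dita) says to set it to LDAP, and the user-defined topic says to set it to a class name. Putting the value in each dlentry (LDAP, NATIVE, fully qualified class name) would make this overview usable on its own. The "When user authentication is enabled" paragraph likewise does not say which property enables authentication, nor link to it, so a reader starting here has no way to turn it on. The last deployment paragraph ("A database can be accessed by only one JVM at a time, so it is possible to deploy a system in which the application ... handles the user authentication") should spell out the consequence: in that model Derby performs no credential check of its own, so everything that can reach the embedded engine inside that JVM is trusted and the protection is exactly as strong as the application's own gate.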

Propchange: db/derby/docs/trunk/src/security/cseccsecure42374.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/cseccsecure60146.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/cseccsecure60146.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/cseccsecure60146.dita (added)
+++ db/derby/docs/trunk/src/security/cseccsecure60146.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN"
+ "../dtd/concept.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<concept id="cseccsecure60146" xml:lang="en-us">
+<title>Booting an encrypted database</title>
+<shortdesc>If you create an encrypted database using the
+<codeph>bootPassword=<i>key</i></codeph> attribute, you must specify the boot
+password to reboot the database. If you create an encrypted database using the
+<codeph>encryptionKey=<i>key</i></codeph> attribute, you must specify the
+encryption key to reboot the database.</shortdesc>
+<prolog><metadata>
+<keywords>
+<indexterm>encrypted databases<indexterm>booting</indexterm></indexterm>
+</keywords>
+</metadata></prolog>
+<conbody>
+<p>Encrypted databases cannot be booted automatically along with all other
+system databases on system startup (see "<codeph>derby.system.bootAll</codeph>"
+in the <ph conref="../conrefs.dita#pub/citref"></ph>). Instead, you boot an
+encrypted database when you first connect to the database.</p>
+<p><dl><dlentry>
+<dt>Booting a database with the <codeph>bootPassword=<i>key</i></codeph>
+attribute</dt>
+<dd>To access an encrypted database called <codeph>wombat</codeph> that was
+created with the boot password <codeph>clo760uds2caPe</codeph>, use the
+following connection URL:
+<codeblock>jdbc:derby:wombat;bootPassword=clo760uds2caPe</codeblock></dd>
+</dlentry><dlentry>
+<dt>Booting a database with the <codeph>encryptionKey=<i>key</i></codeph>
+attribute</dt>
+<dd>To access an encrypted database called <codeph>flintstone</codeph> that
+was created with the attributes
+<codeph>encryptionKey=c566bab9ee8b62a5ddb4d9229224c678</codeph> and
+<codeph>encryptionAlgorithm=AES/CBC/NoPadding</codeph>, use the following
+connection URL:
+<codeblock>jdbc:derby:flintstone;encryptionKey=c566bab9ee8b62a5ddb4d9229224c678</codeblock></dd>
+</dlentry></dl></p>
+<p>After the database is booted, all connections can access the database without
+the boot password. Only a connection that boots the database requires the
+key.</p>
+<p>For example, the following connections would boot the database and require
+the boot password or encryption key, depending on what mechanism was used to
+encrypt the database originally:<ul>
+<li>The first connection to the database in the JVM session</li>
+<li>The first connection to the database after the database has been explicitly
+shut down</li>
+<li>The first connection to the database after the system has been shut down and
+then rebooted</li>
+</ul></p>
+<note>The boot password and the encryption key are not meant to prevent
+unauthorized connections to the database after the database is booted. To
+protect a database after it has been booted, turn on user authentication (see
+<xref href="cseccsecure42374.dita"/>).</note>
+</conbody>
+</concept>
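Review bot: the `encryptionKey` example `jdbc:derby:flintstone;encryptionKey=c566bab9ee8b62a5ddb4d9229224c678` never says how the key is encoded or how long it must be, so a reader copying the pattern for another algorithm has nothing to go on; state next to the example that the value is a hexadecimal string whose decoded length must match the cipher's key size (here 32 hex digits, a 128-bit AES key). Also worth a sentence: because the boot password or key travels in the connection URL, anything that records connection URLs (application logs, shell history when the URL is typed into ij) captures it, so the value should come from protected configuration rather than a literal string. The closing `<note>` correctly says the boot password does not protect a booted database, but it names only the boot password; the same applies to the `encryptionKey` form and the note should say so.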

Propchange: db/derby/docs/trunk/src/security/cseccsecure60146.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/cseccsecure67151.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/cseccsecure67151.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/cseccsecure67151.dita (added)
+++ db/derby/docs/trunk/src/security/cseccsecure67151.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,79 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN"
+ "../dtd/concept.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<concept id="cseccsecure67151" xml:lang="en-us">
+<title>Specifying an alternate encryption algorithm</title>
+<shortdesc><ph conref="../conrefs.dita#prod/productshortname"></ph> supports
+the following encryption algorithms.</shortdesc>
+<prolog><metadata>
+<keywords>
+<indexterm>Encryption algorithms<indexterm>configuring</indexterm></indexterm>
+</keywords>
+</metadata></prolog>
+<conbody>
+<ul>
+<li>DES (the default)</li>
+<li>DESede (also known as triple DES)</li>
+<li>Any encryption algorithm that fulfills the following requirements:
+<ul>
+<li>It is symmetric</li>
+<li>It is a block cipher, with a block size of 8 bytes</li>
+<li>It uses the <codeph>NoPadding</codeph> padding scheme</li>
+<li>Its secret key can be represented as an arbitrary byte array</li>
+<li>It requires exactly one initialization parameter, an initialization vector
+of type <codeph>javax.crypto.spec.IvParameterSpec</codeph></li>
+<li>It can use <codeph>javax.crypto.spec.SecretKeySpec</codeph> to represent its
+key</li>
+</ul>
+<p>For example, the algorithm <codeph>Blowfish</codeph> implemented in the
+Java Cryptography Extension (JCE) packages (<codeph>javax.crypto.*</codeph>)
+fulfills these requirements.</p></li>
+</ul>
+<p>By Java convention, an encryption algorithm is specified like this:</p>
+<codeblock><b><i>algorithmName</i>/<i>feedbackMode</i>/<i>padding</i></b></codeblock>
+<p>The only feedback modes allowed are:</p>
+<ul>
+<li>CBC</li>
+<li>CFB</li>
+<li>ECB</li>
+<li>OFB</li>
+</ul>
+<p>The only padding mode allowed is <codeph>NoPadding</codeph>.</p>
+<p>By default, <ph conref="../conrefs.dita#prod/productshortname"></ph> uses
+the DES algorithm of <codeph>DES/CBC/NoPadding</codeph>.</p>
+<p>To specify an alternate encryption algorithm when you create a database, use
+the <codeph>encryptionAlgorithm=<i>algorithm</i></codeph> attribute. If the
+algorithm you specify is not supported by the provider you have specified,
+<ph conref="../conrefs.dita#prod/productshortname"></ph> throws an
+exception.</p>
+<p>To specify the AES encryption algorithm with a key length other than the
+default of 128, specify the <codeph>encryptionKeyLength=<i>length</i></codeph>
+attribute. For example, you might specify the following connection
+attributes:</p>
+<codeblock>jdbc:derby:encdbcbc_192;create=true;dataEncryption=true;
+encryptionKeyLength=192;encryptionAlgorithm=AES/CBC/NoPadding;
+bootPassword=Thursday</codeblock>
+<p>To use the AES algorithm with a key length of 192 or 256, you must use 
+unrestricted policy jar files for your JRE. You can obtain these files from your
+Java provider. They might have a name like "Java Cryptography Extension (JCE)
+Unlimited Strength Jurisdiction Policy Files." If you specify a non-default key
+length using the default policy jar files, a Java exception occurs.</p>
+</conbody>
+</concept>
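Review bot: the requirement list says an acceptable algorithm "is a block cipher, with a block size of 8 bytes", but the same topic goes on to document `encryptionAlgorithm=AES/CBC/NoPadding` with 128-, 192- and 256-bit keys, and AES has a 16-byte block, so one of the two statements is wrong; either relax the requirement to the block sizes Derby actually accepts or drop the number. Separately, the topic presents DES as the default (`<li>DES (the default)</li>` and "By default, Derby uses the DES algorithm of DES/CBC/NoPadding") and lists ECB among the allowed feedback modes without comment. Since this is the security guide, add a sentence recommending AES/CBC over the 56-bit DES default for new databases and noting that ECB reveals which plaintext blocks are equal, so it should not be chosen.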

Propchange: db/derby/docs/trunk/src/security/cseccsecure67151.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/cseccsecure79358.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/cseccsecure79358.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/cseccsecure79358.dita (added)
+++ db/derby/docs/trunk/src/security/cseccsecure79358.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,67 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN"
+ "../dtd/concept.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<concept id="cseccsecure79358" xml:lang="en-us">
+<title>Programming applications for
+<ph conref="../conrefs.dita#prod/productshortname"></ph> user
+authentication</title>
+<shortdesc>To program user authentication into
+<ph conref="../conrefs.dita#prod/productshortname"></ph>
+applications, use the <codeph>DriverManager.getConnection</codeph> call to
+specify the user name and password.</shortdesc>
+<prolog><metadata>
+<keywords><indexterm>user authentication<indexterm>programming applications
+for</indexterm></indexterm>
+<indexterm>user names<indexterm>providing</indexterm></indexterm>
+<indexterm>passwords<indexterm>providing</indexterm></indexterm>
+<indexterm>passwords<indexterm>no encryption of</indexterm></indexterm></keywords>
+</metadata></prolog>
+<conbody>
+<section><p>An application can provide the user name and password in the
+following ways.</p>
+<ul>
+<li>Separately, as arguments to the following signature of the method:
+<codeph>getConnection(String url, String user, String password)</codeph>
+<codeblock>Connection conn = DriverManager.getConnection(
+    "jdbc:derby:myDB", "mary", "little7xylamb");</codeblock></li>
+<li>As attributes to the database connection URL:
+<codeblock>Connection conn = DriverManager.getConnection(
+    "jdbc:derby:myDB;user=mary;password=little7xylamb");</codeblock></li>
+<li>By setting the <codeph>user</codeph> and <codeph>password</codeph>
+properties in a <codeph>Properties</codeph> object as with other connection URL
+attributes:
+<codeblock>Properties p = new Properties();
+p.put("user", "mary");
+p.put("password", "little7xylamb");
+Connection conn = DriverManager.getConnection(
+    "jdbc:derby:myDB", p);</codeblock></li>
+</ul>
+<note>The password is not encrypted. When you are using
+<ph conref="../conrefs.dita#prod/productshortname"></ph> in the context of a
+server framework, the framework should be responsible for encrypting the
+password across the network. If your framework does not encrypt the password, it
+is strongly recommended that you protect network connections with
+SSL/TLS (see <xref href="csecssl.dita"/>).</note>
+<p>For information about the treatment of user names within the <ph
+conref="../conrefs.dita#prod/productshortname"></ph> system, see
+<xref href="cseccsecure37241.dita"/>.</p>
+</section>
+</conbody>
+</concept>
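Review bot: two of the three snippets hard-code the password into a string that is likely to be logged: `"jdbc:derby:myDB;user=mary;password=little7xylamb"` puts the credential into the connection URL, which drivers and application logs routinely echo, and the `Properties` variant keeps it in a plain `String` literal. The topic should say that the separate-arguments form `getConnection(String url, String user, String password)`, or the `Properties` form populated from protected configuration, is preferred for that reason, and that a literal password in source is for illustration only. The `<note>` that "The password is not encrypted" is the key statement of the topic and would be stronger as the opening paragraph rather than trailing the examples; "the framework should be responsible for encrypting the password across the network" should also say what that means in practice, namely the SSL/TLS setup already cross-referenced in `csecssl.dita` whenever the server is reachable from another host.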

Propchange: db/derby/docs/trunk/src/security/cseccsecure79358.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/cseccsecure863446.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/cseccsecure863446.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/cseccsecure863446.dita (added)
+++ db/derby/docs/trunk/src/security/cseccsecure863446.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,76 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN"
+ "../dtd/concept.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<concept id="cseccsecure863446" xml:lang="en-us">
+<title>Setting up <ph conref="../conrefs.dita#prod/productshortname"></ph> to
+use your LDAP directory service</title>
+<shortdesc>When specifying LDAP as your authentication service, you must specify
+what LDAP server to use.</shortdesc>
+<prolog></prolog>
+<conbody>
+<p>To connect to the OpenDS LDAP server, add the following lines to your
+<ph conref="../conrefs.dita#prod/productshortname"></ph> configuration file,
+<codeph>derby.properties</codeph>. You may also want to store these properties
+in your database and lock them down by setting the
+<codeph>derby.database.propertiesOnly</codeph> property (see
+<xref href="csecauthorcoarse.dita"/> for an example of how to lock down
+database properties):</p>
+<codeblock>derby.connection.requireAuthentication=true
+derby.authentication.server=ldap://127.0.0.1:1389
+derby.authentication.provider=LDAP
+derby.authentication.ldap.searchAuthPW=<i>YOUR_SELECTED_PASSWORD</i>
+derby.authentication.ldap.searchAuthDN=cn=Directory Manager
+derby.authentication.ldap.searchBase=dc=example,dc=com
+derby.authentication.ldap.searchFilter=objectClass=person</codeblock>
+<p>Finally, start <codeph>ij</codeph> in the directory where you created your
+<codeph>derby.properties</codeph> (this ensures that embedded
+<ph conref="../conrefs.dita#prod/productshortname"></ph> will come up with the
+authentication settings listed above). Run the following commands:</p>
+<codeblock><b>java org.apache.derby.tools.ij</b>
+ij version 10.11
+ij> <b>connect 'jdbc:derby:testdb;create=true;user=tquist;password=tquist';</b></codeblock>
+<p>Verify that authentication works by trying to connect again, this time with
+bad credentials:</p>
+<codeblock><b>java org.apache.derby.tools.ij</b>
+ij version 10.11
+ij> <b>connect 'jdbc:derby:testdb;create=true;user=tquist;password=badpassword';</b>
+ERROR 08004: Connection authentication failure occurred. Reason: Invalid authentication...</codeblock>
+<p>When you set the property <codeph>derby.authentication.server</codeph>, you
+can specify the LDAP server using just the server name, the server name and its
+port number separated by a colon, or an <codeph>ldap</codeph> URL as shown in
+the example. If you do not provide a full URL,
+<ph conref="../conrefs.dita#prod/productshortname"></ph> will by default use
+unencrypted LDAP. To use SSL encrypted LDAP, specify a URL that starts with
+<codeph>ldaps://</codeph>. For details on the
+<codeph>derby.authentication.server</codeph> and
+<codeph>derby.authentication.provider</codeph> properties, see the
+<ph conref="../conrefs.dita#pub/citref"></ph>.</p>
+<p><note>If you run Java DB under a Java security manager, your policy file will
+need to grant <ph conref="../conrefs.dita#prod/productshortname"></ph> the
+privilege to connect to the LDAP server. To see how to do this, consult the 
+policy file shown in <xref href="rsecpolicysample.dita"/>.
+Specifically, you will need to grant <codeph>java.net.SocketPermission</codeph>
+to <codeph>derby.jar</codeph>, so that the
+<ph conref="../conrefs.dita#prod/productshortname"></ph> code is allowed to
+contact the LDAP server to perform the authentication. See 
+<xref href="csecembeddedperms.dita#csecembeddedperms"/> for more
+information.</note></p>
+</conbody>
+</concept>
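Review bot: the sample configuration binds Derby to the directory as `derby.authentication.ldap.searchAuthDN=cn=Directory Manager`, which in OpenDS is the root administrative account, and stores that account's password in cleartext in `derby.properties` (`derby.authentication.ldap.searchAuthPW=YOUR_SELECTED_PASSWORD`); a compromise of the Derby host then hands over the whole directory. The example should use a dedicated read-only search account limited to lookups under `dc=example,dc=com`, and the text should say that the properties file (or the database, if the properties are stored there) must be readable only by the account running Derby. The URL `ldap://127.0.0.1:1389` is unencrypted; since the later paragraph already explains `ldaps://`, either use it in the sample or state that with plain `ldap://` each user's password is sent to the directory in the clear on every connection attempt. The negative test with `password=badpassword` is a good check; showing a non-existent user being rejected as well would let the reader confirm the decision really comes from the directory and not from a local user list.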

Propchange: db/derby/docs/trunk/src/security/cseccsecure863446.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/cseccsecure863546.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/cseccsecure863546.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/cseccsecure863546.dita (added)
+++ db/derby/docs/trunk/src/security/cseccsecure863546.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN"
+ "../dtd/concept.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<concept id="cseccsecure863546" xml:lang="en-us">
+<title>LDAP performance issues</title>
+<shortdesc>For performance reasons, the LDAP directory server should be in
+the same LAN as <ph conref="../conrefs.dita#prod/productshortname"></ph>. <ph
+conref="../conrefs.dita#prod/productshortname"></ph> does not cache the user's
+credential information locally and thus must connect to the directory server
+every time a user connects.</shortdesc>
+<prolog></prolog>
+<conbody>
+<p>Connection requests that provide the full DN are faster than those that
+must search for the full DN.</p>
+</conbody>
+</concept>
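Review bot: "Connection requests that provide the full DN are faster than those that must search for the full DN" does not say how a connection request provides a DN, so the reader cannot act on it; add a cross-reference to the topic describing how the search is bypassed (the setup topic's `derby.authentication.ldap.searchFilter` is where that is configured). It also follows from "does not cache the user's credential information locally" that every authentication attempt is a live bind against the directory, so a slow or unreachable directory server blocks all logins and a burst of bad-password attempts becomes a burst of binds; that consequence for availability and for the directory's lockout policy is worth stating here rather than leaving it as a pure performance remark.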

Propchange: db/derby/docs/trunk/src/security/cseccsecure863546.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/cseccsecure863676.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/cseccsecure863676.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/cseccsecure863676.dita (added)
+++ db/derby/docs/trunk/src/security/cseccsecure863676.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN"
+ "../dtd/concept.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<concept id="cseccsecure863676" xml:lang="en-us">
+<title>LDAP restrictions</title>
+<shortdesc><ph conref="../conrefs.dita#prod/productshortname"></ph> does not
+support LDAP groups.</shortdesc>
+<prolog></prolog>
+<conbody></conbody>
+</concept>
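Review bot: the topic has an empty `<conbody></conbody>` and only the one-line shortdesc "does not support LDAP groups". At minimum spell out the consequence for an administrator: access cannot be granted to an LDAP group, so each user must be named individually in Derby's own access properties (`derby.database.fullAccessUsers` and the related properties covered in the connection-access-mode topic), and those lists have to be kept in step with the directory by hand.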

Propchange: db/derby/docs/trunk/src/security/cseccsecure863676.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/cseccsecure864242.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/cseccsecure864242.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/cseccsecure864242.dita (added)
+++ db/derby/docs/trunk/src/security/cseccsecure864242.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="utf-8"?>
+ 
+<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN"
+ "../dtd/concept.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<concept id="cseccsecure864242" xml:lang="en-us">
+<title>JNDI-specific properties for external directory services</title>
+<shortdesc><ph conref="../conrefs.dita#prod/productshortname"></ph> allows you
+to set a few advanced JNDI properties, which you can set in any of the supported
+ways of setting <ph conref="../conrefs.dita#prod/productshortname"></ph>
+properties. Typically you would set these at the same level (database or system)
+for which you configured the external authentication service.</shortdesc>
+<prolog><metadata>
+<keywords>
+<indexterm>JNDI properties<indexterm>setting</indexterm></indexterm>
+<indexterm>user authentication<indexterm>JNDI properties, setting</indexterm></indexterm>
+<indexterm>external authentication<indexterm>JNDI properties, setting</indexterm></indexterm>
+</keywords>
+</metadata></prolog>
+<conbody>
+<p>The list of supported properties can be found in "Appendix A: JNDI Standard
+Environment Properties" in the Java Naming and Directory API at 
+<xref format="html" 
+href="http://docs.oracle.com/javase/1.5.0/docs/guide/jndi/spec/jndi/properties.html"
+scope="external"/>. The external directory service must support the
+property.</p>
+<p>Each JNDI provider has its set of properties that you can set within the <ph
+conref="../conrefs.dita#prod/productshortname"></ph> system.</p>
+<p>For example, you can set the property
+<codeph>java.naming.security.authentication</codeph> to allow user credentials
+to be encrypted on the network if the provider supports it. You can also specify
+that SSL be used with LDAP (LDAPS).</p>
+</conbody>
+</concept>
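Review bot: the sentence "you can set the property java.naming.security.authentication to allow user credentials to be encrypted on the network if the provider supports it" is too vague to act on. That property selects the bind authentication type (`none`, `simple`, or a SASL mechanism name such as `DIGEST-MD5`), and only a SASL mechanism avoids a simple bind that sends the password in the clear; name the values and the trade-off, and say plainly that `ldaps://` is the dependable way to protect the credential regardless of mechanism. The external link `http://docs.oracle.com/javase/1.5.0/docs/guide/jndi/spec/jndi/properties.html` points at the Java 5 documentation and should be updated to the current JNDI reference.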

Propchange: db/derby/docs/trunk/src/security/cseccsecure864242.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/cseccsecure865580.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/cseccsecure865580.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/cseccsecure865580.dita (added)
+++ db/derby/docs/trunk/src/security/cseccsecure865580.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,29 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN"
+ "../dtd/concept.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<concept id="cseccsecure865580" xml:lang="en-us">
+<title>User names and schemas</title>
+<shortdesc>User names can affect a user's default schema.</shortdesc>
+<prolog></prolog>
+<conbody>
+<p>For information about user names and schemas, see "SET SCHEMA statement"
+in the <cite><ph conref="../conrefs.dita#pub/citref"></ph></cite><cite>.</cite></p>
+</conbody>
+</concept>
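Review bot: the closing markup `<cite><ph conref="../conrefs.dita#pub/citref"></ph></cite><cite>.</cite>` wraps the trailing period in its own `<cite>` element, which renders the period in citation style and looks like an editing leftover; move the period outside, i.e. `<cite><ph conref="../conrefs.dita#pub/citref"></ph></cite>.`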

Propchange: db/derby/docs/trunk/src/security/cseccsecure865580.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/cseccsecure865818.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/cseccsecure865818.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/cseccsecure865818.dita (added)
+++ db/derby/docs/trunk/src/security/cseccsecure865818.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="utf-8"?>
+ 
+<!DOCTYPE concept PUBLIC "-//OASIS//DTD DITA Concept//EN"
+ "../dtd/concept.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<concept id="cseccsecure865818" xml:lang="en-us">
+<title>Setting the default connection access mode</title>
+<shortdesc>You can use the <codeph>derby.database.defaultConnectionMode</codeph>
+property to specify the default type of access that users have when they connect
+to the database.</shortdesc>
+<prolog><metadata>
+<keywords>
+<indexterm>databases<indexterm>controlling access to</indexterm></indexterm>
+<indexterm>derby.database.ConnectionMode property</indexterm>
+<indexterm><indexterm>properties</indexterm>defaultConnectionMode</indexterm>
+</keywords>
+</metadata></prolog>
+<conbody>
+<p>The valid settings for the
+<codeph>derby.database.defaultConnectionMode</codeph> property are:<ul>
+<li><codeph>noAccess</codeph></li>
+<li><codeph>readOnlyAccess</codeph></li>
+<li><codeph>fullAccess</codeph></li>
+</ul></p>
+<p>If you do not specify a setting for the
+<codeph>derby.database.defaultConnectionMode</codeph> property, the default
+access setting is <codeph>fullAccess</codeph>.</p>
+<p>To set the default connection access mode, specify the access in a CALL
+statement. For example:</p>
+<p>To specify read-write access for the System Administrator user ID
+<codeph>sa</codeph> and read-only access as the default for anyone else who
+connects to the database, issue these CALL statements:
+<codeblock>CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(
+    'derby.database.fullAccessUsers', 'sa')
+
+CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(
+    'derby.database.defaultConnectionMode',
+    'readOnlyAccess')
+</codeblock></p>
+<p>To specify read-write access for the user ID Fred and no access for other
+users, issue these CALL statements:</p>
+<codeblock>CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(
+    'derby.database.fullAccessUsers', 'Fred')
+
+CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(
+    'derby.database.defaultConnectionMode',
+    'noAccess')
+</codeblock>
+</conbody>
+</concept>
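Review bot: the topic states that the default is `fullAccess`, which means turning on authentication alone leaves every authenticated user with read-write access to every database; for a security guide that should be stated as a recommendation, i.e. set `derby.database.defaultConnectionMode` to `noAccess` (or `readOnlyAccess`) and list the intended users in `derby.database.fullAccessUsers`, exactly as the second example does. Two smaller problems: the paragraph "To set the default connection access mode, specify the access in a CALL statement. For example:" ends in a dangling colon and is followed by a new paragraph rather than the example, so the two paragraphs should be merged; and the index entries are off, since `<indexterm>derby.database.ConnectionMode property</indexterm>` names a property that does not exist (it should be `defaultConnectionMode`) and `<indexterm><indexterm>properties</indexterm>defaultConnectionMode</indexterm>` nests the terms backwards compared with the other topics, which put the main term first and the sub-term inside.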

Propchange: db/derby/docs/trunk/src/security/cseccsecure865818.dita
------------------------------------------------------------------------------
    svn:eol-style = native


