db-derby-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From chaa...@apache.org
Subject svn commit: r1596037 [9/13] - in /db/derby/docs/trunk: ./ src/security/
Date Mon, 19 May 2014 20:09:36 GMT
Added: db/derby/docs/trunk/src/security/rsecexudclass.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/rsecexudclass.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/rsecexudclass.dita (added)
+++ db/derby/docs/trunk/src/security/rsecexudclass.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,149 @@
+<?xml version="1.0" encoding="utf-8"?>
+ 
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DITA Reference//EN"
+ "../dtd/reference.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<reference id="rsecexudclass" xml:lang="en-us">
+<title>Example of setting a user-defined class</title>
+<shortdesc>This is a very simple example of a class that implements the
+<codeph>org.apache.derby.authentication.UserAuthenticator </codeph>
+interface.</shortdesc>
+<prolog><metadata>
+<keywords>
+<indexterm>user-defined classes<indexterm>setting</indexterm></indexterm>
+</keywords>
+</metadata></prolog>
+<refbody>
+<example> <codeblock>import org.apache.derby.authentication.UserAuthenticator;
+import java.io.FileInputStream;
+import java.util.Properties;
+import java.sql.SQLException;
+<b>/**
+  * A simple example of a specialized Authentication scheme.
+  * The system property 'derby.connection.requireAuthentication'
+  * must be set to true, and 'derby.authentication.provider' must
+  * contain the full class name of the overridden authentication
+  * scheme, (that is, the name of this class).
+  *
+  * @see org.apache.derby.authentication.UserAuthenticator 
+  */</b>
+public class MyAuthenticationSchemeImpl implements
+        UserAuthenticator {
+    private static final String USERS_CONFIG_FILE = "myUsers.cfg";
+    private static Properties usersConfig;
+
+   <b> // Constructor
+    // We get passed some Users properties if the 
+    // authentication service could not set them as 
+    // part of the System properties.
+    //</b>
+    public MyAuthenticationSchemeImpl() {
+    }
+
+<b>    /* Static block where we load the users definition from a
+       users configuration file. */</b>
+    static {
+<b>        /* Load users config file as Java properties.
+           File must be in the same directory where
+           <ph conref="../conrefs.dita#prod/productshortname"></ph> is started.
+           Otherwise, full path must be specified. */</b>
+        FileInputStream in = null;
+        usersConfig = new Properties();
+        try {
+            in = new FileInputStream(USERS_CONFIG_FILE);
+            usersConfig.load(in);
+            in.close();
+        } catch (java.io.IOException ie) {
+            <b>// No Config file. Raise error message</b>
+            System.err.println(
+                "WARNING: Error during Users Config file retrieval");
+            System.err.println("Exception: " + ie);
+        }
+    }
+
+<b>    /**
+     * Authenticate the passed-in user's credentials.
+     * A more complex class could make calls
+     * to any external users directory.
+     *
+     * @param userName               The user's name
+     * @param userPassword           The user's password 
+     * @param databaseName           The database 
+     * @param info                   Additional jdbc connection info.
+     * @exception SQLException on failure
+     */</b>
+    public boolean authenticateUser(String userName,
+            String userPassword,
+            String databaseName,
+            Properties info)
+        throws SQLException {
+<b>        /* Specific Authentication scheme logic.
+           If user has been authenticated, then simply return.
+           If user name and/or password are invalid, 
+           then raise the appropriate exception.
+            
+           This example allows only users defined in the
+           users config properties object.
+
+           Check if the passed-in user has been defined for the system.
+           We expect to find and match the property corresponding to
+           the credentials passed in. */</b>
+        if (userName == null)
+           <b> // We do not tolerate 'guest' user for now.</b>
+            return false;
+<b>
+        /* Check if user exists in our users config (file)
+           properties set.
+           If we did not find the user in the users config set, then
+           try to find if the user is defined as a System property. */</b>
+        String actualUserPassword;
+        actualUserPassword = usersConfig.getProperty(userName);
+        if (actualUserPassword == null)
+            actualUserPassword = System.getProperty(userName);
+        if (actualUserPassword == null)
+            <b>// No such passed-in user found</b>
+            return false;
+        <b>// Check if the password matches</b>
+        if (!actualUserPassword.equals(userPassword))
+            return false;
+        <b>// Now, check if the user is a valid user of the database</b>
+        if (databaseName != null) {
+         <b>/* If database users restriction lists are present, then 
+            check if there is one for this database and if so, 
+            check if the user is a valid one for that database.
+            For this example, the only user we authorize in database
+            DarkSide is user 'DarthVader'. This is the only database
+            users restriction list we have for this example.
+            We authorize any valid (login) user to access the
+            OTHER databases in the system.
+            Note that database users ACLs could be set in the same
+            properties file or a separate one and implemented as you
+            wish. */</b>
+            if (databaseName.equals("DarkSide")) {
+                <b>// Check if user is a valid one</b>
+                if (!userName.equals("DarthVader"))
+                    <b>// This user is not a valid one of the passed-in</b>
+                    return false;
+            }
+        }
+        <b>// The user is a valid one in this database</b>
+        return true;
+    }
+}</codeblock></example>
+</refbody>
+</reference>

Propchange: db/derby/docs/trunk/src/security/rsecexudclass.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/rseclicense.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/rseclicense.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/rseclicense.dita (added)
+++ db/derby/docs/trunk/src/security/rseclicense.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,247 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DITA Reference//EN"
+ "../dtd/reference.dtd">
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<!--##### DO NOT CHANGE ANYTHING ABOVE THIS LINE #####-->
+<reference id="rseclicense" xml:lang="en-us">
+<title>License</title>
+<shortdesc></shortdesc>
+<prolog><metadata>
+<keywords><indexterm>Apache<indexterm>license</indexterm></indexterm></keywords>
+</metadata></prolog>
+<refbody>
+<section><title>The Apache License, Version 2.0</title>
+<codeblock>
+                               Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use,
+      reproduction, and distribution as defined by Sections 1 through
+      9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized
+      by the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under
+      common control with that entity. For the purposes of this
+      definition, "control" means (i) the power, direct or indirect,
+      to cause the direction or management of such entity, whether by
+      contract or otherwise, or (ii) ownership of fifty percent (50%)
+      or more of the outstanding shares, or (iii) beneficial ownership
+      of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making
+      modifications, including but not limited to software source code,
+      documentation source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or
+      Object form, that is based on (or derived from) the Work and
+      for which the editorial revisions, annotations, elaborations,
+      or other modifications represent, as a whole, an original work
+      of authorship.  For the purposes of this License, Derivative
+      Works shall not include works that remain separable from, or
+      merely link (or bind by name) to the interfaces of, the Work
+      and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or
+      additions to that Work or Derivative Works thereof, that is
+      intentionally submitted to Licensor for inclusion in the Work
+      by the copyright owner or by an individual or Legal Entity
+      authorized to submit on behalf of the copyright owner. For the
+      purposes of this definition,
+      "submitted" means any form of electronic, verbal, or written
+      communication sent to the Licensor or its representatives,
+      including but not limited to communication on electronic mailing
+      lists, source code control systems, and issue tracking systems
+      that are managed by, or on behalf of, the Licensor for the
+      purpose of discussing and improving the Work, but excluding
+      communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a
+      Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal
+      Entity on behalf of whom a Contribution has been received by
+      Licensor and subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions
+      of this License, each Contributor hereby grants to You a
+      perpetual, worldwide, non-exclusive, no-charge, royalty-free,
+      irrevocable copyright license to reproduce, prepare Derivative
+      Works of, publicly display, publicly perform, sublicense, and
+      distribute the Work and such Derivative Works in Source or
+      Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have
+      made, use, offer to sell, sell, import, and otherwise transfer
+      the Work, where such license applies only to those patent claims
+      licensable by such Contributor that are necessarily infringed by
+      their Contribution(s) alone or by combination of their
+      Contribution(s) with the Work to which such Contribution(s) was
+      submitted. If You institute patent litigation against any entity
+      (including a cross-claim or counterclaim in a lawsuit) alleging
+      that the Work or a Contribution incorporated within the Work
+      constitutes direct or contributory patent infringement, then any
+      patent licenses granted to You under this License for that Work
+      shall terminate as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute
+          must include a readable copy of the attribution notices
+          contained within such NOTICE file, excluding those notices
+          that do not pertain to any part of the Derivative Works, in
+          at least one of the following places: within a NOTICE text
+          file distributed as part of the Derivative Works; within the
+          Source form or documentation, if provided along with the
+          Derivative Works; or, within a display generated by the
+          Derivative Works, if and wherever such third-party notices
+          normally appear. The contents of the NOTICE file are for
+          informational purposes only and do not modify the License.
+          You may add Your own attribution notices within Derivative
+          Works that You distribute, alongside or as an addendum to
+          the NOTICE text from the Work, provided that such additional
+          attribution notices cannot be construed as modifying the
+          License.
+
+      You may add Your own copyright statement to Your modifications
+      and may provide additional or different license terms and
+      conditions for use, reproduction, or distribution of Your
+      modifications, or for any such Derivative Works as a whole,
+      provided Your use, reproduction, and distribution of the Work
+      otherwise complies with the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state
+      otherwise, any Contribution intentionally submitted for
+      inclusion in the Work by You to the Licensor shall be under the
+      terms and conditions of this License, without any additional
+      terms or conditions.  Notwithstanding the above, nothing herein
+      shall supersede or modify the terms of any separate license
+      agreement you may have executed with Licensor regarding such
+      Contributions.
+
+   6. Trademarks. This License does not grant permission to use the
+      trade names, trademarks, service marks, or product names of the
+      Licensor, except as required for reasonable and customary use
+      in describing the origin of the Work and reproducing the content
+      of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or
+      conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or
+      FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for
+      determining the appropriateness of using or redistributing the
+      Work and assume any risks associated with Your exercise of
+      permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and
+      grossly negligent acts) or agreed to in writing, shall any
+      Contributor be liable to You for damages, including any direct,
+      indirect, special, incidental, or consequential damages of any
+      character arising as a result of this License or out of the use
+      or inability to use the Work (including but not limited to
+      damages for loss of goodwill, work stoppage, computer failure or
+      malfunction, or any and all other commercial damages or losses),
+      even if such Contributor has been advised of the possibility of
+      such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by
+      reason of your accepting any such warranty or additional
+      liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied.  See the License for the specific language governing
+   permissions and limitations under the License.
+</codeblock>
+</section>
+</refbody>
+</reference>

Propchange: db/derby/docs/trunk/src/security/rseclicense.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/rsecnetservbasic.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/rsecnetservbasic.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/rsecnetservbasic.dita (added)
+++ db/derby/docs/trunk/src/security/rsecnetservbasic.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,191 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DITA Reference//EN"
+ "../dtd/reference.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<reference id="rsecnetservbasic" xml:lang="en-us">
+<title>Basic security policy template</title>
+<shortdesc>If you start the Network Server without specifying a security
+manager, the Network Server will install a default Java security manager that
+enforces a basic policy.</shortdesc>
+<prolog><metadata>
+<keywords>
+<indexterm>Network Server<indexterm>basic policy</indexterm></indexterm>
+</keywords>
+</metadata></prolog>
+<refbody>
+<section>
+<p> Note that the Network Server attempts to install a security manager only if
+you boot the server as the entry point of your VM. The Network Server will not
+attempt to install a security manager if you start the server from your
+application using the programmatic API described in
+"Starting the Network Server from a Java application" in the
+<ph conref="../conrefs.dita#pub/citadmin"></ph>.</p>
+<p>The following is a copy of the basic policy:</p>
+<codeblock>// This template policy file gives examples of how to configure the
+// permissions needed to run a <ph conref="../conrefs.dita#prod/productshortname"></ph> network server with the Java
+// Security manager.
+//
+grant codeBase "${derby.install.url}derby.jar"
+{
+  // These permissions are needed for everyday, embedded <ph conref="../conrefs.dita#prod/productshortname"></ph> usage.
+  //
+  permission java.lang.RuntimePermission "createClassLoader";
+  permission java.util.PropertyPermission "derby.*", "read";
+  permission java.util.PropertyPermission "user.dir", "read";
+
+  // The next two properties are used to determine if the VM is 32 or 64
+  // bit.
+  //
+  permission java.util.PropertyPermission "sun.arch.data.model", "read";
+  permission java.util.PropertyPermission "os.arch", "read";
+
+  permission java.io.FilePermission "${derby.system.home}","read";
+  permission java.io.FilePermission "${derby.system.home}${/}-", 
+      "read,write,delete";
+
+  // This permission lets a DBA reload the policy file while the server
+  // is still running. The policy file is reloaded by invoking the
+  // SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY() system procedure.
+  //
+  permission java.security.SecurityPermission "getPolicy";
+
+  // This permission lets you backup and restore databases
+  // to and from arbitrary locations in your file system.
+  //
+  // This permission also lets you import/export data to and from
+  // arbitrary locations in your file system.
+  //
+  // You may want to restrict this access to specific directories.
+  //
+  permission java.io.FilePermission "&lt;&lt;ALL FILES&gt;&gt;",
+      "read,write,delete";
+
+  // Permissions needed for JMX based management and monitoring.
+  //
+  // Allows this code to create an MBeanServer:
+  //
+  permission javax.management.MBeanServerPermission "createMBeanServer";
+  //
+  // Allows access to <ph conref="../conrefs.dita#prod/productshortname"></ph>'s built-in MBeans, within the domain
+  // org.apache.derby.
+  // <ph conref="../conrefs.dita#prod/productshortname"></ph> must be allowed to register and unregister these MBeans.
+  // It is possible to allow access only to specific MBeans, attributes 
+  // or operations. To fine tune this permission, see the javadoc of 
+  // javax.management.MBeanPermission or the JMX Instrumentation and 
+  // Agent Specification. 
+  //
+  permission javax.management.MBeanPermission 
+      "org.apache.derby.*#[org.apache.derby:*]",
+      "registerMBean,unregisterMBean";
+  //
+  // Trusts <ph conref="../conrefs.dita#prod/productshortname"></ph> code to be a source of MBeans and to register these in
+  // the MBean server.
+  //
+  permission javax.management.MBeanTrustPermission "register";
+
+  // getProtectionDomain is an optional permission needed for printing
+  // classpath information to derby.log
+  //
+  permission java.lang.RuntimePermission "getProtectionDomain";
+
+  // The following permission must be granted for
+  // Connection.abort(Executor) to work. Note that this permission
+  // must also be granted to outer (application) code domains.
+  //
+  permission java.sql.SQLPermission "callAbort";
+
+  // Needed by file permissions restriction system:
+  //
+  permission java.lang.RuntimePermission "accessUserInformation";
+  permission java.lang.RuntimePermission "getFileStoreAttributes";
+};
+
+grant codeBase "${derby.install.url}derbynet.jar"
+{
+  // This permission lets the Network Server manage connections from
+  // clients.
+
+  // Accept connections from any host. <ph conref="../conrefs.dita#prod/productshortname"></ph> is listening to the host
+  // interface specified via the -h option to "NetworkServerControl
+  // start" on the command line, via the address parameter to the
+  // org.apache.derby.drda.NetworkServerControl constructor in the API
+  // or via the property derby.drda.host; the default is localhost.
+  // You may want to restrict allowed hosts, e.g. to hosts in a specific
+  // subdomain, e.g. "*.example.com".
+  //
+  permission java.net.SocketPermission "*", "accept"; 
+
+  // Allow the server to listen to the socket on the default port (1527).
+  // If you have specified another port number with the -p option to
+  // "NetworkServerControl start" on the command line, or with the
+  // portNumber parameter to the NetworkServerControl constructor in the
+  // API, or with the property derby.drda.portNumber, you should change
+  // the port number in the permission statement accordingly.
+  //
+  permission java.net.SocketPermission "localhost:1527", "listen";
+
+  // Needed for server tracing.
+  //
+  permission java.io.FilePermission "${derby.drda.traceDirectory}${/}-",
+      "read,write,delete";
+
+  // Needed by file permissions restriction system:
+  //
+  permission java.lang.RuntimePermission "accessUserInformation";
+  permission java.lang.RuntimePermission "getFileStoreAttributes";
+  permission java.util.PropertyPermission 
+      "derby.__serverStartedFromCmdLine", "read, write";
+
+  // JMX: Uncomment this permission to allow the ping operation of the 
+  //      NetworkServerMBean to connect to the Network Server.
+  //
+  //permission java.net.SocketPermission "*", "connect,resolve";
+
+  // Needed by sysinfo. The file permission is needed to
+  // check the existence of jars on the classpath. You can
+  // limit this permission to just the locations which hold
+  // your jar files.
+  //
+  // In this template file, this block of permissions is granted
+  // to derbynet.jar under the assumption that derbynet.jar is
+  // the first jar file in your classpath which contains the
+  // sysinfo classes. If that is not the case, then you will want
+  // to grant this block of permissions to the first jar file
+  // in your classpath which contains the sysinfo classes.
+  // Those classes are bundled into the following <ph conref="../conrefs.dita#prod/productshortname"></ph>
+  // jar files:
+  //
+  //    derbynet.jar
+  //    derby.jar
+  //    derbyclient.jar
+  //    derbytools.jar
+  //
+  permission java.util.PropertyPermission "user.*", "read";
+  permission java.util.PropertyPermission "java.home", "read";
+  permission java.util.PropertyPermission "java.class.path", "read";
+  permission java.util.PropertyPermission "java.runtime.version", "read";
+  permission java.util.PropertyPermission "java.fullversion", "read";
+  permission java.lang.RuntimePermission "getProtectionDomain";
+  permission java.io.FilePermission "&lt;&lt;ALL FILES&gt;&gt;", "read";
+  permission java.io.FilePermission "java.runtime.version", "read";
+  permission java.io.FilePermission "java.fullversion", "read";
+};</codeblock>
+</section>
+</refbody>
+</reference>

Propchange: db/derby/docs/trunk/src/security/rsecnetservbasic.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/rsecpolicysample.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/rsecpolicysample.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/rsecpolicysample.dita (added)
+++ db/derby/docs/trunk/src/security/rsecpolicysample.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,184 @@
+<?xml version="1.0" encoding="utf-8"?>
+ 
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DITA Reference//EN"
+ "../dtd/reference.dtd">
+<!-- 
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<reference id="rsecpolicysample" xml:lang="en-us">
+<title>Sample customized Java security policy file</title>
+<shortdesc>Here is a sample customized Java security policy file.</shortdesc>
+<prolog><metadata>
+<keywords>
+<indexterm>Java security<indexterm>policy file sample</indexterm></indexterm>
+</keywords>
+</metadata></prolog>
+<refbody>
+<section>
+<codeblock>grant codeBase "file:///Users/me/javadb/lib/derby.jar"
+{
+  //
+  // These permissions are needed for everyday, embedded Derby usage.
+  //
+  permission java.lang.RuntimePermission "createClassLoader";
+  permission java.util.PropertyPermission "derby.*", "read";
+  permission java.util.PropertyPermission "user.dir", "read";
+  permission java.util.PropertyPermission "derby.storage.jvmInstanceId", 
+      "write"; 
+  // The next two properties are used to determine if the VM is 32-bit
+  // or 64-bit.
+  permission java.util.PropertyPermission "sun.arch.data.model", "read";
+  permission java.util.PropertyPermission "os.arch", "read";
+  permission java.io.FilePermission "/Users/me/derby/dummy","read";
+  permission java.io.FilePermission "/Users/me/derby/dummy${/}-", 
+      "read,write,delete";
+
+  //
+  // This permission lets a DBA reload the policy file while the server
+  // is still running. The policy file is reloaded by invoking the
+  // SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY() system procedure.
+  //
+  permission java.security.SecurityPermission "getPolicy";
+
+  //
+  // This permission lets you back up and restore databases
+  // to and from arbitrary locations in your file system.
+  //
+  // This permission also lets you import/export data to and from
+  // arbitrary locations in your file system.
+  //
+  // You may want to restrict this access to specific directories.
+  //
+  permission java.io.FilePermission "/Users/me/derby/dummy/backups/-", 
+      "read,write,delete";
+  // imports/exports
+  permission java.io.FilePermission "/Users/me/derby/dummy/imports/-",
+      "read,write,delete";
+  // jar files of user-written functions and procedures
+  permission java.io.FilePermission "/Users/me/derby/dummy/jars/-",
+      "read,write,delete";
+
+  //
+  // Permissions needed for JMX based management and monitoring, which is
+  // available only for JVMs that support "platform management", that is,
+  // Java SE 5.0 or above.
+  //
+  // Allows this code to create an MBeanServer:
+  //
+  permission javax.management.MBeanServerPermission "createMBeanServer";
+  //
+  // Allows access to Derby's built-in MBeans, within the domain
+  // org.apache.derby. Derby must be allowed to register and unregister
+  // these MBeans. It is possible to allow access only to specific
+  // MBeans,   // attributes, or operations. To fine-tune this
+  // permission, see the API documentation of
+  // javax.management.MBeanPermission or the JMX Instrumentation and
+  // Agent Specification. 
+  //
+  permission javax.management.MBeanPermission 
+      "org.apache.derby.*#[org.apache.derby:*]",
+      "registerMBean,unregisterMBean";
+  //
+  // Trusts Derby code to be a source of MBeans and to register these in
+  // the MBean server.
+  //
+  permission javax.management.MBeanTrustPermission "register";
+
+  // getProtectionDomain is an optional permission needed for printing
+  // classpath information to derby.log.
+  permission java.lang.RuntimePermission "getProtectionDomain";
+
+  //
+  // The following permission must be granted for
+  // Connection.abort(Executor) to work. Note that this permission must
+  // also be granted to outer (application) code domains.
+  //
+  permission java.sql.SQLPermission "callAbort";
+
+  // Needed by file permissions restriction system.
+  permission java.lang.RuntimePermission "accessUserInformation";
+  permission java.lang.RuntimePermission "getFileStoreAttributes";
+
+  // This permission is needed to connect to the LDAP server in order
+  // to authenticate users.
+  // permission java.net.SocketPermission "127.0.0.1:1389", 
+  //    "accept,connect,resolve";
+};
+
+grant codeBase "file:///Users/me/javadb/lib/derbynet.jar"
+{
+  //
+  // This permission lets the Network Server manage connections from
+  // clients.
+  //
+
+  // Accept connections from any host. Derby is listening to the host
+  // interface specified via the -h option to "NetworkServerControl
+  // start" on the command line, via the address parameter to the
+  // org.apache.derby.drda.NetworkServerControl constructor in the API
+  // or via the property derby.drda.host; the default is localhost.
+  // You may want to restrict allowed hosts, e.g. to hosts in a specific
+  // subdomain, e.g. "*.example.com".
+  permission java.net.SocketPermission "localhost:0-", "accept";
+
+  //
+  // Needed for server tracing.
+  //
+  permission java.io.FilePermission "/Users/me/derby/dummy/traces${/}-", 
+      "read,write,delete";
+
+  // Needed by file permissions restriction system.
+  permission java.lang.RuntimePermission "accessUserInformation";
+  permission java.lang.RuntimePermission "getFileStoreAttributes";
+  permission java.util.PropertyPermission 
+      "derby.__serverStartedFromCmdLine", "read, write";
+
+  //
+  // JMX: Uncomment this permission to allow the ping operation of the 
+  //      NetworkServerMBean to connect to the Network Server.
+  //permission java.net.SocketPermission "*", "connect,resolve";
+
+  //
+  // Needed by sysinfo. The file permission is needed to check the
+  // existence of jars on the classpath. You can limit this permission to
+  // just the locations that hold your jar files.
+  //
+  // In this template file, this block of permissions is granted to
+  // derbynet.jar under the assumption that derbynet.jar is the first jar
+  // file in your classpath that contains the sysinfo classes. If that is
+  // not the case, then you will want to grant this block of permissions
+  // to the first jar file in your classpath that contains the sysinfo
+  // classes. Those classes are bundled into the following Derby jar
+  // files:
+  //
+  //    derbynet.jar
+  //    derby.jar
+  //    derbyclient.jar
+  //    derbytools.jar
+  //
+  permission java.util.PropertyPermission "user.*", "read";
+  permission java.util.PropertyPermission "java.home", "read";
+  permission java.util.PropertyPermission "java.class.path", "read";
+  permission java.util.PropertyPermission "java.runtime.version", "read";
+  permission java.util.PropertyPermission "java.fullversion", "read";
+  permission java.lang.RuntimePermission "getProtectionDomain";
+  permission java.io.FilePermission "/Users/me/javadb/lib/-", "read";
+  permission java.io.FilePermission "java.runtime.version", "read";
+  permission java.io.FilePermission "java.fullversion", "read";
+};</codeblock>
+</section>
+</refbody>
+</reference>

Propchange: db/derby/docs/trunk/src/security/rsecpolicysample.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/rsectrademderby.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/rsectrademderby.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/rsectrademderby.dita (added)
+++ db/derby/docs/trunk/src/security/rsectrademderby.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE topic PUBLIC "-//OASIS//DTD DITA Topic//EN"
+ "../dtd/topic.dtd">
+<!--  
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at      
+
+   http://www.apache.org/licenses/LICENSE-2.0  
+
+Unless required by applicable law or agreed to in writing, software  
+distributed under the License is distributed on an "AS IS" BASIS,  
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  
+See the License for the specific language governing permissions and  
+limitations under the License.
+-->
+<topic id="rsectrademderby" xml:lang="en-us">
+<title>Trademarks</title>
+<body>
+<p>The following terms are trademarks or registered trademarks of other
+companies and have been used in at least one of the documents in the
+<ph conref="../conrefs.dita#prod/productlongname"></ph> documentation
+library:</p>
+<p>Cloudscape, DB2, DB2 Universal Database, DRDA, and IBM are trademarks of
+International Business Machines Corporation in the United States, other
+countries, or both.</p>
+<p>Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
+Microsoft Corporation in the United States, other countries, or both. </p>
+<p>Oracle and Java are registered trademarks of Oracle and/or its affiliates.
+Other names may be trademarks of their respective owners.</p>
+<p>UNIX is a registered trademark of The Open Group in the United States and
+other countries.</p>
+<p>Other company, product, or service names may be trademarks or service marks
+of others.</p>
+</body>
+</topic>

Propchange: db/derby/docs/trunk/src/security/rsectrademderby.dita
------------------------------------------------------------------------------
    svn:eol-style = native

Added: db/derby/docs/trunk/src/security/secderby.ditamap
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/secderby.ditamap?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/secderby.ditamap (added)
+++ db/derby/docs/trunk/src/security/secderby.ditamap Mon May 19 20:09:33 2014
@@ -0,0 +1,153 @@
+<?xml version="1.0" encoding="utf-8"?>
+ <!DOCTYPE map PUBLIC "-//OASIS//DTD DITA Map//EN" "map.dtd">
+<!-- 
+            Licensed to the Apache Software Foundation (ASF) under one
+            or more contributor license agreements.  See the NOTICE file
+            distributed with this work for additional information
+            regarding copyright ownership.  The ASF licenses this file
+            to you under the Apache License, Version 2.0 (the
+            "License"); you may not use this file except in compliance
+            with the License.  You may obtain a copy of the License at
+
+              http://www.apache.org/licenses/LICENSE-2.0
+
+            Unless required by applicable law or agreed to in writing,
+            software distributed under the License is distributed on an
+            "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+            KIND, either express or implied.  See the License for the
+            specific language governing permissions and limitations
+            under the License.
+-->
+<map xml:lang="en-us" title="Derby Security Guide">
+<topicmeta>
+<copyright>
+<copyryear year="2004, @COPYRIGHT_YEAR@"/>
+<copyrholder>Apache Software Foundation</copyrholder>
+</copyright>
+<prodinfo>
+<prodname>Derby Security Guide</prodname>
+<vrmlist><vrm version="@RELEASE_ID_SHORT@"/></vrmlist>
+<brand>Apache Derby</brand></prodinfo>
+</topicmeta>
+<topicref href="rseccopyright.dita" navtitle="Copyright"/>
+<topicref href="rseclicense.dita" navtitle="License"/>
+<topicref href="csecpref29520.dita" navtitle="About this guide">
+<topicref href="csecpref11181.dita" navtitle="Purpose of this guide"/>
+<topicref href="csecpref24290.dita" navtitle="Audience"/>
+<topicref href="csecpref23947.dita" navtitle="How this guide is organized"/>
+</topicref>
+<topicref collection-type="family" href="csecintro.dita" navtitle="Part One: Introduction to database security">
+<topicref collection-type="family" href="csecintrowhy.dita" navtitle="Why databases need security">
+<topicref href="csecintrovuln.dita" navtitle="Vulnerabilities of unsecured databases"/>
+<topicref href="csecintrothreats.dita" navtitle="Threats to unsecured databases"/>
+</topicref>
+<topicref collection-type="family" href="csecintrodefenses.dita" navtitle="Defenses against security threats">
+<topicref href="csecintroderbydefenses.dita" navtitle="Derby defenses against threats"/>
+<topicref href="csecintrootherdefenses.dita" navtitle="Defenses outside of Derby"/>
+</topicref>
+<topicref href="csecintromapping.dita" navtitle="Defenses mapped to threats"/>
+<topicref href="csecintrosafer.dita" navtitle="Designing safer Derby applications"/>
+<topicref href="csecterms.dita" navtitle="Security terminology"/>
+</topicref>
+<topicref collection-type="family" href="cseccsecuree.dita" navtitle="Part Two: Configuring security for Derby">
+<topicref collection-type="family" href="cseccsecure12392.dita" navtitle="Basic security configuration tasks">
+<topicref href="tseccsecure81850.dita" navtitle="Configuring security in an embedded environment"/>
+<topicref href="tseccsecure82556.dita" navtitle="Configuring security in a client/server environment">
+<topicref href="csecnetservsecurity.dita" navtitle="Network Server security"/>
+</topicref>
+</topicref>
+<topicref collection-type="family" href="cseccsecure24366.dita" navtitle="Configuring database encryption">
+<topicref href="cseccsecure96815.dita" navtitle="Requirements for Derby encryption"/>
+<topicref collection-type="family" href="cseccsecure97760.dita" navtitle="Working with encryption">
+<topicref href="cseccsecure88690.dita" navtitle="Encrypting databases on creation"/>
+<topicref href="tseccsecureunencrypteddb.dita" navtitle="Encrypting an existing unencrypted database"/>
+<topicref collection-type="family" href="cseccsecure866716.dita" navtitle="Creating a boot password">
+<topicref href="cseccsecure31493.dita" navtitle="Specifying an alternate encryption provider"/>
+<topicref href="cseccsecure67151.dita" navtitle="Specifying an alternate encryption algorithm"/>
+</topicref>
+<topicref collection-type="family" href="tseccsecurenewkeyoverview.dita" navtitle="Encrypting databases with a new key">
+<topicref href="tseccsecurenewbootpw.dita" navtitle="Encrypting databases with a new boot password"/>
+<topicref href="tseccsecurenewextkey.dita" navtitle="Encrypting databases with a new external key"/>
+</topicref>
+<topicref href="cseccsecure60146.dita" navtitle="Booting an encrypted database"/>
+<topicref href="cseccsecuredecryptdb.dita" navtitle="Decrypting an encrypted database"/>
+</topicref>
+</topicref>
+<topicref href="cseccsecure90988.dita" navtitle="Using signed jar files"/>
+<topicref collection-type="family" href="csecssl.dita" navtitle="Configuring SSL/TLS">
+<topicref href="tsecsslclientkeycert.dita" navtitle="Creating a client key pair and certificate"/>
+<topicref href="tsecsslserverkeycert.dita" navtitle="Creating a server key pair and certificate"/>
+<topicref href="tsecsslimportcerts.dita" navtitle="Importing certificates"/>
+<topicref href="csecsslbootconn.dita" navtitle="Booting the server and connecting to it"/>
+<topicref href="csecsslkeys.dita" navtitle="Key and certificate handling"/>
+<topicref href="csecsslserver.dita" navtitle="Starting the server with SSL/TLS"/>
+<topicref href="csecsslclient.dita" navtitle="Running the client with SSL/TLS"/>
+<topicref href="csecssladmin.dita" navtitle="Other server commands"/>
+</topicref>
+<topicref collection-type="family" href="cseccsecureidentity.dita" navtitle="Understanding identity in Derby">
+<topicref collection-type="family" href="cseccsecure37241.dita" navtitle="Users and authorization identifiers">
+<topicref href="cseccsecure24458.dita" navtitle="Authorization identifiers, user authentication, and user authorization"/>
+<topicref href="cseccsecure865580.dita" navtitle="User names and schemas"/>
+<topicref href="rseccsecure622.dita" navtitle="Exceptions when using authorization identifiers"/>
+</topicref>
+<topicref href="cseccsecuredbowner.dita" navtitle="Database Owner"/>
+</topicref>
+<topicref collection-type="family" href="cseccsecure42374.dita" navtitle="Configuring user authentication">
+<topicref collection-type="family" href="cseccsecure41285.dita" navtitle="Configuring LDAP authentication">
+<topicref href="csecldapbooting.dita" navtitle="Booting an LDAP server"/>
+<topicref href="cseccsecure863446.dita" navtitle="Setting up Derby to use your LDAP directory service"/>
+<topicref href="cseccsecure876908.dita" navtitle="Guest access to search for DNs"/>
+<topicref href="cseccsecure863546.dita" navtitle="LDAP performance issues"/>
+<topicref href="cseccsecure863676.dita" navtitle="LDAP restrictions"/>
+<topicref href="cseccsecure864242.dita" navtitle="JNDI-specific properties for external directory services"/>
+</topicref>
+<topicref collection-type="family" href="cseccsecurenativeauth.dita" navtitle="Configuring NATIVE authentication">
+<topicref href="csecnativeenable.dita" navtitle="Enabling NATIVE authentication explicitly"/>
+<topicref href="csecnativecreddb.dita" navtitle="Working with a credentials database"/>
+<topicref href="csecnativeotherprops.dita" navtitle="NATIVE authentication and other database properties"/>
+<topicref href="csecnativemanagecreds.dita" navtitle="Managing users and passwords"/>
+<topicref href="csecnativeconvert.dita" navtitle="Converting an existing database to use NATIVE authentication"/>
+</topicref>
+<topicref href="cseccsecure21561.dita" navtitle="Specifying authentication with a user-defined class">
+<topicref href="rsecexudclass.dita" navtitle="Example of setting a user-defined class"/>
+</topicref>
+<topicref href="rseccsecure557.dita" navtitle="List of user-authentication properties"/>
+<topicref href="cseccsecure79358.dita" navtitle="Programming applications for Derby user authentication"/>
+<topicref href="rseccsecure305.dita" navtitle="Login failure exceptions with user authentication"/>
+<topicref href="csecnetservauthent.dita" navtitle="Configuring Network Server authentication in special circumstances">
+<topicref href="csecappsclientsecurity.dita" navtitle="Configuring Network Client authentication without SSL/TLS"/>
+<topicref href="csecapps49914.dita" navtitle="Configuring Network Server authentication without SSL/TLS"/>
+</topicref>
+</topicref>
+<topicref collection-type="family" href="csecauthorization.dita" navtitle="Configuring user authorization">
+<topicref collection-type="family" href="csecauthorcoarse.dita" navtitle="Configuring coarse-grained user authorization">
+<topicref href="rseccsecure190.dita" navtitle="Read-only and full access permissions"/>
+<topicref href="cseccsecure865818.dita" navtitle="Setting the default connection access mode"/>
+<topicref href="rseccsecure379.dita" navtitle="User authorization exceptions"/>
+</topicref>
+<topicref collection-type="family" href="csecauthorfine.dita" navtitle="Configuring fine-grained user authorization">
+<topicref href="cseccsecuregrantrevokeaccess.dita" navtitle="Using SQL standard authorization"/>
+<topicref href="cseccsecureprivileges.dita" navtitle="Privileges on views, triggers, constraints, and generated columns"/>
+<topicref href="cseccsecureroles.dita" navtitle="Using SQL roles"/>
+<topicref href="cseccsecuresqlauthupgrade.dita" navtitle="Upgrading an old database to use SQL standard authorization"/>
+<topicref href="rseccsecuresqlauthexceptions.dita" navtitle="SQL standard authorization exceptions"/>
+<topicref href="rseccsecurenativeauthex.dita" navtitle="NATIVE authentication and SQL authorization example"/>
+</topicref>
+</topicref>
+<topicref collection-type="family" href="csecjavasecurity.dita" navtitle="Configuring Java security">
+<topicref href="rsecnetservbasic.dita" navtitle="Basic Java security policy file"/>
+<topicref href="rsecpolicysample.dita" navtitle="Sample customized Java security policy file"/>
+<topicref href="csecrunpolicy.dita" navtitle="Using a Java security policy file"/>
+<topicref href="csecembeddedperms.dita" navtitle="Running embedded Derby with a security manager"/>
+<topicref href="tsecnetservrun.dita" navtitle="Running the Network Server with a security manager"/>
+<topicref href="tsecnetservopen.dita" navtitle="Running the Network Server without a security manager"/>
+</topicref>
+<topicref href="csecnetservfileperms.dita" navtitle="Restricting file permissions"/>
+<topicref collection-type="family" href="csecputtogether.dita" navtitle="Putting it all together">
+<topicref href="csecputstart.dita" navtitle="Starting a secured Network Server"/>
+<topicref href="csecputrun.dita" navtitle="Creating and using a secure database"/>
+<topicref href="csecputstop.dita" navtitle="Stopping the secured Network Server"/>
+</topicref>
+</topicref>
+<topicref href="rsectrademderby.dita" navtitle="Trademarks"></topicref>
+</map>

Propchange: db/derby/docs/trunk/src/security/secderby.ditamap
------------------------------------------------------------------------------
    svn:eol-style = native



Mime
View raw message