db-derby-dev mailing list archives

From "Francois Orsini (JIRA)" <derby-...@db.apache.org>
Subject [jira] Commented: (DERBY-224) System versus Database authentication conflict
Date Fri, 05 Aug 2005 02:02:35 GMT
    [ http://issues.apache.org/jira/browse/DERBY-224?page=comments#action_12317734 ] 

Francois Orsini commented on DERBY-224:

Yes this is expected as for the basic (aka built-in) authentication:

- Users can be created at the System or Database level

- If derby.database.propertiesOnly is set to true, then in this case only users defined as
database properties for the current database will be considered (not even system-defined ones)

- Users defined at the database level take precedence over the ones at system level

- Same username can be created at System and Database level with different password

So, I'm going to close this JIRA issue as it works as intended - if we want the behavior to
be changed, then I suggest opening a new JIRA for a feature request.

Derby authentication allows different and new authentication schemes to be plugged - a new
authentication scheme could be created to fulfill different behavior(s) if wanted to.

> System versus Database authentication conflict
> ----------------------------------------------
>          Key: DERBY-224
>          URL: http://issues.apache.org/jira/browse/DERBY-224
>      Project: Derby
>         Type: Improvement
>   Components: Security
>     Versions:
>  Environment: Windows XP Professional SP1
>     Reporter: George Baklarz

> As a system user (authentication enabled at the system level), it is possible for someone registered at the database level to prevent me from accessing it (this was done with BUILTIN
> This occurs because of a conflict between two identical userids. If I create a system user (sa) with a password of "Derby" and a user at the database level is created with a userid of sa with a password of "Apache", this user will take precedence on the connect command to the database.
> So there are really two problems here.
> (1) Duplicate userids are allowed between system level users and database users
> (2) Database userids take precedence over system users.
> This may be working as designed, but it surprised me when I couldn't connect to the database because of an incorrect password. I would have liked the system userid to connect to all databases even if a local database userid was present.

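The lookup order described in the comment above, as an added example that is not part of the original message and is not Derby's code: a simplified Python model that replays the sa/"Derby" versus sa/"Apache" case from the report and lists system users who are shadowed in a given database. The function names and sample data are hypothetical, and passwords are compared as plain strings for brevity.

```python
import hmac

# Simplified model of the BUILTIN lookup order described in the comment above.
# Not Derby source code; passwords are compared as plain strings for brevity.
USER_PREFIX = "derby.user."
PROPS_ONLY = "derby.database.propertiesOnly"


def props_only(db_props):
    return db_props.get(PROPS_ONLY, "false").strip().lower() == "true"


def effective_password(user, system_props, db_props):
    """Password that decides a connect attempt, or None if the user is unknown."""
    key = USER_PREFIX + user
    if key in db_props:              # database-level definition wins
        return db_props[key]
    if props_only(db_props):         # system-level users are not consulted
        return None
    return system_props.get(key)


def authenticate(user, password, system_props, db_props):
    expected = effective_password(user, system_props, db_props)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def shadowed_system_users(system_props, db_props):
    """System users whose system password will not open this database."""
    findings = []
    for key in sorted(system_props):
        if not key.startswith(USER_PREFIX):
            continue
        user = key[len(USER_PREFIX):]
        if key in db_props and db_props[key] != system_props[key]:
            findings.append((user, "overridden by database-level user"))
        elif key not in db_props and props_only(db_props):
            findings.append((user, "ignored: propertiesOnly is true"))
    return findings


# Constructed sample data: the sa/"Derby" vs sa/"Apache" case from the report.
SYSTEM = {"derby.user.sa": "Derby", "derby.user.ops": "OpsPw"}
DATABASE = {"derby.user.sa": "Apache"}

if __name__ == "__main__":
    print(authenticate("sa", "Derby", SYSTEM, DATABASE))
    print(shadowed_system_users(SYSTEM, DATABASE))
```

Running `shadowed_system_users` over each database's properties gives an administrator a list of system accounts that a database-level definition or `derby.database.propertiesOnly` has locked out.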