db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rick Hillegas <Richard.Hille...@Sun.COM>
Subject Re: no protection of db boot - intended?
Date Tue, 27 Feb 2007 16:57:57 GMT
Dag H. Wanvik wrote:
> Working on DERBY-2264, I notice (again) that booting a database is not
> protected in any way.  Currently, even when authentication
> (derby.connection.requireAuthentication) is turned on, any user can
> leave the database in a booted state: If not already booted, the
> database potentially needs to be booted to authenticate. However, if
> authentication fails, the database is not shut down again. Thus, an
> invalid user is allowed to change the database state. I think this is
> somewhat surprising for an end user. Is there a reason for this
> behavior? If not, I will file a JIRA for fixing it.
>
> Thanks,
> Dag
>   
Hi Dag,

This sounds akin to a denial-of-service attack. I agree that it deserves 
its own JIRA.

Regards,
-Rick

Mime
View raw message