db-derby-dev mailing list archives

From Daniel John Debrunner <...@apache.org>
Subject Re: no protection of db boot - intended?
Date Tue, 27 Feb 2007 18:27:44 GMT
Dag H. Wanvik wrote:
> Working on DERBY-2264, I notice (again) that booting a database is not
> protected in any way.  Currently, even when authentication
> (derby.connection.requireAuthentication) is turned on, any user can
> leave the database in a booted state: If not already booted, the
> database potentially needs to be booted to authenticate. However, if
> authentication fails, the database is not shut down again. Thus, an
> invalid user is allowed to change the database state. I think this is
> somewhat surprising for an end user. Is there a reason for this
> behavior? If not, I will file a JIRA for fixing it.

Not sure there's a reason for the behaviour, but I'm not sure the fix is 
obvious.

1) If a boot with failed authentication shuts the database down, then at 
least it has to ensure that no valid user has connected to it since it 
was booted.

2) Having such a request shut down the database might actually increase 
the potential of a denial of service attack. More work would be 
performed for an invalid request, thus consuming more CPU time on the 
machine.

3) Which "end-user" do you mean above? A remote user can't tell that the 
database was booted or not so it's not surprising to them. :-)

Dan.
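
Added example, not part of the original message and not Derby code: a toy Java model of the condition in point 1, where a boot triggered by a failed login is undone only if no valid user has connected since that boot and no other attempt is still in flight. The class `BootGuardModel` and all of its members are hypothetical names; authentication itself is reduced to a boolean result.

```java
/** Toy model, not Derby code: undo a boot caused by a failed login only when it is safe. */
public class BootGuardModel {
    private boolean booted = false;
    private boolean bootedForLogin = false; // current boot was triggered by a login attempt
    private int inFlight = 0;               // attempts between begin and finish
    private int validSinceBoot = 0;         // successful logins since the current boot

    /** Phase 1: boot if needed so that credentials can be checked against the database. */
    public synchronized void beginAttempt() {
        if (!booted) {
            booted = true;
            bootedForLogin = true;
            validSinceBoot = 0;
        }
        inFlight++;
    }

    /** Phase 2: record the result; returns true if this call shut the database down. */
    public synchronized boolean finishAttempt(boolean authenticated) {
        inFlight--;
        if (authenticated) {
            validSinceBoot++;
            return false;
        }
        // Point 1 of the reply: never undo the boot once a valid user has connected,
        // and do not shut down underneath an attempt that is still being checked.
        if (bootedForLogin && validSinceBoot == 0 && inFlight == 0) {
            booted = false;
            bootedForLogin = false;
            return true;
        }
        return false;
    }

    public synchronized boolean isBooted() { return booted; }

    public static void main(String[] args) {
        BootGuardModel db = new BootGuardModel();
        db.beginAttempt();                       // invalid user, nobody else connected
        System.out.println("shutdown: " + db.finishAttempt(false));
        db.beginAttempt();                       // invalid user boots the database ...
        db.beginAttempt();                       // ... and a valid user arrives meanwhile
        db.finishAttempt(true);
        System.out.println("shutdown: " + db.finishAttempt(false));
        System.out.println("booted: " + db.isBooted());
    }
}
```

The extra bookkeeping and the shutdown itself are work done on behalf of an unauthenticated request, which is the cost raised in point 2.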

