db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andrew McIntyre" <mcintyr...@gmail.com>
Subject Re: broken network startup scripts
Date Mon, 26 Feb 2007 19:53:24 GMT
On 2/26/07, Rick Hillegas <Richard.Hillegas@sun.com> wrote:
> The network startup scripts are broken now, as a result of the work I am
> doing on DERBY-2196. We decided that, to avoid giving customers a false
> sense of security, the secure-by-default server should fail to come up
> if the customer does not specify how they want to authenticate users.
> Now when you run the network startup script, the script fails fast,
> telling you that you have to specify an authentication scheme.
>
> How should we handle this?
>
> 1) Make the out-of-the-box server come up with Builtin authentication
> and one distinguished user if authentication is otherwise not specified.
> This distinguished system administrator would have a canonical name and
> password.
>
> 2) Revisit our decision to require authentication. Instead, let the
> server come up installing a security manager even though the customer
> has not specified any authentication scheme.
>
> 3) Add the -noSecurityManager option to the server boot command.

If the goal is backward compaibility, then (3) provides just that: the
behavior of the previous version, but probably deserves at least
printing a warning. Since user authentication and installing a
security manager are not directly related, (2) is certainly doable,
but from the secure-out-of-the box standpoint, it does not provide a
secure environment, since anyone could connect to the server and
manipulate any database resource. (1) seems like it would have some
complicated issues to resolve: for example, to be really secure the
user needs to have a way to remove this default user in such a way
that just running the network server again does not bring it back,
even if the system home is not set to the same location or you've
moved the database and server to a different machine. How do you do
that?

There's also 4: leave it as-is and force the user to think about the
security of their network server. They can still provide the
-noSecurityManager option as an argument to the script if they just
want to get the server started. I'm leaning in that direction at the
moment.

andrew

Mime
View raw message