Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm
Precedence: bulk
Reply-To: <derby-dev@db.apache.org>
Received-SPF: pass (herse.apache.org: domain of francois.orsini@gmail.com
 designates 64.233.162.233 as permitted sender)
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=beta;
        h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references;
        b=HW/zuMQgoV9hFlJOvgI/0K1M34haojwWzn+lvDJOhRuoby2DPi7XDQgr0VAYyCz2r1vyduRe7FFtKrOJauKGl4wRYRa7dRBxrOYpjqt5ORcaT1ilPwGcyhmN61juISf1FdTeXB3O8gmpTpttTREqWcilAD2DAsvc4iGLpih01as=
Message-ID: <7921d3e40706221508k6a5164bdw1e47445e21678cc2@mail.gmail.com>
Date: Fri, 22 Jun 2007 15:08:44 -0700
From: "Francois Orsini" <francois.orsini@gmail.com>
To: derby-dev@db.apache.org
Subject: Re: NetworkServerControl shutdown w/ authentication failing?
In-Reply-To: <wjo8odj8l6lc.fsf@sun.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_Part_166596_21160870.1182550124973"
References: <4679FC94.1070104@sun.com> <wjo8sl8llr2n.fsf@sun.com>
	 <7921d3e40706211555m37bfc588ue1533ddeaea92e78@mail.gmail.com>
	 <56a83cd00706211704i6424e9m865543402e7824f1@mail.gmail.com>
	 <wjo8odj8l6lc.fsf@sun.com>

------=_Part_166596_21160870.1182550124973
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

On 6/22/07, Knut Anders Hatlen <Knut.Hatlen@sun.com> wrote:
>
> David Van Couvering <david@vancouvering.com> writes:
>
> > I think "invalid authentication" is incorrect, because actually it
> > should be "this user is not authorized to shut down the database."
> > The authentication went fine, it's just they aren't authorized.  There
> > is security and there is being completely misleading.  The poor user
> > will scratch their heads, like Martin did, wondering what on earth is
> > wrong with their user and password, especially when they can log in to
> > do other things.
>
> Since the problem here is that the shutdown command in
> NetworkServerControl does not pick up the user name or the password, I
> think "invalid authentication" is correct. It tries to shut down the
> database using the default user and no password when
> derby.connection.requireAuthentication is true, hence it is not
> authenticated (whereas the default user may or may not be authorized to
> shut down the database).


Correct.

> On 6/21/07, Francois Orsini <francois.orsini@gmail.com> wrote:
> >>
> >>
> >> On 6/21/07, Knut Anders Hatlen <Knut.Hatlen@sun.com> wrote:
> >> > Martin Zaun <Martin.Zaun@Sun.COM> writes:
>
> >> > > - For better diagnostics, should the "Invalid authentication"
> message
> >> > >   tell the user name being used for authentication?
> >>
> >> We could have - this has been there for ages -  I think it was done
> >> originally for extra security ;-) One does not say anything about what
> went
> >> wrong with the credentials, one just fails to authenticate and the
> requester
> >> should know what to do to fix it (no guidance as far as what went wrong
> -
> >> other databases also do this - I remember having looked at other RDBMS
> but
> >> it was long ago).
>
> I don't think adding the user name to the error message would reduce the
> security. Sure, "User 'APP' does not exist" or "Invalid password for
> user 'APP'" would be problematic, as they would reveal whether or not a
> user existed. However, a message like "Invalid authentication for user
> 'APP'" would be OK since it doesn't say what went wrong, and it would be
> more useful since Martin (or any other user) would immediately see that
> the supplied user name had not been picked up.


Fair enough for the server (NetworkServerControl) - Yes, in this context it
is hard to find out which user has failed to authenticate. +1

--
> Knut Anders
>

------=_Part_166596_21160870.1182550124973
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

<br><br><div><span class="gmail_quote">On 6/22/07, <b class="gmail_sendername">Knut Anders Hatlen</b> &lt;<a href="mailto:Knut.Hatlen@sun.com">Knut.Hatlen@sun.com</a>&gt; wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
David Van Couvering &lt;<a href="mailto:david@vancouvering.com">david@vancouvering.com</a>&gt; writes:<br><br>&gt; I think &quot;invalid authentication&quot; is incorrect, because actually it<br>&gt; should be &quot;this user is not authorized to shut down the database.&quot;
<br>&gt; The authentication went fine, it&#39;s just they aren&#39;t authorized.&nbsp;&nbsp;There<br>&gt; is security and there is being completely misleading.&nbsp;&nbsp;The poor user<br>&gt; will scratch their heads, like Martin did, wondering what on earth is
<br>&gt; wrong with their user and password, especially when they can log in to<br>&gt; do other things.<br><br>Since the problem here is that the shutdown command in<br>NetworkServerControl does not pick up the user name or the password, I
<br>think &quot;invalid authentication&quot; is correct. It tries to shut down the<br>database using the default user and no password when<br>derby.connection.requireAuthentication is true, hence it is not<br>authenticated (whereas the default user may or may not be authorized to
<br>shut down the database).</blockquote><div><br>Correct. <br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">&gt; On 6/21/07, Francois Orsini &lt;
<a href="mailto:francois.orsini@gmail.com">francois.orsini@gmail.com</a>&gt; wrote:<br>&gt;&gt;<br>&gt;&gt;<br>&gt;&gt; On 6/21/07, Knut Anders Hatlen &lt;<a href="mailto:Knut.Hatlen@sun.com">Knut.Hatlen@sun.com</a>&gt; wrote:
<br>&gt;&gt; &gt; Martin Zaun &lt;<a href="mailto:Martin.Zaun@Sun.COM">Martin.Zaun@Sun.COM</a>&gt; writes:<br><br>&gt;&gt; &gt; &gt; - For better diagnostics, should the &quot;Invalid authentication&quot; message<br>&gt;&gt; &gt; &gt;&nbsp;&nbsp; tell the user name being used for authentication?
<br>&gt;&gt;<br>&gt;&gt; We could have - this has been there for ages -&nbsp;&nbsp;I think it was done<br>&gt;&gt; originally for extra security ;-) One does not say anything about what went<br>&gt;&gt; wrong with the credentials, one just fails to authenticate and the requester
<br>&gt;&gt; should know what to do to fix it (no guidance as far as what went wrong -<br>&gt;&gt; other databases also do this - I remember having looked at other RDBMS but<br>&gt;&gt; it was long ago).<br><br>I don&#39;t think adding the user name to the error message would reduce the
<br>security. Sure, &quot;User &#39;APP&#39; does not exist&quot; or &quot;Invalid password for<br>user &#39;APP&#39;&quot; would be problematic, as they would reveal whether or not a<br>user existed. However, a message like &quot;Invalid authentication for user
<br>&#39;APP&#39;&quot; would be OK since it doesn&#39;t say what went wrong, and it would be<br>more useful since Martin (or any other user) would immediately see that<br>the supplied user name had not been picked up.</blockquote>
<div><br>Fair enough for the server (NetworkServerControl) - Yes, in this context it is hard to find out which user has failed to authenticate. +1<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
--<br>Knut Anders<br></blockquote></div><br>

------=_Part_166596_21160870.1182550124973--