db-derby-dev mailing list archives

From "Kathey Marsden (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-857) LDAP user authentication fails under a security manager
Date Tue, 16 Oct 2007 23:10:51 GMT

    [ https://issues.apache.org/jira/browse/DERBY-857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12535368 ]

Kathey Marsden commented on DERBY-857:
--------------------------------------

Well, putting the tracing in a priv block gets me further but there are still permission problems.
2007-10-16 21:49:44.968 GMT Thread[main,5,main] Cleanup action starting

java.sql.SQLException: Connection refused : javax.naming.CommunicationException: socket.usca.ibm.com:389 [Root exception is java.security.AccessControlException: access denied (java.net.SocketPermission socket.usca.ibm.com resolve)]
	at org.apache.derby.impl.jdbc.authentication.JNDIAuthenticationSchemeBase.getLoginSQLException(JNDIAuthenticationSchemeBase.java:122)
	at org.apache.derby.impl.jdbc.authentication.LDAPAuthenticationSchemeImpl.authenticateUser(LDAPAuthenticationSchemeImpl.java:196)
	at org.apache.derby.impl.jdbc.authentication.AuthenticationServiceBase.authenticate(AuthenticationServiceBase.java:222)
	at org.apache.derby.impl.jdbc.EmbedConnection.checkUserCredentials(EmbedConnection.java:583)
	at org.apache.derby.impl.jdbc.EmbedConnection.<init>(EmbedConnection.java:301)
	at org.apache.derby.impl.jdbc.EmbedConnection30.<init>(EmbedConnection30.java:73)
	at org.apache.derby.impl.jdbc.EmbedConnection40.<init>(EmbedConnection40.java:54)
	at org.apache.derby.jdbc.Driver40.getNewEmbedConnection(Driver40.java:68)
	at org.apache.derby.jdbc.InternalDriver.connect(InternalDriver.java:211)
	at org.apache.derby.jdbc.AutoloadedDriver.connect(AutoloadedDriver.java:119)
	at java.sql.DriverManager.getConnection(DriverManager.java:582)
	at java.sql.DriverManager.getConnection(DriverManager.java:154)
	at org.apache.derby.impl.tools.ij.ij.dynamicConnection(ij.java:1206)
	at org.apache.derby.impl.tools.ij.ij.ConnectStatement(ij.java:1056)
	at org.apache.derby.impl.tools.ij.ij.ijStatement(ij.java:884)
	at org.apache.derby.impl.tools.ij.utilMain.runScriptGuts(utilMain.java:328)
	at org.apache.derby.impl.tools.ij.utilMain.go(utilMain.java:248)
	at org.apache.derby.impl.tools.ij.Main.go(Main.java:215)
	at org.apache.derby.impl.tools.ij.Main.mainCore(Main.java:181)
	at org.apache.derby.impl.tools.ij.Main.main(Main.java:73)
	at org.apache.derby.tools.ij.main(ij.java:59)

Cleanup action completed

The code that generates the exception is not a socket call directly but rather

    env.put(Context.SECURITY_PRINCIPAL, userDN);
    env.put(Context.SECURITY_CREDENTIALS, userPassword);

    // Connect & authenticate (bind) to the LDAP server now

    // it is happening right here
    DirContext ctx = new InitialDirContext(env);

Wrapping this code in a priv block does no good because it is the root exception which is
not exposed that is the problem.
I'm not sure which jar to give the permission to.


grant {
  permission java.net.SocketPermission "*", "connect,resolve";
};

works, but is more liberal than we want I think.


> LDAP user authentication fails under a security manager
> -------------------------------------------------------
>
>                 Key: DERBY-857
>                 URL: https://issues.apache.org/jira/browse/DERBY-857
>             Project: Derby
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.2.1, 10.2.1.6
>            Reporter: Daniel John Debrunner
>            Assignee: Kathey Marsden
>
> Running the test jdbcapi/secureUsers1.sql with a security manager results in:
> > ERROR 08004: Connection refused : javax.naming.CommunicationException: noSuchMachine:389 [Root exception is java.security.AccessControlException: access denied (java.net.SocketPermission noSuchMachine resolve)]
> Adding this permission to the policy file has no effect, which means a priv block is required around the LDAP call.
> permission java.net.SocketPermission "noSuchMachine", "resolve";

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
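The pattern under discussion in this thread, shown as an added illustration rather than Derby's own code or the eventual fix for this issue: the InitialDirContext creation inside a doPrivileged block, paired with a policy grant scoped to one code base and one host instead of "*". The class and method names, the LDAP host and the derby.jar path are assumptions.

```java
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

// Added illustration, not Derby's code: the LDAP bind runs inside a
// privileged block so that the SocketPermission check stops at this
// class's protection domain instead of walking up through every caller.
public class PrivilegedLdapBind {   // hypothetical class name

    // Matching policy entry (constructed; adjust the jar path, host and port):
    //   grant codeBase "file:/opt/derby/lib/derby.jar" {
    //     permission java.net.SocketPermission "ldap.example.com:389", "connect,resolve";
    //   };
    // "host:389" with "connect,resolve" also satisfies the bare "host resolve"
    // check seen in the trace: SocketPermission skips the port comparison
    // when the requested action is resolve only.
    public static DirContext bind(final String ldapUrl,
                                  final String userDN,
                                  final String userPassword)
            throws NamingException {
        final Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);   // e.g. "ldap://ldap.example.com:389"
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDN);
        env.put(Context.SECURITY_CREDENTIALS, userPassword);
        try {
            return AccessController.doPrivileged(
                new PrivilegedExceptionAction<DirContext>() {
                    public DirContext run() throws NamingException {
                        // The socket resolve/connect that raised the
                        // AccessControlException in the trace happens in here.
                        return new InitialDirContext(env);
                    }
                });
        } catch (PrivilegedActionException pae) {
            // Unwrap so the caller sees the NamingException, whose root
            // cause (if any) is still the AccessControlException.
            throw (NamingException) pae.getException();
        }
    }
}
```

With doPrivileged the access-control stack walk stops at this class's frame, so only the jar containing it (plus the JDK's own JNDI LDAP provider, which is trusted) needs the SocketPermission; callers such as ij do not have to carry it.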

