Return-Path: Delivered-To: apmail-db-derby-dev-archive@www.apache.org Received: (qmail 42711 invoked from network); 7 Nov 2007 22:52:12 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 7 Nov 2007 22:52:12 -0000 Received: (qmail 46286 invoked by uid 500); 7 Nov 2007 22:52:00 -0000 Delivered-To: apmail-db-derby-dev-archive@db.apache.org Received: (qmail 46075 invoked by uid 500); 7 Nov 2007 22:51:59 -0000 Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: Delivered-To: mailing list derby-dev@db.apache.org Received: (qmail 46066 invoked by uid 99); 7 Nov 2007 22:51:59 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 07 Nov 2007 14:51:59 -0800 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of david.vancouvering@gmail.com designates 64.233.166.178 as permitted sender) Received: from [64.233.166.178] (HELO py-out-1112.google.com) (64.233.166.178) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 07 Nov 2007 22:52:03 +0000 Received: by py-out-1112.google.com with SMTP id p76so4857439pyb for ; Wed, 07 Nov 2007 14:51:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:sender:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; bh=NXJPe3rJZNm7KKHH1ql9c8h3yJow3oDNT/XXNlCV/kk=; b=Dou4+GIHriX4emFqAhRhtUO/HyssaTjt912VwV9LkE1mvc3nA4fFTgN5eoDEE6Seq5+2bOh2gfwT2aHYRiC8XOvZvXyZOSS30l+VpuyxxlcmM333HuhVmxbwvlwHSxOelwIbssNShn04IN35v/VrLmXYdUd2lxlOckaObRBEAsw= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:sender:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=E/dnXjk9/ckUP/OICTMr/VNLTWkIda571QLziSm3DMMxXUmFUcntLQQcOLC90BX/w7gDo3E6ystrz7iMAXNBOzLssjWS7IS0K6dVhPpct1Zr/s22OLd2/q0fnUHuidBbClhoS26nQAcDhdD9PruHcpFT/4/lbef8J1f8Qb1NANk= Received: by 10.65.216.19 with SMTP id t19mr2459130qbq.1194475902264; Wed, 07 Nov 2007 14:51:42 -0800 (PST) Received: by 10.64.193.5 with HTTP; Wed, 7 Nov 2007 14:51:42 -0800 (PST) Message-ID: <56a83cd00711071451q47556f2bk2cac2d8d0dad92af@mail.gmail.com> Date: Wed, 7 Nov 2007 17:51:42 -0500 From: "David Van Couvering" Sender: david.vancouvering@gmail.com To: derby-dev@db.apache.org Subject: Re: Installing a SecurityManager by default when the server boots In-Reply-To: <47320BAE.60609@sun.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <47320BAE.60609@sun.com> X-Google-Sender-Auth: f1cc05216337d6d5 X-Virus-Checked: Checked by ClamAV on apache.org IMHO, if we are breaking a lot of existing applications, then it was not a compatible change, and needs to be turned off. I understand the value of "secure by default' but I think this has to be balanced against the value of Derby as a very quickly easy to use and run database which makes it a favorite of developers. If it becomes too security-heavy it loses one of its key value propositions. Those who want to deploy in production and are worried about security, we should make it very easy to turn on the security manager, e.g. with a single flag in the network server startup command. David On Nov 7, 2007 2:02 PM, Rick Hillegas wrote: > As of release 10.3, when you boot the network server from the command > line, the server installs a Java SecurityManager with a default policy. > This change (DERBY-2196) limits the ability of hackers, connecting from > arbitrary machines, to use Derby to corrupt the environment in which it > is running. In addition, this change provides a foundation on which we > can add more security features incrementally. As a result of this > change, we have learned more about how Derby behaves when run under a > SecurityManager--that in turn, has helped us discover more permissions > which we need to add to the template used as a starting point for > configuring a Derby security policy. > > Unfortunately, this change has proved painful to some users. See, for > instance, DERBY-3086 and the ongoing discussion on DERBY-3083. > > Now that we have some experience with the 10.3 release, I would like to > ask the community to review the wisdom of this change. Do we still think > that this is the correct default behavior? Or should we consider turning > off this feature in the upcoming 10.3 maintenance release? > > Thanks, > -Rick >