db-derby-dev mailing list archives

From Rick Hillegas <Richard.Hille...@Sun.COM>
Subject Can Derby authentication be used securely?
Date Tue, 11 Dec 2007 16:25:26 GMT
I am trying to figure out how Derby BUILTIN and LDAP authentication can 
be used without storing a master password in plaintext. I would 
appreciate the community's advice.

1) With BUILTIN authentication, there is no encrypted storage for 
server-wide credentials, e.g., the credentials needed to authenticate 
and bring down the Derby engine. I think that these credentials must be 
supplied in plaintext either in derby.properties or in the script which 
starts the server.

2) With LDAP authentication, I think that the master LDAP password 
(derby.authentication.ldap.searchAuthPW) must be stored in plaintext the 
same way.

Am I confused? Is there a recommended workaround for this vulnerability?

Thanks,
-Rick
