db-derby-dev mailing list archives

From John Embretsen <John.Embret...@Sun.COM>
Subject Re: Can Derby authentication be used securely?
Date Wed, 12 Dec 2007 15:33:34 GMT
Rick Hillegas wrote:
> I am trying to figure out how Derby BUILTIN and LDAP authentication can 
> be used without storing a master password in plaintext. I would 
> appreciate the community's advice.
> 
> 1) With BUILTIN authentication, there is no encrypted storage for 
> server-wide credentials. E.g., the credentials needed to authenticate 
> and bring down the Derby engine. I think that these credentials must be 
> supplied in plaintext either in derby.properties or in the script which 
> starts the server.

I think this is true, and it's a pity. It's a classical problem, though, see 
e.g. [1]. It helps to set the file permissions so that derby.properties is 
readable only by the user running the Network Server, but you would have to rely 
on additional layers of security as well.

> Is there a recommended workaround for this vulnerability?

Not sure... Use a different (non-BUILTIN) authentication provider?


[1]: http://www.perlmonks.org/?node_id=441605

-- 
John
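As an added example that is not part of this thread or of Derby's own code: a POSIX shell audit of the two exposures discussed above, whether derby.properties is readable only by its owner, and whether it still carries plaintext BUILTIN credentials. The property names derby.user.<name>, derby.connection.requireAuthentication and derby.authentication.provider are Derby's own BUILTIN settings; the sample file contents, passwords and the function names (audit_derby_properties, check_owner_only, count_builtin_users, make_sample_properties) are constructed for this example.

```shell
#!/bin/sh
# Audit a derby.properties file for two exposures:
#   1. group- or world-readable permissions on the file
#   2. BUILTIN credentials (derby.user.<name>=<password>) stored in plaintext
# The sample file below is constructed for this example, not a real deployment.

# Print the octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if only the owner has any access to the file, 1 otherwise.
check_owner_only() {
    mode=$(file_mode "$1")
    # keep the last three digits; setuid/setgid/sticky bits are irrelevant here
    mode=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')
    group=$(printf '%s' "$mode" | cut -c2)
    other=$(printf '%s' "$mode" | cut -c3)
    [ "$group" = "0" ] && [ "$other" = "0" ]
}

# Print the number of plaintext BUILTIN user definitions (derby.user.<name>=...).
count_builtin_users() {
    grep -c '^[[:space:]]*derby\.user\.[^=]*=' "$1" || true
}

# Full audit: prints findings, returns 0 when nothing is flagged, 1 otherwise.
audit_derby_properties() {
    f=$1
    rc=0
    if ! check_owner_only "$f"; then
        echo "FLAG: $f is readable by group/others (mode $(file_mode "$f"))"
        rc=1
    fi
    n=$(count_builtin_users "$f")
    if [ "$n" -gt 0 ]; then
        echo "FLAG: $f defines $n BUILTIN user(s) with plaintext password(s)"
        rc=1
    fi
    return $rc
}

# Write a constructed sample derby.properties with the requested mode; print its path.
make_sample_properties() {
    p=$(mktemp) || return 1
    cat > "$p" <<'EOF'
# constructed sample for the audit example, not a real deployment
derby.connection.requireAuthentication=true
derby.authentication.provider=BUILTIN
derby.user.admin=changeme
derby.user.app=hunter2
EOF
    chmod "$1" "$p"
    printf '%s\n' "$p"
}

# Stand-alone demo: a world-readable sample is flagged twice; tightening the
# mode removes one finding, but the plaintext derby.user.* entries remain.
sample=$(make_sample_properties 644)
audit_derby_properties "$sample" || echo "-- audit failed on mode 644, as expected"
chmod 600 "$sample"
audit_derby_properties "$sample" || echo "-- still flagged: plaintext credentials remain"
rm -f "$sample"
```

The permission check is the mitigation John mentions; the second check is there because tightening the mode alone does not remove the plaintext password from disk, which is the remaining gap the thread is about. Moving to a non-BUILTIN provider (the LDAP case) makes count_builtin_users report zero.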

