Rick Hillegas wrote:
> I am trying to figure out how Derby BUILTIN and LDAP authentication can
> be used without storing a master password in plaintext. I would
> appreciate the community's advice.
>
> 1) With BUILTIN authentication, there is no encrypted storage for
> server-wide credentials. E.g., the credentials needed to authenticate
> and bring down the Derby engine. I think that these credentials must be
> supplied in plaintext either in derby.properties or in the script which
> starts the server.
I think this is true, and it's a pity. It's a classical problem, though, see
e.g. [1]. It helps setting the file permissions so that derby.properties is
readable only by the user running the Network Server, but you would have to rely
on additional layers of security as well.
> Is there a recommended workaround for this vulnerability?
Not sure... Use a different (non-BUILTIN) authentication provider?
[1]: http://www.perlmonks.org/?node_id=441605
--
John
|