db-derby-dev mailing list archives

From "Daniel John Debrunner (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-3014) Make SYSCS_UTIL.SYSCS_GET_DATABASE_PROPERTY('derby.user.<username>') return NULL instead of the hash value of the password
Date Thu, 14 Feb 2008 17:05:09 GMT

    [ https://issues.apache.org/jira/browse/DERBY-3014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12569000#action_12569000 ]

Daniel John Debrunner commented on DERBY-3014:
----------------------------------------------

In the patch this code:

 key.substring(0,11).equals("derby.user.")

really means "does the key start with "derby.user."?". Java's String class already has a method
that implements this, 'startsWith',

thus the code can be simplified to

  key.startsWith("derby.user.")

With Java it's good to read the javadoc of any classes you are using, typically any functionality
you need already exists.

Then software projects usually have defined constants for any literals they need (e.g. Strings
and ints). This has several benefits: changing the value of the constant requires a change in
one place; a defined constant provides more information than just the literal (e.g. READ_COMMITTED
instead of 2) when used; finding out which code depends on the constant can be a search on
the defined constant instead of the value. Imagine trying to find all code that depended
on the literal 2 when 2 might represent different concepts in different contexts; searching
for READ_COMMITTED is much easier.

So in the class org.apache.derby.iapi.reference.Property a defined constant already exists,
USER_PROPERTY_PREFIX, which then changes the code to:

  key.startsWith(Property.USER_PROPERTY_PREFIX)

There are a couple of ways to find such constants:
  - search through the code and thus gain some more understanding of the code
  - ask a question on derby-dev, folks will be happy to point others in the right direction



> Make SYSCS_UTIL.SYSCS_GET_DATABASE_PROPERTY('derby.user.<username>') return NULL instead of the hash value of the password
> ---------------------------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-3014
>                 URL: https://issues.apache.org/jira/browse/DERBY-3014
>             Project: Derby
>          Issue Type: Improvement
>          Components: Security
>            Reporter: Daniel John Debrunner
>            Assignee: R VIDYA LAKSHMI
>         Attachments: DERBY-3014.diff
>
>
> Increases security by providing less information to any attacker. The current returned hash value could be used in an off-line dictionary based attack to find a valid password.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


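The following is an added example written for this archive page; it is not Derby's code and not the DERBY-3014.diff attachment. It shows the masking check the comment above discusses in the form the reviewer asks for (a defined prefix constant plus startsWith), next to the substring(0,11).equals(...) form from the patch. Beyond what the comment says, it also demonstrates why the substring form is fragile: substring(0, 11) throws StringIndexOutOfBoundsException on any key shorter than 11 characters, whereas startsWith simply returns false. The USER_PROPERTY_PREFIX constant here is a local copy assumed to mirror Property.USER_PROPERTY_PREFIX; the getDatabaseProperty method and the property map are hypothetical stand-ins for SYSCS_UTIL.SYSCS_GET_DATABASE_PROPERTY and the database's stored properties, and the property values are constructed placeholders, not real password hashes.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not Derby's own code): hides derby.user.<name> properties
 * from a property lookup so a stored password hash never leaves the engine.
 */
public class UserPropertyMasking {

    // Assumption: a local copy standing in for
    // org.apache.derby.iapi.reference.Property.USER_PROPERTY_PREFIX.
    public static final String USER_PROPERTY_PREFIX = "derby.user.";

    // Constructed sample properties; the "hash" is a placeholder string.
    static Map<String, String> sampleProperties() {
        Map<String, String> props = new HashMap<>();
        props.put("derby.connection.requireAuthentication", "true");
        props.put("derby.user.alice", "placeholder-password-hash");
        return props;
    }

    /**
     * Hypothetical stand-in for SYSCS_GET_DATABASE_PROPERTY: any key under the
     * user-property prefix yields null instead of the stored value.
     */
    static String getDatabaseProperty(Map<String, String> props, String key) {
        if (key.startsWith(USER_PROPERTY_PREFIX)) {
            return null;
        }
        return props.get(key);
    }

    /**
     * The check as written in the patch, kept only to show the failure mode:
     * substring(0, 11) throws StringIndexOutOfBoundsException when key is
     * shorter than 11 characters, so a caller must guard the length first.
     */
    static boolean isUserPropertySubstringForm(String key) {
        return key.substring(0, 11).equals("derby.user.");
    }

    /** Equivalent check using the constant and startsWith; safe on any length. */
    static boolean isUserPropertyStartsWithForm(String key) {
        return key.startsWith(USER_PROPERTY_PREFIX);
    }

    public static void main(String[] args) {
        Map<String, String> props = sampleProperties();

        // A user-property key is masked; an ordinary property is returned as stored.
        System.out.println("derby.user.alice -> "
                + getDatabaseProperty(props, "derby.user.alice"));
        System.out.println("derby.connection.requireAuthentication -> "
                + getDatabaseProperty(props, "derby.connection.requireAuthentication"));

        // A key shorter than the prefix: startsWith handles it, substring does not.
        String shortKey = "derby";
        System.out.println("startsWith form on \"" + shortKey + "\": "
                + isUserPropertyStartsWithForm(shortKey));
        try {
            isUserPropertySubstringForm(shortKey);
        } catch (StringIndexOutOfBoundsException e) {
            System.out.println("substring form on \"" + shortKey + "\" threw: " + e);
        }
    }
}
```

Compile and run with `javac UserPropertyMasking.java && java UserPropertyMasking`. The length caveat matters in this context because the key comes from the caller of a system procedure, so the masking check has to behave on arbitrary input, not only on well-formed derby.user.<name> keys.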