db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Embretsen <John.Embret...@Sun.COM>
Subject JMX Access Control Proposal
Date Thu, 21 Feb 2008 17:16:17 GMT
Related to DERBY-1387, there is an access control proposal on the wiki at


The proposal is also related to a previous E-mail thread with the subject "JMX
meeting system authorization (DERBY-2109 & 1387)",

I'm starting a new thread here so that we don't deviate too much from "the
Apache way" on the wiki...

1) I noticed that Derby connection authorization (db-authr) is not mentioned in
the proposal. Does this mean that this will be ignored, at least for JMX actions
that do not rely on obtaining a regular JDBC connection to the database from the

2) I'm curious about how this proposal relates to Derby authentication?
I'm still a bit puzzled here, I guess. On the wiki we have noted elsewhere
(regarding database MBeans):

>>>> JHE: If any of *-authc are enabled, the JMX user must pass all 
authentication checks (jmx-authc, derby-authc, db-authc) that are enabled for
this type of access (connecting to this particular database using this
particular Derby system).

>>>  DJD: Why is derby-authc included here, to connect to a database 
derby-authc is not required, so why to administer it?

>> JHE: Isn't passing derby-authc required if it has been enabled 
programmatically, unless derby.database.propertiesOnly=true?

>  DJD: No, to connect to a database only database authentication is needed. 

('db-authc' is defined on the wiki page as "The database-wide property
derby.connection.requireAuthentication is true". 'derby-authc' is the same
property, but system-wide)

My experiments with the client driver and the network server indicate that if
derby.connection.requireAuthentication is enabled programmatically as a system
property, and disabled as a database property, and the
derby.database.propertiesOnly property has not been set, then passing
system-level authentication is required in order to obtain a client connection.
Am I misunderstanding something?


View raw message