Return-Path: Delivered-To: apmail-db-derby-dev-archive@www.apache.org Received: (qmail 20150 invoked from network); 29 Feb 2008 05:15:55 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 29 Feb 2008 05:15:55 -0000 Received: (qmail 71874 invoked by uid 500); 29 Feb 2008 05:15:47 -0000 Delivered-To: apmail-db-derby-dev-archive@db.apache.org Received: (qmail 71832 invoked by uid 500); 29 Feb 2008 05:15:47 -0000 Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: Delivered-To: mailing list derby-dev@db.apache.org Received: (qmail 71634 invoked by uid 99); 29 Feb 2008 05:15:47 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 28 Feb 2008 21:15:46 -0800 X-ASF-Spam-Status: No, hits=-2000.0 required=10.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.140] (HELO brutus.apache.org) (140.211.11.140) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 29 Feb 2008 05:15:08 +0000 Received: from brutus (localhost [127.0.0.1]) by brutus.apache.org (Postfix) with ESMTP id 7B2A9234C043 for ; Thu, 28 Feb 2008 21:14:51 -0800 (PST) Message-ID: <256634530.1204262091503.JavaMail.jira@brutus> Date: Thu, 28 Feb 2008 21:14:51 -0800 (PST) From: "Daniel John Debrunner (JIRA)" To: derby-dev@db.apache.org Subject: [jira] Commented: (DERBY-3477) Make format principal names in SystemPermission (e.g. policy files) match the standard way Derby handles authorization identifiers in a Java context. In-Reply-To: <1057691184.1204142991090.JavaMail.jira@brutus> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org [ https://issues.apache.org/jira/browse/DERBY-3477?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573594#action_12573594 ] Daniel John Debrunner commented on DERBY-3477: ---------------------------------------------- I think this work-around in the current format permission handling introduces a security hole: + principals.add(new SystemPrincipal(user)); + principals.add(new SystemPrincipal(getAuthorizationId(user))); This jumps out as wrong to me as SystemPrincipal is being passed a user names in two forms, one in a string form that corresponds to a SQL identifier format (including support for delimited identifiers), the other in a common-normal-form. Any time one passes different concepts to the same code it's a recipe for bugs. Say the user name is a delimited identifier, user="fred", e.g. in a java program the URL might look like: String url = "jdbc:derby:db;user=\"fred\";password=8dkkw"; then the common form of the name is fred. Then the Subject has two SystemPrincipals "fred" and fred. Now a grant in the policy file of grant principal org.apache.derby.authentication.SystemPrincipal "fred"; will successfully grant the permission to this user. Though the intention is that the permission is granted to the authentication id that has FRED as its cnf. Now lets see what happens is the user=fred, ie. String url = "jdbc:derby:db;user=fred;password=de7343"; thus it has a cnf of FRED. Thus the subject has two SystemPrincipals, fred and FRED Now that previous grant also works for this user. Thus a single grant that was intended for a single user actually satisfies two users, that's a security hole. > Make format principal names in SystemPermission (e.g. policy files) match the standard way Derby handles authorization identifiers in a Java context. > ----------------------------------------------------------------------------------------------------------------------------------------------------- > > Key: DERBY-3477 > URL: https://issues.apache.org/jira/browse/DERBY-3477 > Project: Derby > Issue Type: Sub-task > Components: Security > Reporter: Daniel John Debrunner > > Expected format described in: > https://issues.apache.org/jira/browse/DERBY-2109?focusedCommentId=12561537#action_12561537 > Comments in DERBY--2109 around patch 10 indicate some issue around implementing this, it would be good to see the code that attempted to implement it to help figure out the problem. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.