db-derby-dev mailing list archives

From "Dag H. Wanvik (JIRA)" <j...@apache.org>
Subject [jira] Updated: (DERBY-3673) Add checks that a new role isn't already a user authorization id
Date Thu, 22 May 2008 00:01:56 GMT

     [ https://issues.apache.org/jira/browse/DERBY-3673?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik updated DERBY-3673:

    Attachment: derby-3673-3.diff

A small corner case fix which escapes " inside a quoted identifier in
Tested manually since this code path is hard to reach in the regression tests
(to reach it requires a user defined as a JVM property + default security manager).

   java '-Dderby.user."f""OO"=foo' org.apache.derby.drda.NetworkServerControl start

and then trying to do:

   create role "f""OO";


  ERROR X0Y68: User 'f"OO' already exists.

> Add checks that a new role isn't already a user authorization id
> ----------------------------------------------------------------
>                 Key: DERBY-3673
>                 URL: https://issues.apache.org/jira/browse/DERBY-3673
>             Project: Derby
>          Issue Type: Sub-task
>            Reporter: Dag H. Wanvik
>            Assignee: Dag H. Wanvik
>             Fix For:
>         Attachments: derby-3673-1.diff, derby-3673-1.diff, derby-3673-1.stat, derby-3673-2.diff,
>                      derby-3673-2.stat, derby-3673-3.diff, derby-3673-3a-javadoc_fixes.diff
> Derby currently does not have dictionary information about legal users.
> Authentication is configurable as being derby internal, LDAP based, or
> user supplied.
> SQL specifies that user ids and role names go in the same namespace
> (authorization ids).  Therefore, at role creation time, a new role
> name should be checked against legal users for this database, and be
> defined if there is already a user id by that name.
> Unfortunately, since there is currently no reliable dictionary
> information about legal users, the best we can do presently is perform
> heuristic checks that a proposed role id is not already a user id.
> Since the check cannot be reliable, we should also add a check to
> prohibit connecting with a user id that is a known role id.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
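
The identifier handling behind this corner case, as an added example that is not part of the original message and is not Derby's code: both the `derby.user.<id>` property key and the proposed role name are reduced to one normal form before they are compared, so `"f""OO"` matches the user `f"OO`. The class and method names are hypothetical, and the sketch assumes user ids from properties follow the ordinary SQL identifier rules (unquoted ids fold to upper case).

```java
import java.util.*;

// Added illustration; not Derby's implementation. Class and method names are hypothetical.
public class RoleUserCollisionCheck {
    static final String USER_PREFIX = "derby.user.";

    // SQL normal form: regular identifiers fold to upper case; delimited ones
    // lose the outer quotes, keep their case, and have "" collapsed to ".
    static String normalize(String id) {
        if (id.length() >= 2 && id.startsWith("\"") && id.endsWith("\"")) {
            String body = id.substring(1, id.length() - 1);
            StringBuilder out = new StringBuilder();
            for (int i = 0; i < body.length(); i++) {
                char c = body.charAt(i);
                if (c == '"') { // must be the first half of an escaped pair
                    if (i + 1 >= body.length() || body.charAt(i + 1) != '"')
                        throw new IllegalArgumentException("malformed identifier: " + id);
                    i++; // skip the second quote of the pair
                }
                out.append(c);
            }
            if (out.length() == 0) throw new IllegalArgumentException("empty identifier");
            return out.toString();
        }
        if (id.isEmpty() || id.indexOf('"') >= 0)
            throw new IllegalArgumentException("malformed identifier: " + id);
        return id.toUpperCase(Locale.ENGLISH);
    }

    // Collect user ids defined as derby.user.<id> properties, in normal form.
    static Set<String> knownUsers(Properties props) {
        Set<String> users = new HashSet<>();
        for (String key : props.stringPropertyNames())
            if (key.startsWith(USER_PREFIX))
                users.add(normalize(key.substring(USER_PREFIX.length())));
        return users;
    }

    public static void main(String[] args) {
        Properties p = new Properties(); // constructed sample configuration
        p.setProperty("derby.user.\"f\"\"OO\"", "foo");
        p.setProperty("derby.user.alice", "pw");
        Set<String> users = knownUsers(p);
        for (String role : new String[] {"\"f\"\"OO\"", "Alice", "\"alice\"", "auditor"}) {
            String id = normalize(role);
            System.out.println(role + " -> " + (users.contains(id) ? "User '" + id + "' already exists." : "ok"));
        }
    }
}
```

Comparing the raw strings instead of the normal forms would let a role such as `Alice` be created alongside the user `alice`, which is the namespace collision the issue is meant to prevent.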