db-derby-dev mailing list archives

From "Dag H. Wanvik (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-3681) When authenticating a user at connect time, verify that the user provided is not also a defined role name.
Date Thu, 22 May 2008 18:49:55 GMT

    [ https://issues.apache.org/jira/browse/DERBY-3681?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12599117#action_12599117 ]

Dag H. Wanvik commented on DERBY-3681:
--------------------------------------

Thanks for comments, Knut! The RolesTest simplifications are nice :)

> I'm not sure that the change in DriverManagerConnector is correct.
> Using the default user ensures that the DBO is the same regardless
> of whether the database was created in that test or not. Not sure if this
> matters to any of the tests, though, I just wanted to raise the issue.

Yes, I did consider this, but felt it was a very weird way of creating the database, and the
connection returned would be with another current user than the one requested, which seems
plain wrong to me. Anyway, I ran the regression tests successfully, so it seems this behavior
is not counted upon.

As far as checking the dictionary version, it seems DataDictionary#checkVersion is the one
to use. The parser uses this, too. Interestingly, if the feature supplied is non-null it throws
if the version is not new enough; if the feature is null, it returns false... Struck me as a bit odd.

> When authenticating a user at connect time, verify that the user provided is not also a defined role name.
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-3681
>                 URL: https://issues.apache.org/jira/browse/DERBY-3681
>             Project: Derby
>          Issue Type: Sub-task
>          Components: Security
>            Reporter: Dag H. Wanvik
>            Assignee: Dag H. Wanvik
>             Fix For: 10.5.0.0
>
>         Attachments: derby-3681-1.diff, derby-3681-1.stat
>
>
> Although we try to avoid creating roles that are not also valid Derby users (see DERBY-3673),
> we cannot in general know for sure that no such user exists; it could be added to
> derby.properties after the role has been created, authentication could be LDAP or
> user-defined, in which cases the check at role creation time will not work. So, in order to
> avoid collisions between user identifiers and role identifiers, we should check at connect
> time that there is no role by the same name as the supplied user name.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
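
The collision the issue description warns about, as an added example that is not part of the original message and is not Derby's code: a small Java model, with hypothetical names (`RoleUserCollisionDemo`, `createRole`, `connectChecked`), in which a user is added after a role of the same name was created. It assumes plain string names; identifier case normalization and real authentication (LDAP, user-defined) are left out.

```java
import java.util.HashSet;
import java.util.Set;

/** Toy model (not Derby code) of why a create-time check alone is not enough. */
public class RoleUserCollisionDemo {
    // Hypothetical stand-ins: users known to the authentication source
    // (e.g. entries in derby.properties) and roles stored in the database.
    private final Set<String> users = new HashSet<>();
    private final Set<String> roles = new HashSet<>();

    void addUser(String name) { users.add(name); }

    /** Create-time check: only sees the users that exist right now. */
    void createRole(String name) {
        if (users.contains(name)) {
            throw new IllegalStateException("role name collides with user: " + name);
        }
        roles.add(name);
    }

    /** Connect without the extra check: any authenticated user is accepted. */
    boolean connectUnchecked(String user) {
        return users.contains(user);
    }

    /** Connect-time check: also reject a user whose name is a defined role. */
    boolean connectChecked(String user) {
        if (!users.contains(user)) {
            return false;               // authentication failed
        }
        return !roles.contains(user);   // collision => refuse the connection
    }

    public static void main(String[] args) {
        RoleUserCollisionDemo db = new RoleUserCollisionDemo();
        db.addUser("alice");            // constructed sample names
        db.createRole("reader");        // passes: no user "reader" exists yet
        db.addUser("reader");           // user added after the role was created

        System.out.println("unchecked connect as reader: " + db.connectUnchecked("reader"));
        System.out.println("checked connect as reader:   " + db.connectChecked("reader"));
        System.out.println("checked connect as alice:    " + db.connectChecked("alice"));
    }
}
```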

