db-derby-dev mailing list archives

From "Lily Wei (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-3532) Invalid & possibly skipped authentication handling when shutting down the network server.
Date Thu, 06 Aug 2009 00:23:14 GMT

    [ https://issues.apache.org/jira/browse/DERBY-3532?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12739839#action_12739839 ]

Lily Wei commented on DERBY-3532:
---------------------------------

I am hesitant about adding a lightweight check in the network server for each client request to see if the embedded engine is running. If there is any good suggestion, I will be happy to try it.

I am trying to fix the JUnit test problem where, when the network server is shutting down, it is using an embedded data source. First try: I changed DriverManagerConnector.shutEngine, hoping to shut down the engine with the network server URL instead of the embedded URL. However, if I use jdbcclient.getUrlBase(), I get an error like:

Caused by: org.apache.derby.client.am.SqlException: The URL 'jdbc:derby://localhost:1527/' is not properly formed.

Second try: if I take out the extra "/" from JDBCClient.DERBYNETCLIENT, I get the error:

Caused by: java.sql.SQLException: Database '/localhost:1527/' not found.

Is there any particular reason we put the comment "Always shutsdown using the embedded URL thus this method will not work in a remote testing environment." in DriverManagerConnector.shutEngine()? I think the writer is reading my mind now. I am open to any suggestion.


> Invalid & possibly skipped authentication handling when shutting down the network server.
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-3532
>                 URL: https://issues.apache.org/jira/browse/DERBY-3532
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.4.1.3, 10.5.1.1
>            Reporter: Daniel John Debrunner
>            Priority: Critical
>         Attachments: ReproDerby3532.java, ReproDerby3532.java
>
>
> In NetworkServerControlImpl.checkShutdownPrivileges() code fetches the internal authentication service to perform user authentication.
> However if no such authentication service is found (null is returned) then authentication is bypassed, this has the potential of being a security hole.
> The discussion in DERBY-2109 indicated that even with authentication NONE, there is still an internal authentication service, thus null is not a valid return when getting the internal authentication service. A secure fail safe system would be to not bypass authentication if null is returned.
> I tried removing the check for null in the method and that lead to NullPointerExceptions. This means that something wrong is going on and very possibly no authentication checks are actually being made when shutting down the network server.
> The null return might be due to checking the authentication after Derby has been shutdown.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
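The fail-open pattern the issue describes (a null authentication service causes the privilege check to be skipped) beside a fail-closed alternative, as an added example; this is not Derby's code and not part of the thread. The AuthenticationService interface, the lookupService() stand-in for the service lookup (returning null once the engine is down, as the reporter suspects happens), and the two checkShutdownPrivileges variants are all hypothetical names chosen for illustration.

```java
/*
 * Added example, not Derby's code. Demonstrates why a null authentication
 * service must deny a shutdown request rather than allow it.
 */
public class ShutdownPrivilegeCheck {

    /** Hypothetical stand-in for the internal authentication service. */
    interface AuthenticationService {
        boolean authenticate(String user, String password);
    }

    /**
     * Hypothetical stand-in for the service lookup. Returns null when the
     * engine is no longer running, which is the situation the issue suspects:
     * authentication being checked after the engine has already shut down.
     */
    static AuthenticationService lookupService(boolean engineRunning,
                                               String expectedUser,
                                               String expectedPassword) {
        if (!engineRunning) {
            return null;
        }
        return (u, p) -> expectedUser.equals(u) && expectedPassword.equals(p);
    }

    /** Fail-open variant: mirrors the pattern described in the issue. */
    static boolean checkShutdownPrivilegesFailOpen(AuthenticationService svc,
                                                   String user, String password) {
        if (svc == null) {
            return true; // BUG: a missing service means no check at all
        }
        return svc.authenticate(user, password);
    }

    /** Fail-closed variant: a missing service refuses the request. */
    static boolean checkShutdownPrivilegesFailClosed(AuthenticationService svc,
                                                     String user, String password) {
        if (svc == null) {
            throw new IllegalStateException(
                "authentication service unavailable; refusing shutdown");
        }
        return svc.authenticate(user, password);
    }

    public static void main(String[] args) {
        // Constructed scenario 1: engine already down, so the lookup yields null.
        AuthenticationService down = lookupService(false, "admin", "s3cret");
        System.out.println("fail-open, engine down, wrong credentials -> "
            + checkShutdownPrivilegesFailOpen(down, "anyone", "wrong")); // true
        try {
            checkShutdownPrivilegesFailClosed(down, "anyone", "wrong");
        } catch (IllegalStateException e) {
            System.out.println("fail-closed, engine down -> " + e.getMessage());
        }

        // Constructed scenario 2: engine up, check runs before shutdown.
        AuthenticationService up = lookupService(true, "admin", "s3cret");
        System.out.println("fail-closed, engine up, wrong credentials -> "
            + checkShutdownPrivilegesFailClosed(up, "anyone", "wrong"));  // false
        System.out.println("fail-closed, engine up, right credentials -> "
            + checkShutdownPrivilegesFailClosed(up, "admin", "s3cret"));   // true
    }
}
```

The point the two variants make is the one the reporter raises: the null branch must deny (throw or return false), and the privilege check must run while the engine that owns the authentication service is still up, so that the null case is a genuine error rather than an expected consequence of ordering.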

