db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Knut Anders Hatlen (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-4483) Provide a way to change the hash algorithm used by BUILTIN authentication
Date Mon, 08 Mar 2010 12:47:27 GMT

    [ https://issues.apache.org/jira/browse/DERBY-4483?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12842642#action_12842642

Knut Anders Hatlen commented on DERBY-4483:

Thanks for looking at the patch and providing these useful comments
and suggestions, Rick! I've added my responses below.

> o Thanks for the extensive write-up explaining how the new code
>   works. It would be helpful if that writeup were included in a
>   header comment somewhere.

That's a good suggestion. Will do that.

> o I did not understand why the prefixes 3b60 and 3b61 were chosen to
>   flag authentication schemes. Since you have been in there and
>   probably understand why those strings are used rather than some
>   other strings, it would be helpful if you could record that
>   reasoning in a comment.

I'm afraid I have no idea where the prefix 3b60 comes from. I
generated 3b61 just by adding 1 to the first prefix. The only
requirement, as far as I can see, is that the prefixes must be
unique. I'll add a comment saying that.

> o The symbol name ID_PATTERN_NEW_SCHEME suggests that there is an
>   even older scheme which might still be used in really old
>   databases. Is that possible? If so, does
>   BasicAuthenticationServiceImpl.encryptPasswordUsingStoredAlgorithm()
>   need to handle another case? If not, it would be less confusing if
>   this symbol were renamed so that it did not suggest an impossibile
>   situation to unwary readers like me.

There is no other scheme that must be handled in the current code. The
naming is probably a remnant from an old Cloudscape release which
contained another ("old") authentication scheme. I think I'll go ahead
with the suggestion from the writeup and rename the "new
authentication scheme" to "SHA-1 authentication scheme" and update
symbol names accordingly.

> o If AuthenticationServiceBase.encryptPassword() really is only used
>   by the newly introduced configurable scheme, it would be helpful
>   if the name of this method indicated that.

There are two encryptPassword() methods with different signatures in
that class; one for the the existing scheme and one for the
configurable scheme. Adding the name of the scheme to those methods
sounds like a good suggestion.

> o I agree that it would be good to add a more specific error message
>   in that method.

Will do that.

> Provide a way to change the hash algorithm used by BUILTIN authentication
> -------------------------------------------------------------------------
>                 Key: DERBY-4483
>                 URL: https://issues.apache.org/jira/browse/DERBY-4483
>             Project: Derby
>          Issue Type: Improvement
>          Components: Services
>    Affects Versions:
>            Reporter: Knut Anders Hatlen
>            Assignee: Knut Anders Hatlen
>            Priority: Minor
>         Attachments: experiment.diff, upgrade-test.diff
> The BUILTIN authentication scheme protects the passwords by hashing them with the SHA-1
algorithm. It would be nice to have way to specify a different algorithm so that users can
take advantage of new, stronger algorithms provided by their JCE provider if so desired.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message