db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Knut Anders Hatlen (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-4483) Provide a way to change the hash algorithm used by BUILTIN authentication
Date Mon, 08 Mar 2010 12:47:27 GMT

    [ https://issues.apache.org/jira/browse/DERBY-4483?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12842642#action_12842642
] 

Knut Anders Hatlen commented on DERBY-4483:
-------------------------------------------

Thanks for looking at the patch and providing these useful comments
and suggestions, Rick! I've added my responses below.

> o Thanks for the extensive write-up explaining how the new code
>   works. It would be helpful if that writeup were included in a
>   header comment somewhere.

That's a good suggestion. Will do that.

> o I did not understand why the prefixes 3b60 and 3b61 were chosen to
>   flag authentication schemes. Since you have been in there and
>   probably understand why those strings are used rather than some
>   other strings, it would be helpful if you could record that
>   reasoning in a comment.

I'm afraid I have no idea where the prefix 3b60 comes from. I
generated 3b61 just by adding 1 to the first prefix. The only
requirement, as far as I can see, is that the prefixes must be
unique. I'll add a comment saying that.

> o The symbol name ID_PATTERN_NEW_SCHEME suggests that there is an
>   even older scheme which might still be used in really old
>   databases. Is that possible? If so, does
>   BasicAuthenticationServiceImpl.encryptPasswordUsingStoredAlgorithm()
>   need to handle another case? If not, it would be less confusing if
>   this symbol were renamed so that it did not suggest an impossibile
>   situation to unwary readers like me.

There is no other scheme that must be handled in the current code. The
naming is probably a remnant from an old Cloudscape release which
contained another ("old") authentication scheme. I think I'll go ahead
with the suggestion from the writeup and rename the "new
authentication scheme" to "SHA-1 authentication scheme" and update
symbol names accordingly.

> o If AuthenticationServiceBase.encryptPassword() really is only used
>   by the newly introduced configurable scheme, it would be helpful
>   if the name of this method indicated that.

There are two encryptPassword() methods with different signatures in
that class; one for the the existing scheme and one for the
configurable scheme. Adding the name of the scheme to those methods
sounds like a good suggestion.

> o I agree that it would be good to add a more specific error message
>   in that method.

Will do that.

> Provide a way to change the hash algorithm used by BUILTIN authentication
> -------------------------------------------------------------------------
>
>                 Key: DERBY-4483
>                 URL: https://issues.apache.org/jira/browse/DERBY-4483
>             Project: Derby
>          Issue Type: Improvement
>          Components: Services
>    Affects Versions: 10.5.3.0
>            Reporter: Knut Anders Hatlen
>            Assignee: Knut Anders Hatlen
>            Priority: Minor
>         Attachments: experiment.diff, upgrade-test.diff
>
>
> The BUILTIN authentication scheme protects the passwords by hashing them with the SHA-1
algorithm. It would be nice to have way to specify a different algorithm so that users can
take advantage of new, stronger algorithms provided by their JCE provider if so desired.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message