From: "Knut Anders Hatlen (JIRA)"
To: derby-dev@db.apache.org
Date: Mon, 14 May 2012 11:13:28 +0000 (UTC)
Message-ID: <770899119.60965.1336994019210.JavaMail.tomcat@hel.zones.apache.org>
In-Reply-To: <2070737054.55394.1336759368407.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Commented] (DERBY-5762) Consider storing a normalized authorization id in SYS.SYSUSERS in order to make NATIVE procedures follow the same casing conventions for usernames which we use on connection urls

[ https://issues.apache.org/jira/browse/DERBY-5762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13274554#comment-13274554 ]

Knut Anders Hatlen commented on DERBY-5762:
-------------------------------------------

Looks good to me too. Thanks, Rick!

> Consider storing a normalized authorization id in SYS.SYSUSERS in order to make NATIVE procedures follow the same casing conventions for usernames which we use on connection urls
> ------------------------------------------------------------------------------
>
>                 Key: DERBY-5762
>                 URL: https://issues.apache.org/jira/browse/DERBY-5762
>             Project: Derby
>          Issue Type: Improvement
>    Affects Versions: 10.9.0.0
>            Reporter: Rick Hillegas
>         Attachments: derby-5762-01-aa-normalizeNativeProcArg.diff, derby-5762.sql
>
>
> Right now if you want to connect with a lowercase authorization id, you need to double-quote it:
> connect 'jdbc:derby:db;user="dbo";password=dbo_password';
> But you don't use double-quotes when creating NATIVE credentials for that user:
> call syscs_util.syscs_create_user( 'dbo', 'dbo_password' );
> I will attach a proof-of-concept patch which causes the NATIVE procedures to normalize USERNAME arguments before using them to key into SYS.SYSUSERS. This preserves the following feature of the current implementation:
> 1) Only one set of NATIVE credentials can be stored for a given authorization id. Note that this differs from the behavior of other authentication schemes. The other authentication schemes let you store a set of credentials for every upper/lower-case permutation of the authorization id. To me, this seems like a big security hole in those other authentication schemes.
> In addition, the proof-of-concept patch has the following behavior:
> 2) You connect with the same username string which you use when calling syscs_util.syscs_create_user.
> If this seems like the right casing behavior, I will write some tests and check this in.
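
The casing behavior discussed in the quoted issue, as an added Java example that is not Derby's code and not the attached patch: it keys a credential table on the normalized authorization id and, for contrast, on the raw username string. The names `normalize` and `UserTable` are hypothetical, and the rule used (unquoted names are uppercased, double-quoted names keep their case) is an assumption based on the connection examples in the description.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

public class AuthIdNormalization {
    // Assumed normalization rule (SQL identifier casing): a double-quoted
    // name keeps its case, with "" unescaped to "; anything else is uppercased.
    static String normalize(String userName) {
        int n = userName.length();
        if (n >= 2 && userName.charAt(0) == '"' && userName.charAt(n - 1) == '"') {
            return userName.substring(1, n - 1).replace("\"\"", "\"");
        }
        return userName.toUpperCase(Locale.ENGLISH);
    }

    // Hypothetical credential table. 'normalizeKeys' switches between keying
    // on the normalized authorization id and keying on the raw string.
    static final class UserTable {
        private final Map<String, String> rows = new HashMap<>();
        private final boolean normalizeKeys;

        UserTable(boolean normalizeKeys) { this.normalizeKeys = normalizeKeys; }

        // The stored value stands in for the credential; returns false when
        // the key already has credentials, so the second set is rejected.
        boolean createUser(String userName, String credential) {
            String key = normalizeKeys ? normalize(userName) : userName;
            return rows.putIfAbsent(key, credential) == null;
        }

        int size() { return rows.size(); }
    }

    public static void main(String[] args) {
        // Constructed sample input: three spellings that all normalize to
        // the same authorization id, plus one delimited lowercase id.
        String[] names = { "dbo", "Dbo", "DBO", "\"dbo\"" };
        UserTable raw = new UserTable(false);
        UserTable normalized = new UserTable(true);
        for (String name : names) {
            boolean rawStored = raw.createUser(name, "credential-for-" + name);
            boolean normStored = normalized.createUser(name, "credential-for-" + name);
            System.out.printf("%-6s -> id %-4s rawStored=%b normalizedStored=%b%n",
                    name, normalize(name), rawStored, normStored);
        }
        System.out.println("raw rows: " + raw.size()
                + ", normalized rows: " + normalized.size());
    }
}
```

Keyed on the raw string, the table accepts a separate credential row for each spelling even though three of them resolve to the same authorization id; keyed on the normalized id, it keeps one row per authorization id.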