db-derby-user mailing list archives

From Daniel John Debrunner <...@debrunners.com>
Subject Re: Server questions
Date Mon, 11 Apr 2005 16:53:14 GMT
Andrew Shuttlewood wrote:

> Firstly, is it possible to authenticate server connections differently
> from embedded connections? I wish embedded connections to have
> substantially more rights than the network connections, and be able to
> deny access to databases and restrict to read-only rights to the
> network.

Technically yes for authentication, Derby supports application defined
authentication by the application implementing a Java class
(org.apache.derby.authentication.UserAuthenticator) that implements a
Derby interface.

See

http://incubator.apache.org/derby/manuals/tuning/perf68.html#HDRSII-PROPER-13766

http://incubator.apache.org/derby/manuals/develop/develop92.html#Header_161

Also this presentation may be useful

http://incubator.apache.org/derby/binaries/djd_derby_security.pdf

A connection request from the network server will include the property
drdaID while an embedded connection will not. So you could have a Java
class that implemented UserAuthenticator, performed authentication and
based some of its decision making on the presence of the drdaID property.
[I think this is correct, you probably need to check that the drdaID
property is not present on an embedded request]

This is only for authentication, i.e. can the connection request be made
to the database or not. For authorization, limiting what an authenticated
connection can do, you are maybe more limited. Derby supports limited
authorization at the moment, no access, read-only or read-write. You
could look at the scheme and see if it could handle what you need.

Dan.
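
An added example, not part of the original message or of Derby's own code: one way to write the authenticator described above, accepting embedded connections for any valid user while limiting network server connections to an allow-list. The class name, users, passwords and database names are constructed for illustration, and the drdaID check relies on the behaviour the message describes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.sql.SQLException;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import org.apache.derby.authentication.UserAuthenticator;

// Hypothetical class. Enable it with these Derby properties:
//   derby.connection.requireAuthentication=true
//   derby.authentication.provider=NetworkAwareAuthenticator
public class NetworkAwareAuthenticator implements UserAuthenticator {
    // Constructed sample data; a real deployment would consult a credential store.
    private static final Map<String, String> PASSWORDS =
        Map.of("admin", "admin-secret", "report", "report-secret");
    // Users and databases that may be reached through the network server.
    private static final Set<String> NETWORK_USERS = Set.of("report");
    private static final Set<String> NETWORK_DATABASES = Set.of("reportsdb");

    @Override
    public boolean authenticateUser(String userName, String userPassword,
            String databaseName, Properties info) throws SQLException {
        if (userName == null || userPassword == null) {
            return false;
        }
        String expected = PASSWORDS.get(userName);
        if (expected == null || !constantTimeEquals(expected, userPassword)) {
            return false;
        }
        // Assumption from the message: only network server requests carry drdaID.
        // Verify this on your Derby version; if it does not hold, this check fails open.
        boolean viaNetwork = info != null && info.containsKey("drdaID");
        if (!viaNetwork) {
            return true; // embedded connection: any valid user, any database
        }
        // Network connection: deny by default, allow only listed users and databases.
        return databaseName != null
            && NETWORK_USERS.contains(userName)
            && NETWORK_DATABASES.contains(databaseName);
    }

    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

This class only decides whether a connection is accepted; restricting an accepted network connection to read-only is a matter for Derby's connection authorization settings, not the authenticator.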




