db-derby-user mailing list archives

From "Jean T. Anderson" <...@bristowhill.com>
Subject Re: [generic question] derby and password
Date Tue, 15 Nov 2005 17:37:57 GMT
Xavier Vigouroux wrote:
> Hi
> In my project, I create a database that is accessed afterwards.
> at creation, I would like to "secure" the access.
> as a dummy question, what is the usual way to secure an access to the DB
> whereas the user is never in the loop. All must be done programmatically?

This isn't a dumb question at all -- it's an excellent question for 
Derby because you don't find derby databases in the typical place behind 
a locked door.

Derby has a bunch of strategies. Here's a quick overview to help you 
decide which one might be right for your application.

*Authentication* restricts access to a database (or all databases in a 
system) given a userid and password. Here's an intro to authentication: 
http://db.apache.org/derby/docs/dev/devguide/cdevcsecure42374.html .

*Authorization* restricts access to objects in a database -- without a 
user in the loop, you might not need this, but here's info on it: 
http://db.apache.org/derby/docs/dev/devguide/cdevcsecure36595.html . 
Also, DERBY-464 adds grant/revoke, but isn't implemented yet.

*Encryption* lets you secure the physical database files -- it encrypts 
all the data in tables, indexes, temporary files, the transaction log. 
It's great for protecting databases on devices that can't be secured. 
Information is here: 
http://db.apache.org/derby/docs/dev/devguide/cdevcsecure24366.html .

You can also run your application under a Java 2 Security Manager, which 
is especially useful for when you want to allow remote client access 
using the Derby Network Server. Information is here: 
http://db.apache.org/derby/docs/dev/devguide/cdevcbabejdfj.html . 
However, be aware that the sample policy files aren't quite right 
(DERBY-701), so if you run into any problems, feel free to ask for help.

Dan Debrunner did a "Securing Data with Apache Derby" at ApacheCon US 
2004; you can download his presentation from 
http://db.apache.org/derby/papers/ApacheConUs04.html .

I'll be doing an "Apache Derby Security" presentation at ApacheCon US in 
December -- shameless plug.  :-) I'm hoping to see lots of users there.



ps. There's also a developerWorks tutorial that shows how to work with 
derby and signed jar files, but I haven't had time to look at it yet: 

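Added example, not part of the original message or Derby's own code: one way to combine the encryption and authentication strategies described above when a program creates the database with no user in the loop. The database name, user name and environment variable names are assumptions; it needs the embedded Derby driver on the classpath (JDBC 4 auto-loading assumed) and uses Derby's BUILTIN authentication provider.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class SecureDerbyCreate {
    static final String URL = "jdbc:derby:secureDB";   // hypothetical database name
    static final String APP_USER = "appuser";          // hypothetical user name

    // Stores a database-wide property inside the database itself.
    static void setProp(Connection c, String key, String value) throws SQLException {
        try (CallableStatement cs = c.prepareCall(
                "CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(?, ?)")) {
            cs.setString(1, key);
            cs.setString(2, value);
            cs.execute();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Secrets come from the deployment (assumed environment variables), never from source.
        String bootPw = System.getenv("DERBY_BOOT_PASSWORD");   // Derby requires 8+ characters
        String userPw = System.getenv("DERBY_APP_PASSWORD");
        if (bootPw == null || bootPw.length() < 8 || userPw == null)
            throw new IllegalStateException("set DERBY_BOOT_PASSWORD (8+ chars) and DERBY_APP_PASSWORD");

        Properties p = new Properties();   // attributes as Properties, so secrets stay out of the URL
        p.setProperty("create", "true");
        p.setProperty("dataEncryption", "true");   // encrypt the database from the moment it is created
        p.setProperty("bootPassword", bootPw);
        try (Connection c = DriverManager.getConnection(URL, p)) {
            setProp(c, "derby.user." + APP_USER, userPw);                    // define the user first
            setProp(c, "derby.database.fullAccessUsers", APP_USER);
            setProp(c, "derby.database.defaultConnectionMode", "noAccess");  // everyone else: no access
            setProp(c, "derby.authentication.provider", "BUILTIN");
            setProp(c, "derby.connection.requireAuthentication", "true");
            setProp(c, "derby.database.propertiesOnly", "true");   // system properties cannot override
        }
        Properties down = new Properties();
        down.setProperty("shutdown", "true");
        down.setProperty("user", APP_USER);
        down.setProperty("password", userPw);
        try {
            DriverManager.getConnection(URL, down);   // shut down so the next boot applies the settings
        } catch (SQLException e) {
            if (!"08006".equals(e.getSQLState())) throw e;   // 08006 signals a normal database shutdown
        }
    }
}
```

After this runs, booting the database needs the `bootPassword` attribute and every connection needs the `user` and `password` attributes. Later Derby releases add NATIVE authentication as an alternative to BUILTIN.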