db-derby-user mailing list archives

From "Francois Orsini" <francois.ors...@gmail.com>
Subject Re: Security in Derby
Date Tue, 20 Feb 2007 23:26:21 GMT
To add on Andrew's excellent info:

You can also configure the Derby network server to only accept connections
with secure authentication, by setting the
derby.drda.securityMechanism server property.

http://db.apache.org/derby/docs/dev/adminguide/adminguide-single.html#tadminconfigsettingnetwrokserverproperties
derby.drda.securityMechanism=STRONG_PASSWORD_SUBSTITUTE_SECURITY

Strong (network) password authentication works for the IBM and SUN JVMs.

Yes, the documentation is lacking examples of securityMechanism being set on
the connection URL.

--francois

On 2/20/07, Alexander Trauzzi <atrauzzi@gmail.com> wrote:
>
> This is all very helpful.  I will make a few notes however that you can
> take away from this...
>
> The method to implement encrypted passwords is far too complicated and
> involved for someone like myself who just wants to set up a secure server.
> This is mainly because nothing is said about what has to be done client
> side to ensure that the password being transmitted is what the server will
> end up wanting.  Does the derby client network driver automatically encrypt
> passwords once the property is placed in the connection string?
>
> It seems like there is a glut of property settings being used here on both
> client and server side and my wires are getting crossed trying to keep them
> straight.  Ultimately this is impacting how easy it is to configure a derby
> server.  Perhaps is there an index of connection string and server
> properties somewhere?
>
> How do I distinguish when a setting is for a database, or the system?
>
> Do properties that I set via a configuration file get retained between
> loads - as in, is it a needed only once thing?  Can I delete the file and
> still have its settings taking effect on a database between loads?  Entire
> DB instance?
>
> - Alexander Trauzzi
>
> On 2/20/07, Andrew McIntyre <mcintyre.a@gmail.com> wrote:
> >
> > On 2/20/07, Alexander Trauzzi <atrauzzi@gmail.com> wrote:
> > > Awesome, I'm glad I can collect all these hidden links, but the issue
> > > of per user authentication, similar to what MySQL and other databases
> > > offer is still blocking me.
> >
> > Perhaps the issue here is that the information you are looking for is
> > not in the Server and Administration guide, but in the Developer's
> > guide?
> >
> > Have you read through the "Derby and Security" section here:
> >
> > http://db.apache.org/derby/docs/10.2/devguide/
> >
> > Specifically, to use Derby's built-in user authentication and create
> > the users and passwords for a database:
> >
> > http://db.apache.org/derby/docs/10.2/devguide/cdevcsecure42374.html
> > http://db.apache.org/derby/docs/10.2/devguide/cdevcsecure21547.html
> > http://db.apache.org/derby/docs/10.2/devguide/cdevcsecure864642.html
> >
> > e.g., to create a user 'andrew' with password of 'newderbyuser' you
> > can call, in ij:
> >
> > CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(
> >     'derby.user.andrew', 'newderbyuser')
> >
> > Then to enable the builtin authentication, you need to start the
> > database with the following properties set:
> >
> > derby.connection.requireAuthentication=true
> > derby.authentication.provider=BUILTIN
> >
> > You can set these properties at the database level by calling the set
> > database property procedure, e.g. in ij: CALL
> > SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY (
> > 'derby.connection.requireAuthentication', 'true' );
> >
> > and then shutting down the database engine and reconnecting to the
> > database, as the derby.connection.requireAuthentication property is a
> > static property. For a discussion of static vs. dynamic properties,
> > see the Tuning guide, specifically:
> >
> > http://db.apache.org/derby/docs/10.2/tuning/ctunsetprop44147.html
> > http://db.apache.org/derby/docs/10.2/tuning/rtunproper27467.html
> >
> > If you are connecting to the database over a network, you should
> > consider using a non-cleartext password security mechanism, discussed
> > in the server and admin guide here:
> >
> > http://db.apache.org/derby/docs/10.2/adminguide/cadminapps49914.html
> >
> > Anyway now that all the necessary properties are set, you need to
> > connect to the database with the user and password you set, since
> > authentication is enabled, by adding the appropriate user and password
> > attributes to the JDBC URL, e.g. in ij:
> >
> > connect 'jdbc:derby:myDB;user=andrew;password=newderbyuser';
> >
> > Note that this puts the user by default into the schema of their own
> > username. e.g. if you create a table foo after you log in, it will be
> > in the ANDREW schema, i.e. ANDREW.FOO.
> >
> > You can find further details for setting up user authentication in the
> > PDF that was linked earlier, and in the manuals, but those are the
> > basics.
> >
> > Did that help?
> >
> > cheers,
> > andrew
> >
>
>
>
> --
> _________________________________________________
>
>     Alexander Trauzzi
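
Added example, not part of the original thread or of Derby itself: a small Python check that lines up the server-side properties named above with the attributes on a client connection URL, so a mismatch between the two sides shows up before deployment. It assumes all three server properties live in derby.properties, that the client pins its mechanism with the `securityMechanism` URL attribute using the DRDA numeric codes (8 for STRONG_PASSWORD_SUBSTITUTE_SECURITY), and uses a constructed host, port and database name.

```python
# DRDA mechanism codes for the client's securityMechanism URL attribute, mapped
# to the names accepted by the server's derby.drda.securityMechanism property.
SECMEC = {3: "CLEAR_TEXT_PASSWORD_SECURITY", 4: "USER_ONLY_SECURITY",
          8: "STRONG_PASSWORD_SUBSTITUTE_SECURITY",
          9: "ENCRYPTED_USER_AND_PASSWORD_SECURITY"}
CLEARTEXT = {"CLEAR_TEXT_PASSWORD_SECURITY", "USER_ONLY_SECURITY"}

# Constructed sample inputs; host, port and database name are assumptions.
SAMPLE_PROPERTIES = """\
derby.connection.requireAuthentication=true
derby.authentication.provider=BUILTIN
derby.drda.securityMechanism=STRONG_PASSWORD_SUBSTITUTE_SECURITY
"""
SAMPLE_URL = ("jdbc:derby://localhost:1527/myDB;user=andrew;"
              "password=newderbyuser;securityMechanism=8")


def parse_properties(text):
    """Parse key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def parse_url_attributes(url):
    """Return the ;name=value attributes that follow the database name."""
    return dict(a.split("=", 1) for a in url.split(";")[1:] if "=" in a)


def audit(properties_text, client_url):
    """Return findings; an empty list means server and client settings agree."""
    props = parse_properties(properties_text)
    attrs = parse_url_attributes(client_url)
    findings = []
    if props.get("derby.connection.requireAuthentication", "").lower() != "true":
        findings.append("derby.connection.requireAuthentication is not true")
    if props.get("derby.authentication.provider", "").upper() != "BUILTIN":
        findings.append("derby.authentication.provider is not BUILTIN")
    server = props.get("derby.drda.securityMechanism")
    if server is None or server in CLEARTEXT:
        findings.append("server accepts a cleartext security mechanism")
    code = attrs.get("securityMechanism", "")
    client = SECMEC.get(int(code)) if code.isdigit() else None
    if server is not None and client != server:
        findings.append(f"client securityMechanism {client} != server {server}")
    return findings
```

Properties set at the database level with SYSCS_SET_DATABASE_PROPERTY are not visible to this file-based check and have to be reviewed separately.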
