db-derby-user mailing list archives

From Rick Hillegas <Richard.Hille...@Sun.COM>
Subject Re: extend user authentication for storing user roles
Date Tue, 09 Jun 2009 13:35:21 GMT
Hi Damian,

You may be able to get what you want by doing the following:

1) Create a table which stores credentials and roles, as you've described

2) Write a user-defined authenticator, which uses that table in order to 
perform database-side authentication

Plugging in a user-defined authenticator should be easy. You need to 
write a class which implements 
org.apache.derby.authentication.UserAuthenticator. This is described in 
the Developer's Guide: 
http://db.apache.org/derby/docs/10.5/devguide/devguide-single.html#cdevcsecure42374 
Just scroll down to the section which shows an "Example of setting a 
user-defined class".

Hope this helps,
-Rick

Damian Hofmann wrote:
> Hi
>
> I'm new to Derby and have a question about extending user authentication.
>
> I'm developing a multiuser rich client application that connects 
> directly to a derby server. The clients should authenticate themselves 
> via user name and password. Business logic requires that each user is 
> given a user role. The user role tells the client what features the 
> user may use and what features aren't permitted. My current idea is 
> to create a user table with user name, password-hash and user-role. 
> This should work fine for users that only use the client application.
>
> But I think there is a problem with this. The whole 
> authentication-logic only exists in the clients. The server still 
> isn't protected. Anyone with some knowledge about SQL can connect to the 
> database server and do anything, ignoring the user permissions 
> completely. From the Developer's Guide I've learned that Derby offers 
> an authentication mechanism to authenticate users to the database 
> system. This should prevent this scenario.
>
> I don't know how to best combine Derby's user authentication with my 
> user roles table. Is there a way to extend the user authentication in 
> such a way that not only user name and password are stored, but also 
> additional data? Or do you see another (better) way to satisfy both 
> requirements? Do I really have to manage two sets of user data?
>
> Thanks for your advice
> Damian
>
>
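
A sketch of the two steps suggested in the reply above, as an added example that is not code from the thread or from the Derby project. It implements `org.apache.derby.authentication.UserAuthenticator` against a credentials table. Assumptions (all hypothetical names): a table `APP_USERS(USER_NAME, SALT, PW_HASH, ROLE)` in the schema of a service account `authsvc` inside a separate database `credentialsDB`, binary `SALT`/`PW_HASH` columns, PBKDF2 as the password hash, and the service secret supplied through the JVM property `app.auth.svcSecret`.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.sql.*;
import java.util.Properties;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.derby.authentication.UserAuthenticator;

// Added example. APP_USERS, its columns, credentialsDB, authsvc and the
// app.auth.svcSecret property are hypothetical names, not Derby defaults.
public class TableAuthenticator implements UserAuthenticator {
    private static final String CRED_URL = "jdbc:derby:credentialsDB";
    private static final String SVC_USER = "authsvc";

    public TableAuthenticator() {}  // Derby instantiates the class by name

    public boolean authenticateUser(String userName, String userPassword,
            String databaseName, Properties info) throws SQLException {
        // Fail closed on missing or empty credentials.
        if (userName == null || userPassword == null || userPassword.isEmpty()) return false;
        String secret = System.getProperty("app.auth.svcSecret", "");
        if (SVC_USER.equals(userName)) {
            // The lookup below re-enters this method; accept only the service secret.
            return !secret.isEmpty() && MessageDigest.isEqual(
                userPassword.getBytes(StandardCharsets.UTF_8),
                secret.getBytes(StandardCharsets.UTF_8));
        }
        try (Connection c = DriverManager.getConnection(CRED_URL, SVC_USER, secret);
             PreparedStatement ps = c.prepareStatement(
                 "SELECT SALT, PW_HASH FROM APP_USERS WHERE USER_NAME = ?")) {
            ps.setString(1, userName);  // bound parameter, never concatenated
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return false;  // unknown user
                byte[] salt = rs.getBytes(1), expected = rs.getBytes(2);
                if (salt == null || salt.length == 0) return false;
                if (expected == null || expected.length == 0) return false;
                // Constant-time comparison of stored and recomputed hash.
                return MessageDigest.isEqual(expected, pbkdf2(userPassword, salt, expected.length));
            }
        }
    }

    // PBKDF2 is this example's choice; the thread only says "password-hash".
    static byte[] pbkdf2(String pw, byte[] salt, int lenBytes) throws SQLException {
        try {
            PBEKeySpec spec = new PBEKeySpec(pw.toCharArray(), salt, 100_000, lenBytes * 8);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new SQLException("password hashing unavailable", e);
        }
    }
}
```

Derby calls the class once `derby.authentication.provider` is set to its fully qualified name and `derby.connection.requireAuthentication` is `true`; the client can then read its `ROLE` from the same table after a successful connection.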

