db-derby-user mailing list archives

From Rick Hillegas <rick.hille...@oracle.com>
Subject Re: AZQRE: Authentication and passwords in derby.properties
Date Tue, 17 Jan 2012 20:39:45 GMT
Hi Rob,

If I understand your needs correctly, you want to be able to do the 
following:

1) Store credentials in a database managed by a Derby NetworkServer.

2) Prevent random users from creating databases on the server machine by 
running ij from their client desktops.

Unfortunately, you don't have a lot of options with Derby's BUILTIN 
authentication scheme. Either a) you expose the plaintext credentials in 
system properties or the derby.properties file, or b) you store the 
credentials in a Derby database where they can't be used to authenticate 
system-wide operations like database creation and engine shutdown. I 
believe that your options are:

A) Use LDAP authentication on the server machine. See 
http://db.apache.org/derby/docs/10.8/devguide/devguide-single.html#cdevcsecure38522

B) Write your own custom authenticator which runs on the server machine 
and stores credentials in a Derby database. See 
http://db.apache.org/derby/docs/10.8/publishedapi/jdbc4/

C) Wait for release 10.9. In 10.9 we expect to introduce NATIVE 
authentication. NATIVE authentication will store credentials in a Derby 
database and let you use them to authenticate system-wide operations 
like database creation and engine shutdown. For more information, see 
the UserManagement.html spec attached to DERBY-866.

Hope this helps,
-Rick

On 1/17/12 12:06 PM, Robert DiPietro wrote:
> Thanks for your response Kristian.
>
> Following your ij session... it works and access to the 'mdb' instance is restricted
> to the 'mdb' database user. But someone can then still run ij and create other databases and
> users. This is what I am trying to avoid.
>
> I was hoping there was a way to do this without having a system level username/password
> defined in derby.properties in plain text.
>
> So is that possible?
>
> Thanks again,
>
> Rob DiPietro
>
> -----Original Message-----
> From: Kristian Waagan [mailto:kristian.waagan@oracle.com]
> Sent: Tuesday, January 17, 2012 1:52 AM
> To: derby-user@db.apache.org
> Subject: Re: Authentication and passwords in derby.properties
>
> On 16.01.12 16:05, Robert DiPietro wrote:
>> Hi Knut,
>>
>> Thanks for your response. I tried setting the properties with derby completely lowercase
>> and still don't seem to be having much luck with what I am trying to do.
>>
>> I have tried this a few different ways. Let me try to step through what I'm doing
>> (and trying to do) and maybe you'll catch where I am going wrong:
>>
>> Here's what my derby.properties looks like (with auth disabled and the system level
>> user disabled).
>>
>> #derby.connection.requireAuthentication=true
>> #derby.authentication.provider=BUILTIN
>> #derby.user.adminuser=adminpass
>> derby.drda.portNumber=9947
>> derby.drda.host=0.0.0.0
>> derby.infolog.append=true
>> derby.stream.error.file=C:/logs/javaserver_derby.log
>>
>> We have Derby running inside of a Tomcat process/service. I use RazorSQL as my interface
>> to Derby.
>>
>> So today I tried:
>>
>> 1. Create database/user via the connection string:
>> jdbc:derby://localhost:9947/mdb;create=true;user=mdb;password=mdb
>> without specifying a username/password in the RazorSQL connection profile. This works.
>>
>> 2. Modify the profile to use the mdb user/pass and remove the connection string parameters
>> and connect. This works.
>>
>> 3. Issue the following to Derby while logged in as MasterDB:
>>
>> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.propertiesOnly', 'true');
>> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.connection.requireAuthentication', 'true');
>> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.authentication.provider', 'BUILTIN');
>>
>> This works, and I can still log in.
> Hi,
>
> When I perform the above steps, I'm not able to log into the database at all.
> If I additionally do
>     CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.user.mdb', 'mdb'); , I can only
> connect with that user/pass.
>
> Here's from the ij session:
> ij>  connect 'jdbc:derby:mdb;create=true;user=mdb;password=mdb';
>
> ij>  CALL
> SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.propertiesOnly','true');
>
> 0 rows inserted/updated/deleted
> ij>  CALL
> SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.connection.requireAuthentication',
> 'true');
> 0 rows inserted/updated/deleted
> ij>  CALL
> SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.authentication.provider',
> 'BUILTIN');
> 0 rows inserted/updated/deleted
> ij>  CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.user.mdb',
> 'mdb');
> 0 rows inserted/updated/deleted
> ij>  disconnect;
>
> ij>  connect 'jdbc:derby:mdb;shutdown=true;user=mdb;password=mdb';
>
> ERROR 08006: Database 'mdb' shutdown.
> ij>  connect 'jdbc:derby:mdb';
> ERROR 08004: Connection authentication failure occurred.  Reason:
> Invalid authentication..
> ij>  connect 'jdbc:derby:mdb;user=mdb;password=incorrect';
> ERROR 08004: Connection authentication failure occurred.  Reason:
> Invalid authentication..
> ij>  connect 'jdbc:derby:mdb;user=mdb;password=mdb';
> ij>  disconnect;
> ij>  connect 'jdbc:derby:mdb;shutdown=true';
> ERROR 08004: Connection authentication failure occurred.  Reason:
> Invalid authentication..
> ij>  connect 'jdbc:derby:mdb;shutdown=true;user=mdb;password=mdb';
> ERROR 08006: Database 'mdb' shutdown.
> ij>
>
>
> When using the BUILTIN scheme, users defined in derby.properties are
> system-wide, whereas users defined as database properties are specific
> to that database.
>
>
> Regards,
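The custom-authenticator route described under option B above, as an added example; this is not Derby's code and not code from anyone in this thread. It assumes a hypothetical package com.example.derbyauth, a pre-existing embedded database named credentials on the server host holding a CREDS table, and that the class is placed on the Network Server's classpath and named in derby.properties as derby.authentication.provider (alongside derby.connection.requireAuthentication=true). The org.apache.derby.authentication.UserAuthenticator interface and its authenticateUser method are Derby's own (see the published API link above); the table layout, the PBKDF2 parameters and the re-entrancy guard are design choices of this example.

```java
// Added example: a Derby UserAuthenticator that verifies users against a salted,
// iterated password hash stored in a Derby database on the server machine.
// Hypothetical names: package com.example.derbyauth, database "credentials", table CREDS.
// derby.properties on the server (assumed):
//   derby.connection.requireAuthentication=true
//   derby.authentication.provider=com.example.derbyauth.DatabaseUserAuthenticator
package com.example.derbyauth;

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.derby.authentication.UserAuthenticator;

public class DatabaseUserAuthenticator implements UserAuthenticator {

    // Embedded credentials database on the server host (assumed name; must already exist).
    private static final String CREDS_URL = "jdbc:derby:credentials";
    private static final int ITERATIONS = 100_000; // PBKDF2 work factor (design choice)
    private static final int HASH_BYTES = 32;
    private static final int SALT_BYTES = 16;
    private static final SecureRandom RNG = new SecureRandom();

    // Re-entrancy guard: the engine calls authenticateUser again when this class opens
    // its own connection to the credentials database; that inner call is trusted as
    // internal. It is thread-local, so it only covers this authenticator's own lookup.
    private static final ThreadLocal<Boolean> IN_LOOKUP = ThreadLocal.withInitial(() -> false);

    @Override
    public boolean authenticateUser(String userName, String userPassword,
                                    String databaseName, Properties info) throws SQLException {
        if (IN_LOOKUP.get()) {
            return true; // our own connection to the credentials database
        }
        if (userName == null || userPassword == null) {
            return false;
        }
        // databaseName is null for system-wide operations (engine shutdown, database
        // creation); those are checked against the same table, which is the point.
        IN_LOOKUP.set(true);
        try (Connection c = DriverManager.getConnection(CREDS_URL);
             PreparedStatement ps = c.prepareStatement(
                     "SELECT SALT, PWHASH FROM CREDS WHERE USERNAME = ?")) {
            ps.setString(1, userName);
            try (ResultSet rs = ps.executeQuery()) {
                byte[] salt = new byte[SALT_BYTES];
                byte[] stored = new byte[HASH_BYTES];
                boolean known = rs.next();
                if (known) {
                    salt = rs.getBytes(1);
                    stored = rs.getBytes(2);
                }
                // Hash even for unknown names so response time does not reveal which
                // users exist, then compare in constant time.
                byte[] computed = pbkdf2(userPassword.toCharArray(), salt);
                return known && MessageDigest.isEqual(stored, computed);
            }
        } finally {
            IN_LOOKUP.set(false);
        }
    }

    // Administrative helper, run once against the credentials database.
    public static void createSchema(Connection credsDb) throws SQLException {
        try (Statement s = credsDb.createStatement()) {
            s.executeUpdate("CREATE TABLE CREDS (USERNAME VARCHAR(128) NOT NULL PRIMARY KEY, "
                    + "SALT CHAR(16) FOR BIT DATA NOT NULL, PWHASH CHAR(32) FOR BIT DATA NOT NULL)");
        }
    }

    // Administrative helper: store a user with a fresh random salt; the plaintext
    // password never reaches the table.
    public static void addUser(Connection credsDb, String userName, String password)
            throws SQLException {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        try (PreparedStatement ps = credsDb.prepareStatement(
                "INSERT INTO CREDS (USERNAME, SALT, PWHASH) VALUES (?, ?, ?)")) {
            ps.setString(1, userName);
            ps.setBytes(2, salt);
            ps.setBytes(3, pbkdf2(password.toCharArray(), salt));
            ps.executeUpdate();
        }
    }

    static byte[] pbkdf2(char[] password, byte[] salt) throws SQLException {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, HASH_BYTES * 8);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new SQLException("password hashing unavailable", e);
        }
    }
}
```

Because every user in the CREDS table can also open the credentials database itself, the table should be protected inside that database with Derby's SQL authorization (derby.database.sqlAuthorization plus GRANT) so that only the administrative account can read or change it; the authenticator's own lookup is unaffected, since it is admitted by the re-entrancy guard rather than by a table entry.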

