Return-Path: 
 <derby-user-return-14110-apmail-db-derby-user-archive=db.apache.org@db.apache.org>
X-Original-To: apmail-db-derby-user-archive@www.apache.org
Delivered-To: apmail-db-derby-user-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 198CD9A9D
	for <apmail-db-derby-user-archive@www.apache.org>;
 Fri, 13 Jan 2012 18:41:42 +0000 (UTC)
Received: (qmail 48607 invoked by uid 500); 13 Jan 2012 18:41:41 -0000
Delivered-To: apmail-db-derby-user-archive@db.apache.org
Received: (qmail 48534 invoked by uid 500); 13 Jan 2012 18:41:41 -0000
Mailing-List: contact derby-user-help@db.apache.org; run by ezmlm
Precedence: bulk
list-help: <mailto:derby-user-help@db.apache.org>
list-unsubscribe: <mailto:derby-user-unsubscribe@db.apache.org>
List-Post: <mailto:derby-user@db.apache.org>
List-Id: <derby-user.db.apache.org>
Reply-To: "Derby Discussion" <derby-user@db.apache.org>
Delivered-To: mailing list derby-user@db.apache.org
Received: (qmail 48526 invoked by uid 99); 13 Jan 2012 18:41:40 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 13 Jan 2012 18:41:40 +0000
X-ASF-Spam-Status: No, hits=-0.0 required=5.0
	tests=RCVD_IN_DNSWL_LOW,SPF_NEUTRAL
X-Spam-Check-By: apache.org
Received-SPF: neutral (athena.apache.org: local policy)
Received: from [213.199.154.143] (HELO DB3EHSOBE005.bigfish.com)
 (213.199.154.143)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 13 Jan 2012 18:41:32 +0000
Received: from mail39-db3-R.bigfish.com (10.3.81.251) by
 DB3EHSOBE005.bigfish.com (10.3.84.25) with Microsoft SMTP Server id
 14.1.225.23; Fri, 13 Jan 2012 18:41:10 +0000
Received: from mail39-db3 (localhost [127.0.0.1])	by mail39-db3-R.bigfish.com
 (Postfix) with ESMTP id 81BA522014C	for <derby-user@db.apache.org>; Fri, 13
 Jan 2012 18:41:10 +0000 (UTC)
X-SpamScore: 0
X-BigFish: VPS0(zzzz1202hzzz2dhc1ahc1bh2a8h668h839h944h)
X-Forefront-Antispam-Report: 
 CIP:67.52.158.60;KIP:(null);UIP:(null);IPV:NLI;H:EXCH1-COLO.accelrys.net;RD:rrcs-67-52-158-60.west.biz.rr.com;EFVD:NLI
Received: from mail39-db3 (localhost.localdomain [127.0.0.1]) by mail39-db3
 (MessageSwitch) id 1326480070274359_3902; Fri, 13 Jan 2012 18:41:10 +0000
 (UTC)
Received: from DB3EHSMHS010.bigfish.com (unknown [10.3.81.246])	by
 mail39-db3.bigfish.com (Postfix) with ESMTP id 3A1281E0204	for
 <derby-user@db.apache.org>; Fri, 13 Jan 2012 18:41:10 +0000 (UTC)
Received: from EXCH1-COLO.accelrys.net (67.52.158.60) by
 DB3EHSMHS010.bigfish.com (10.3.87.110) with Microsoft SMTP Server (TLS) id
 14.1.225.23; Fri, 13 Jan 2012 18:41:10 +0000
Received: from EXCH1-COLO.accelrys.net ([fe80::65ef:13d3:9d2f:15dd]) by
 EXCH1-COLO.accelrys.net ([fe80::65ef:13d3:9d2f:15dd%13]) with mapi; Fri, 13
 Jan 2012 10:40:58 -0800
From: Robert DiPietro <Robert.DiPietro@accelrys.com>
To: Derby Discussion <derby-user@db.apache.org>
Date: Fri, 13 Jan 2012 10:40:56 -0800
Subject: Authentication and passwords in derby.properties
Thread-Topic: Authentication and passwords in derby.properties
Thread-Index: AczSIuMLdDwN4TGIRS2DG/ultljNNw==
Message-ID: 
 <99FC70E9B6AD72468CD241D1D64D5F0C04497C3A8A@EXCH1-COLO.accelrys.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: accelrys.com

Hello!

I have been deving against a Derby DB on which requireAuthentication is tru=
e, the provider is built-in, and all users have been defined in the derby.p=
roperties file (so they are all system level users). This has been extremel=
y convenient in development, however there are obvious concerns about havin=
g the password stored in plaintext in a file.

Is it possible to require authentication in built-in mode, but have no syst=
em level users defined in derby.properties, rather only defined at database=
 level (stored internally on the database)?

For example, I have tried disabling requireAuthentication, logging in to th=
e system, creating a db, and then creating a user against it using these co=
mmands:

CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('Derby.database.propertiesOnly'=
,'true');
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('Derby.connection.requireAuthen=
tication', 'true');
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('Derby.authentication.provider'=
, 'BUILTIN');
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('Derby.user.username', 'passwor=
d');

Which seems to work, but then if I enable requireAuthentication in derby.pr=
operties, I can no longer log in. I guess this makes sense since the system=
 level property (and lack of user) overrides the database level property.

So back to my question, is it possible to access an instance in Derby using=
 only database users without having a system level user in derby.properties=
 in a way that prohibits people from connecting at a system level and doing=
 whatever they like?

I'm working with Derby 10.8.x. Reading through the various documentation ha=
s left me a bit confused and I figured I would reach out to the experts. Th=
ank you for any and all help.

Regards,

Rob DiPietro