Return-Path: 
 <derby-user-return-14316-apmail-db-derby-user-archive=db.apache.org@db.apache.org>
X-Original-To: apmail-db-derby-user-archive@www.apache.org
Delivered-To: apmail-db-derby-user-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 0B6D996BE
	for <apmail-db-derby-user-archive@www.apache.org>;
 Fri, 20 Apr 2012 15:51:15 +0000 (UTC)
Received: (qmail 69612 invoked by uid 500); 20 Apr 2012 15:51:14 -0000
Delivered-To: apmail-db-derby-user-archive@db.apache.org
Received: (qmail 69535 invoked by uid 500); 20 Apr 2012 15:51:14 -0000
Mailing-List: contact derby-user-help@db.apache.org; run by ezmlm
Precedence: bulk
list-help: <mailto:derby-user-help@db.apache.org>
list-unsubscribe: <mailto:derby-user-unsubscribe@db.apache.org>
List-Post: <mailto:derby-user@db.apache.org>
List-Id: <derby-user.db.apache.org>
Reply-To: "Derby Discussion" <derby-user@db.apache.org>
Delivered-To: mailing list derby-user@db.apache.org
Received: (qmail 69528 invoked by uid 99); 20 Apr 2012 15:51:13 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 20 Apr 2012 15:51:13 +0000
X-ASF-Spam-Status: No, hits=-5.0 required=5.0
	tests=RCVD_IN_DNSWL_HI,SPF_PASS,UNPARSEABLE_RELAY
X-Spam-Check-By: apache.org
Received-SPF: pass (athena.apache.org: domain of rick.hillegas@oracle.com
 designates 148.87.113.117 as permitted sender)
Received: from [148.87.113.117] (HELO rcsinet15.oracle.com) (148.87.113.117)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 20 Apr 2012 15:51:04 +0000
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94])
	by rcsinet15.oracle.com (Sentrion-MTA-4.2.2/Sentrion-MTA-4.2.2) with ESMTP id
 q3KFoglv004585
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <derby-user@db.apache.org>; Fri, 20 Apr 2012 15:50:43 GMT
Received: from acsmt357.oracle.com (acsmt357.oracle.com [141.146.40.157])
	by ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id q3KFofUK002639
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <derby-user@db.apache.org>; Fri, 20 Apr 2012 15:50:42 GMT
Received: from abhmt104.oracle.com (abhmt104.oracle.com [141.146.116.56])
	by acsmt357.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id
 q3KFof48023779
	for <derby-user@db.apache.org>; Fri, 20 Apr 2012 10:50:41 -0500
Received: from dhcp-rmdc-twvpn-1-vpnpool-10-159-2-171.vpn.oracle.com
 (/10.159.2.171)
	by default (Oracle Beehive Gateway v4.0)
	with ESMTP ; Fri, 20 Apr 2012 08:50:41 -0700
Message-ID: <4F9185C6.6020203@oracle.com>
Date: Fri, 20 Apr 2012 08:50:30 -0700
From: Rick Hillegas <rick.hillegas@oracle.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.7; en-US;
 rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11
MIME-Version: 1.0
To: derby-user@db.apache.org
Subject: Re: User authorisation
References: 
 <CADuAvzdYCGK=b0WEMSTLkrQad-feKa5fMK2ScA2HXKY2FSKsOQ@mail.gmail.com>
In-Reply-To: 
 <CADuAvzdYCGK=b0WEMSTLkrQad-feKa5fMK2ScA2HXKY2FSKsOQ@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
X-CT-RefId: str=0001.0A090204.4F9185D3.0068,ss=1,re=0.000,fgs=0
X-Virus-Checked: Checked by ClamAV on apache.org

Hi Trejkaz,

I do not see any responses to your email yet. I did not respond 
immediately because I was not sure what help you wanted from the 
community. Maybe other people were confused too.

It sounds as though you have written your own custom authenticator 
backed by a database which maintains the following information:

a) Credentials for legal users. The credentials are system-wide so that 
a user does not need to remember a different name/password pair for each 
database.

b) A binding of databases to the users who are allowed to connect to 
them. Just because a user can connect to one database does not mean that 
they are allowed to connect to all databases.

I am not sure whether you are the asking the community for the following 
advice:

1) Is there an off-the-shelf, commodity-tested UserAuthenticator which 
does what's described above?

2) ...or does Derby actually provide tools to configure what's described 
above? Derby's security documentation is hard to follow and it's not 
clear whether you can solve this problem with Derby-supplied features.

3) ...or something else?

I can't answer (1) but maybe someone else in the community is aware of 
off-the-shelf solutions in this area.

Concerning (2):

As you know, Derby supplies 3 authentication schemes:

i) Custom-written (that's what you're doing)

ii) Forwarding to an external LDAP service

iii) BUILTIN credentials. This scheme is not safe for production use and 
is only appropriate for testing purposes.

In 10.9, Derby will introduce a fourth authentication scheme:

iv) NATIVE authentication. This provides a package of procedures for 
maintaining user credentials in a Derby database. Think of it as a new 
form of BUILTIN credentials, which is safer, easier to administer, and 
appropriate for production use.

Any of these schemes (except BUILTIN) can be used for purpose (a) above.

Derby also supplies two authorization schemes, each of which can be 
configured per-database:

I) Coarse-grained authorization. This controls who can connect to the 
database and perform read and write operations there. By setting the 
derby.database.defaultConnectionMode property to the value noAccess, you 
can prevent anyone from connecting to a database. Then by setting 
derby.database.fullAccessUsers to a list of valid user names, you can 
relax that restriction, allowing just those users to connect to the 
database. This may achieve purpose (b) above.

II) Fine-grained authorization. This is the SQL Standard GRANT/REVOKE 
style of controlling who can read/write data and execute 
functions/procedures. This does not allow you to control who can connect 
to a database, but it does permit you to control what they can do once 
they have connected. When fine-grained SQL authorization is enabled, a 
user starts out only being able to use tables, views, functions, and 
procedures in their own schema. Other users can GRANT broader access to 
their own SQL objects.

I don't know whether any of this is useful to you, but I wanted to 
summarize some of Derby's security features which might not be easy to 
understand just by reading the user manuals.

Hope this helps,
-Rick





On 4/15/12 7:24 PM, Trejkaz wrote:
> Hi all.
>
> We are using a custom UserAuthenticator to integrate Derby into our
> own user database.
>
> At the moment, this custom UserAuthenticator is also doing the job of
> tracking who can open which database. So of course when we deny
> someone because they don't have access, the error message they get is
> along the lines of "incorrect username or password".
>
> Is there something like a UserAuthoriser which would be more
> appropriate for this task?
>
> I see that there is a lot of documentation about permissions in the
> Derby documentation but all the docs I can find seem to tie into JVM
> security, which we're deliberately not using for performance reasons.
> We only want the coarsest level of security where we can control who
> can connect to which database.
>
> TX
>