db-derby-user mailing list archives

From Rick Hillegas <rick.hille...@oracle.com>
Subject Re: Native authentication and password expiry date
Date Mon, 20 May 2013 13:05:42 GMT
On 5/20/13 5:21 AM, Thomas wrote:
> Rick Hillegas<rick.hillegas@...>  writes:
>
> I am running the 10.9.1.0 server using the basic security manager with the
> default security policy settings.
>
> Trying to inspect the system property settings from a stored procedure which
> includes using java.lang.System.getProperty() I am getting:
>
> Error: The exception 'java.security.AccessControlException: access denied
> ("java.util.PropertyPermission"
> "derby.authentication.native.passwordLifetimeMillis" "read")' was thrown
> while evaluating an expression.
> SQLState:  38000
> ErrorCode: -1
> Error: Java exception: 'access denied ("java.util.PropertyPermission"
> "derby.authentication.native.passwordLifetimeMillis" "read"):
> java.security.AccessControlException'.
> SQLState:  XJ001
> ErrorCode: 99999
>
> I tried adding the line
>    permission java.util.PropertyPermission "java.lang.System.getProperty", "read";
> to the security.policy file and restarted the server, but I am still getting
> the same error.
>
> Can someone please advise which addition/change to security.policy is
> exactly needed to prevent the error message? I would also be interested in
> getting a hint on the security risk behind that, which I should consider prior
> to making that change. (If there were none, I would suspect reading the
> system properties would be possible using the default configuration.)
>
> Many thanks in advance.
>
>
Hi Thomas,

The grammar of permissions descriptors can be confusing. You may want to 
take a look at the template policy file which ships with Derby and at 
the section titled "Running Derby under a security manager" in the 
Developer's Guide: 
http://db.apache.org/derby/docs/10.10/devguide/index.html.

You will want to grant your application jars the following minimal 
permission:

   permission java.util.PropertyPermission "derby.authentication.native.passwordLifetimeMillis", "read";

...and if you need to read other Derby properties, you may want to 
broaden this permission to:

   permission java.util.PropertyPermission "derby.*", "read";

I don't see much security risk in letting your application read the 
Derby properties. Certainly not much risk in reading the password 
timeout property. The only security-sensitive Derby properties are the 
credentials properties used by the deprecated BUILTIN authentication scheme.

Hope this helps,
-Rick
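The following is an added example, not part of either message above, that shows why the first policy line did not work and why the two grants Rick lists do: the target name of a java.util.PropertyPermission is the property name that System.getProperty() will check, not the name of the method being called, and a trailing ".*" matches every property under that prefix. The codeBase path in the comment is an assumed location for the application jar, not something taken from the thread.

```java
import java.util.PropertyPermission;

/*
 * Policy entry that the check below models (assumed codeBase; adjust to
 * wherever the jar holding the stored procedure actually lives):
 *
 *   grant codeBase "file:${derby.system.home}/lib/myapp.jar" {
 *     // minimal: only the property the procedure reads
 *     permission java.util.PropertyPermission
 *         "derby.authentication.native.passwordLifetimeMillis", "read";
 *     // broader alternative if other Derby properties are needed
 *     // permission java.util.PropertyPermission "derby.*", "read";
 *   };
 */
public class PropertyGrantCheck {

    /** The property the stored procedure in the thread tried to read. */
    static final String WANTED = "derby.authentication.native.passwordLifetimeMillis";

    /**
     * Returns true when a policy grant with the given target name would
     * satisfy the PropertyPermission that System.getProperty(requested)
     * asks the security manager for. This is the same implies() logic the
     * AccessController applies against the granted permissions.
     */
    static boolean grantCovers(String grantedTarget, String requested) {
        PropertyPermission granted = new PropertyPermission(grantedTarget, "read");
        PropertyPermission needed = new PropertyPermission(requested, "read");
        return granted.implies(needed);
    }

    public static void main(String[] args) {
        // The line originally tried: a method name is not a property name -> false
        System.out.println("java.lang.System.getProperty -> "
                + grantCovers("java.lang.System.getProperty", WANTED));

        // Exact property name, the minimal grant -> true
        System.out.println("exact name -> " + grantCovers(WANTED, WANTED));

        // Prefix wildcard covering all Derby properties -> true
        System.out.println("derby.* -> " + grantCovers("derby.*", WANTED));

        // A prefix wildcard does not spill outside its prefix -> false
        System.out.println("derby.* vs user.home -> " + grantCovers("derby.*", "user.home"));
    }
}
```

Running the class prints false, true, true, false in that order. The last case is the reason to prefer the narrower grants: a "derby.*" read grant stays confined to Derby's own property namespace, whereas a grant on "*" would let the procedure read every JVM system property, which is the kind of wider exposure the question asks about.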

