geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From siss...@insession.com
Subject Securing the Derby Network Server in Geronimo - related to GERONIMO-342
Date Thu, 27 Jan 2005 04:37:06 GMT
Derby's DRDA (Distributed Relational Database Architecture) Network Server 
by default only listens for connections on the loopback address (which is 
a good default) and does not have authentication turned on.

Therefore on a multiuser O/S this level of security seems inadequate as 
any user on the localhost could connect to it using the DB2 Universal 
Connector (specifying any userid and password as it will be ignored by the 
server) and start creating databases/tables etc. 

Q1. Are there any plans on how a default Geronimo configuration would 
secure the embedded Derby Network Server?

Q2. What would be the best way to restrict the remote IP addresses that 
Derby will accept connections from (e.g. particular IP addresses)?  Should 
a policy file be used and passed to the JVM when starting Geronimo (see 
http://incubator.apache.org/derby/manuals/admin/hubprnt30.html ) or is 
there a better way for Geronimo?

Q3. Should we have some simple authentication enabled by shipping a sample 
geronimo\var\derby\derby.properties file that has something like the 
following?

#
#Security settings
#
derby.connection.requireAuthentication=true
derby.authentication.provider=BUILTIN
#
# User and password list for Derby BUILTIN authentication provider
#
derby.user.system=manager
derby.user.myapp=myapppswd

Thanks,

John

Mime
View raw message