[ http://issues.apache.org/jira/browse/DERBY-1055?page=all ]
Sunitha Kambhampati updated DERBY-1055:
---------------------------------------
Attachment: Derby1055.diff.txt
Derby1055.stat.txt
This patch Derby1055.diff.txt fixes this jira issue completely. Explanation of
changes as follows:
I)Overview:
Client supports EUSRIDPWD(0x09) security mechanism and when this security
mechanism is used, it involves encrypting the userid and password and sending
across the wire. Encryption of userid and password is done using JCE. The class
org.apache.derby.client.am.EncryptionManager is responsible for handling the
encryption part - of adding a JCE provider and initialize the necessary
security objects.
II)Problem:
Running under security manager, and when using EUSRIDPWD security mechanism a
Security.AccessControlException is thrown at the
client.(java.security.AccessControlException: access denied
(java.security.SecurityPermission insertProvider.SunJCE)
This is because adding a jce provider is a privileged action and requires to be
added in a privileged block.
III)Fix:
1.In client.am.EncryptionManager constructor, the add of JCE provider now
happens in a privileged block.
An exception during adding a provider in privileged block is caught and
rethrown as a SqlException similar to how the other security exceptions are
thrown in the am.EncryptionManager constructor.
2.Modified derby_tests.policy file to add permissions to add JCE provider for
derbyclient.jar. Following permissions were added.
// These permissions are needed to load the JCE for encryption with Sun and
IBM
// Client uses JCE when using encrypted userid and password security mechanism
permission java.security.SecurityPermission "insertProvider.SunJCE";
permission java.security.SecurityPermission "insertProvider.IBMJCE";
Testing:
-- Enabled test to use securityMechanism=9 ( EUSRIDPWD - encrypted userid and
password) when using DriverManager for both DerbyNet and DerbyNetClient.
-- Enabled test to use securityMechanism=9 (EUSRIDPWD) when getting connection
via DataSource for DerbyNetClient framework only. There seems to be a bug in
JCC driver, as value set on datasource is not being used, it sends a security
mechanism of 3 (USRIDPWD) to the server. Hence this test is not enabled for
DerbyNet (JCC) framework.
-- Master Updates for different JVMs.
DerbyNetClient framework:
SUN JVM(131,141,142,15), IBM131 - no support for DH algorithm (prime of 32
bytes), hence security exception will be thrown for test case added. Updated
master file in master/DerbyNetClient/
IBM(141,142,15) - support available for DH algorithm (prime of 32 bytes). Hence
a new master file is added in master/DerbyNetClient/ibm14
DerbyNet framework:
SUN JVM(131,141,142,15), IBM131 - no support for DH algorithm (prime of 32
bytes), hence security exception will be thrown for test case added. Updated
master file in master/DerbyNet/
IBM(141,142,15) - support available for DH algorithm (prime of 32 bytes). Hence
a new master file is added in master/DerbyNet/ibm14
------------------------
Ran derbyall on Linux/IBM1.4.2 with sane jars OK(ie apart from the known
failures)
Ran the testSecMec test with following combinations OK on both DerbyNet (JCC
2.4) and DerbyNetClient frameworks.
Classes- Sun VMS: jdk131/jdk141/jdk142/jdk15 - all OK
IBM VMS: ibm131/ibm141/ibm142 - all OK
SANE and INSANE JARS - jdk142/jdk15/jdk13/ibm131/ibm142/ibm15 - all OK
svn stat:
M
java\testing\org\apache\derbyTesting\functionTests\tests\derbynet\testSecMec.java
M
java\testing\org\apache\derbyTesting\functionTests\master\DerbyNet\testSecMec.out
A java\testing\org\apache\derbyTesting\functionTests\master\DerbyNet\ibm14
A
java\testing\org\apache\derbyTesting\functionTests\master\DerbyNet\ibm14\testSecMec.out
M
java\testing\org\apache\derbyTesting\functionTests\master\DerbyNetClient\testSecMec.out
A
java\testing\org\apache\derbyTesting\functionTests\master\DerbyNetClient\ibm14
A
java\testing\org\apache\derbyTesting\functionTests\master\DerbyNetClient\ibm14\testSecMec.out
M
java\testing\org\apache\derbyTesting\functionTests\util\derby_tests.policy
M java\client\org\apache\derby\client\am\EncryptionManager.java
Can someone please review this change. Thanks.
=================
Other:
(As I looked at this issue,I realized there is a problem in the following
constructor in SqlException
public SqlException(LogWriter logwriter,
MessageId msgid, Object[] args, Throwable cause)
{
this(
logwriter,
msgutil_.getCompleteMessage(
msgid.msgid,
args),
ExceptionUtil.getSQLStateFromIdentifier(msgid.msgid),
ExceptionUtil.getSeverityFromIdentifier(msgid.msgid));
}
cause is being lost here. It seems to me, we should add setThrowable(cause) so
we dont lose track of it. I'll send out a separate mail to derby-dev for this.
)
------------------
> Security.AccessControlException in client under SecurityManager when trying
> to connect using EUSRIDPWD security mechanism
> -------------------------------------------------------------------------------------------------------------------------
>
> Key: DERBY-1055
> URL: http://issues.apache.org/jira/browse/DERBY-1055
> Project: Derby
> Type: Bug
> Components: Network Client
> Versions: 10.0.2.1, 10.0.2.0, 10.1.1.0, 10.1.1.1, 10.1.1.2, 10.1.2.0,
> 10.1.2.1, 10.1.2.2
> Environment: all
> Reporter: Sunitha Kambhampati
> Assignee: Sunitha Kambhampati
> Priority: Minor
> Fix For: 10.2.0.0
> Attachments: Derby1055.diff.txt, Derby1055.stat.txt
>
> When using EUSRIDPWD security mechanism, the JCE provider is added and since
> this is not in a privileged block, an accesscontrol exception is raised when
> trying to connect using EUSRIDPWD security mechanism, when client is run
> under security manager.
> Enabled test (T5) in testSecMec.java
> > T5:
> > jdbc:derby://xxxFILTERED_HOSTNAMExxx:xxxFILTEREDPORTxxx/wombat;user=neelima;password=lee;securityMechanism=9
> > - EXCEPTION Unexpected throwable caught
> > java.security.AccessControlException: access denied
> > (java.security.SecurityPermission insertProvider.SunJCE)
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
