Print a security warning to derby.log and network server console if network
server is started with -h 0.0.0.0 and security manager, user authentication,
and encrypted userid are not on
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Key: DERBY-1056
URL: http://issues.apache.org/jira/browse/DERBY-1056
Project: Derby
Type: Improvement
Components: Network Server, Security
Reporter: Kathey Marsden
Fix For: 10.2.0.0
Information and questions from the user list seem to indicate that often users
start network server with the -h 0.0.0.0 option without taking proper security
measures. I think it would be worthwhile to print a security warning to the
console and derby.log if network server is started without the proper security
in place.
Serious security issues exist when starting network server with the -h 0.0.0.0
option unless users:
- Run in security manager with permissions restricted as much as possible.
- Enable user authentication
- Use encrypted userid/password (Currently only available with IBMJCE)
Even when started with the localhost default there can be security issues if
the machine itself is not secure.
An example of such an attack might include creating databases until the host
machine's disk fills up, deleting all user data, etc.
Related issues:
DERBY-65
DERBY-474
DERBY-528
DERBY-962