[ http://issues.apache.org/jira/browse/DERBY-962?page=comments#action_12370422 ]

Kathey Marsden commented on DERBY-962:
--------------------------------------

Sunitha said:
> This variable is used to indicate that the security mechanism has not been
> set on datasource or connection request.  I can change it to SECMEC_DEFAULT
> if that is preferred.
> It's just that SECMEC_DEFAULT seems to suggest that it is the default security
> mechanism, which it isn't.  The default security mechanism for the client is
> USRIDONL (0x04)

I tend to think that the default security mechanism is not USRIDONLY but in
fact is variable depending on whether password is specified and whether the
JVM can support EUSRIDPPWD, but the name as you have it is ok.  I don't feel
that strongly about it.



> Upgrade default security mechanism in client to use encrypted userid password 
> if client can support it.
> -------------------------------------------------------------------------------------------------------
>
>          Key: DERBY-962
>          URL: http://issues.apache.org/jira/browse/DERBY-962
>      Project: Derby
>         Type: Improvement
>   Components: Network Client
>     Reporter: Sunitha Kambhampati
>     Assignee: Sunitha Kambhampati
>      Fix For: 10.2.0.0
>  Attachments: 962_table.txt, Derby962_forreview.diff.txt, 
> Derby962_forreview.stat.txt
>
> Currently in the client, if userid and password are set in the connection 
> url, the default security mechanism is upgraded to USRIDPWD (which is clear 
> text userid and password).  This seems to be a security hole here. 
> The current client driver supports encrypted userid/password (EUSRIDPWD) via the 
> use of the DH key-agreement protocol - however the current Open Group DRDA 
> specifications impose small prime and base generator values (256 bits) that 
> prevent other JCEs (apart from the IBM JCE) from being used as java cryptography 
> providers.  
> Some thoughts:
> -- the client can make a check to see if the jvm it is running in supports the 
> encryption necessary for EUSRIDPWD. If it does, then the client can 
> upgrade to EUSRIDPWD. 
> -- if the jvm the client is running in doesn't support the encryption 
> requirements for EUSRIDPWD, then the security mechanism will be set to 
> USRIDPWD.
> -- DERBY-528 will add support for strong userid and password which is another 
> option to send encrypted passwords across the wire. When this gets added, 
> maybe this can be considered as one of the upgrade options after EUSRIDPWD. 
