[ http://issues.apache.org/jira/browse/DERBY-962?page=comments#action_12370931 ]
Kathey Marsden commented on DERBY-962:
--------------------------------------

Hi Sunitha,

Looking at your diff I understand why the first @see was taken out because it was not in a javadoc comment, but these two were less clear to me. It seems like it would be good instead to keep the @see but use the @see #method(Type argname, Type argname,...) format for these two:

@@ -807,7 +807,7 @@ * return the security mechanism * if security mechanism has not been set explicitly on datasource * then upgrade the security mechanism to a more secure one if possible - * @see #getUpgradedSecurityMechanism() + * See getUpgradedSecurityMechanism() * @return the security mechanism */ public short getSecurityMechanism() {
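Review bot: The `-`/`+` pair in this hunk replaces the javadoc tag `@see #getUpgradedSecurityMechanism()` in the `getSecurityMechanism()` comment with the plain sentence `See getUpgradedSecurityMechanism()`, which drops the generated cross-reference and leaves free text sitting in the tag section, directly before `@return`. The surrounding lines are `*`-prefixed and end in `@return`, so this is a javadoc comment and the tag is valid here; keep it, and if the javadoc tool objected to the bare reference, qualify it with the parameter types as suggested in the comment above (for the no-argument target, `@see #getUpgradedSecurityMechanism()` is already fully qualified). If the reason for the change is instead that the target method is not public and so never appears in the generated docs, say so in the commit message, since that is not visible from the hunk.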
@@ -819,7 +819,7 @@ * if security mechanism has not been set explicitly on datasource * then upgrade the security mechanism to a more secure one if possible * @param password password of user - * @see #getUpgradedSecurityMechanism() + * See getUpgradedSecurityMechanism() * @return the security mechanism */ public short getSecurityMechanism(String password) {

> Upgrade default security mechanism in client to use encrypted userid password if client can support it.
> -------------------------------------------------------------------------------------------------------
>
> Key: DERBY-962
> URL: http://issues.apache.org/jira/browse/DERBY-962
> Project: Derby
> Type: Improvement
> Components: Network Client
> Reporter: Sunitha Kambhampati
> Assignee: Sunitha Kambhampati
> Fix For: 10.2.0.0
> Attachments: 962_table.txt, Derby962.diff.txt, Derby962.stat.txt, Derby962_forreview.diff.txt, Derby962_forreview.stat.txt, d962_javadoc.diff.txt
>
> Currently in the client, if userid and password are set in the connection url, the default security mechanism is upgraded to USRIDPWD (which is clear text userid and password). This seems to be a security hole here.
>
> Current client driver supports encrypted userid/password (EUSRIDPWD) via the use of DH key-agreement protocol - however the current Open Group DRDA specification imposes small prime and base generator values (256 bits) that prevent other JCEs (apart from ibm jce) from being used as java cryptography providers.
>
> Some thoughts:
> -- client can make a check to see if the jvm it is running in supports the encryption necessary for EUSRIDPWD. If it supports it, then the client can upgrade to EUSRIDPWD.
> -- if the jvm the client is running in doesn't support the encryption requirements for EUSRIDPWD, then the security mechanism will be set to USRIDPWD.
> -- DERBY-528 will add support for strong userid and password which is another option to send encrypted passwords across the wire.
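Review bot: In the `getSecurityMechanism(String password)` javadoc (the `-819,7 +819,7` hunk) the same substitution turns `@see #getUpgradedSecurityMechanism()` into prose placed between `@param password` and `@return`, where free text breaks the tag section. This overload takes a password, so if an upgraded-mechanism variant that takes the password also exists, the reference should name that overload by parameter type, `@see #getUpgradedSecurityMechanism(String)`, rather than being removed; if only the no-argument method exists, the original tag was unambiguous and should stay as it was. Either way the `@see` tag, not a `See ...` sentence, is what keeps the link in the generated docs.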
> When this gets added, maybe this can be considered as one of the upgrade options after EUSRIDPWD.

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
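The capability check sketched in the issue description (probe whether the JVM's JCE provider accepts the small Diffie-Hellman group the DRDA spec mandates; if it does, upgrade to EUSRIDPWD, otherwise fall back to USRIDPWD, and never override a mechanism set explicitly on the data source) written out as an added Java example. This is not Derby's client code: the class and method names are invented for illustration, the SECMEC constants are assumed values to be checked against the client's own configuration class, and the prime and generator are constructed with `BigInteger.probablePrime` rather than taken from the DRDA specification.

```java
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.ProviderException;
import java.security.SecureRandom;
import javax.crypto.spec.DHParameterSpec;

/**
 * Picks between clear-text (USRIDPWD) and encrypted (EUSRIDPWD) user id /
 * password transport by probing whether the installed JCE provider will
 * accept the 256-bit Diffie-Hellman group required by DRDA.
 * Example code only; not part of the Derby network client.
 */
public final class SecurityMechanismProbe {

    // DRDA SECMEC code points. Assumed values for this example; take the
    // authoritative ones from the client's own configuration constants.
    public static final short SECMEC_USRIDPWD = 3;   // clear-text user id and password
    public static final short SECMEC_EUSRIDPWD = 9;  // DH-encrypted user id and password

    private final BigInteger prime;
    private final BigInteger generator;

    public SecurityMechanismProbe(BigInteger prime, BigInteger generator) {
        this.prime = prime;
        this.generator = generator;
    }

    /**
     * True if the default "DH" KeyPairGenerator accepts these parameters.
     * Providers that enforce a minimum modulus size (the JDK's own rejects
     * anything below 512 bits) throw InvalidAlgorithmParameterException at
     * initialize(); some surface the problem later as a ProviderException.
     * Both are treated as "this JVM cannot do EUSRIDPWD".
     */
    public boolean jceSupportsDrdaDh() {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
            kpg.initialize(new DHParameterSpec(prime, generator), new SecureRandom());
            kpg.generateKeyPair();
            return true;
        } catch (GeneralSecurityException | ProviderException e) {
            return false;
        }
    }

    /** The strongest mechanism this JVM can actually run. */
    public short upgradedSecurityMechanism() {
        return jceSupportsDrdaDh() ? SECMEC_EUSRIDPWD : SECMEC_USRIDPWD;
    }

    /**
     * The rule from the issue: a mechanism set explicitly on the data source
     * is honoured as-is; otherwise (user id and password present) upgrade to
     * the strongest mechanism available.
     */
    public short effectiveSecurityMechanism(Short explicitlySet) {
        if (explicitlySet != null) {
            return explicitlySet;
        }
        return upgradedSecurityMechanism();
    }

    public static void main(String[] args) {
        // Constructed 256-bit group for the probe only: NOT the prime and
        // generator from the Open Group DRDA specification.
        BigInteger p = BigInteger.probablePrime(256, new SecureRandom());
        BigInteger g = BigInteger.valueOf(2);
        SecurityMechanismProbe probe = new SecurityMechanismProbe(p, g);

        System.out.println("JCE accepts 256-bit DH group: " + probe.jceSupportsDrdaDh());
        System.out.println("effective mechanism (no explicit setting): "
                + probe.effectiveSecurityMechanism(null)
                + "  [3 = USRIDPWD, 9 = EUSRIDPWD]");
        System.out.println("effective mechanism (explicit USRIDPWD): "
                + probe.effectiveSecurityMechanism(SECMEC_USRIDPWD));
    }
}
```

Run with `java SecurityMechanismProbe.java` on a stock JDK and the probe reports `false`, so the no-explicit-setting case resolves to 3 (USRIDPWD); a provider that tolerates a 256-bit modulus flips it to 9. The probe generates a throwaway key pair rather than only calling `initialize()` because some providers defer parameter validation until key generation.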