[ https://issues.apache.org/jira/browse/DERBY-3095?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12532864 ]

EDAH-TALLY commented on DERBY-3095:
-----------------------------------

Please see Reproduce3095.zip which can reproduce the exception.

My understanding of the problem is as follows:

Derby creates users as SQL92Identifiers. The user name, unless quoted, is by 
default used in upper case when the user is added.
This should have been the same when the user is removed from the system. It 
seems that the user name is used as supplied and is not converted to upper 
case. So deleting a user might fail, and it does so silently. The user is still in 
the fullAccess list !!

It's a security issue that must be addressed.

A workaround is to use 

    cs.setString(1, userName.toUpperCase()); //DERBY-3095 ISSUE
    cs.setString(2, null);

> CALL SYSCS_UTIL.SYSCS_SET_USER_ACCESS(?, 'NOACCESS') FAILS
> ----------------------------------------------------------
>
>                 Key: DERBY-3095
>                 URL: https://issues.apache.org/jira/browse/DERBY-3095
>             Project: Derby
>          Issue Type: Bug
>          Components: JDBC, Network Client
>    Affects Versions: 10.3.1.4
>         Environment: Linux 2.6.17-13mdv #1 SMP Fri Mar 23 15:18:36 EDT 2007 
> x86_64 AMD Athlon(tm) 64 Processor 3000+ GNU/Linux
>            Reporter: EDAH-TALLY
>
> Sorry to bother you again.
> CALL SYSCS_UTIL.SYSCS_SET_USER_ACCESS(?, 'NOACCESS') FAILS and here's the 
> stack trace : 
> ******************************************************************************************
> java.sql.SQLException: Droit d'accès 'NOACCESS' inconnu.
>         at 
> org.apache.derby.client.am.SQLExceptionFactory40.getSQLException(Unknown 
> Source)
>         at org.apache.derby.client.am.SqlException.getSQLException(Unknown 
> Source)
>         at org.apache.derby.client.am.PreparedStatement.execute(Unknown 
> Source)
>         at com.somecom.createUser(someAPP.java:190)
>         at com.somecom.grantKeys(someAPP.java:288)
>         at com.somecom.showGrantKeys(someAPP.java:269)
>         at com.somecom.MDIMenuClicked(someAPP.java:620)
>         at com.somecom.access$000(someAPP.java:15)
>         at com.somecom$5.actionPerformed(someAPP.java:564)
>         at 
> javax.swing.AbstractButton.fireActionPerformed(AbstractButton.java:1995)
>         at 
> javax.swing.AbstractButton$Handler.actionPerformed(AbstractButton.java:2318)
>         at 
> javax.swing.DefaultButtonModel.fireActionPerformed(DefaultButtonModel.java:387)
>         at 
> javax.swing.DefaultButtonModel.setPressed(DefaultButtonModel.java:242)
>         at javax.swing.AbstractButton.doClick(AbstractButton.java:357)
>         at 
> javax.swing.plaf.basic.BasicMenuItemUI.doClick(BasicMenuItemUI.java:1216)
>         at 
> javax.swing.plaf.basic.BasicMenuItemUI$Handler.mouseReleased(BasicMenuItemUI.java:1257)
>         at java.awt.Component.processMouseEvent(Component.java:6038)
>         at javax.swing.JComponent.processMouseEvent(JComponent.java:3260)
>         at java.awt.Component.processEvent(Component.java:5803)
>         at java.awt.Container.processEvent(Container.java:2058)
>         at java.awt.Component.dispatchEventImpl(Component.java:4410)
>         at java.awt.Container.dispatchEventImpl(Container.java:2116)
>         at java.awt.Component.dispatchEvent(Component.java:4240)
>         at 
> java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4322)
>         at 
> java.awt.LightweightDispatcher.processMouseEvent(Container.java:3986)
>         at java.awt.LightweightDispatcher.dispatchEvent(Container.java:3916)
>         at java.awt.Container.dispatchEventImpl(Container.java:2102)
>         at java.awt.Window.dispatchEventImpl(Window.java:2429)
>         at java.awt.Component.dispatchEvent(Component.java:4240)
>         at java.awt.EventQueue.dispatchEvent(EventQueue.java:599)
>         at 
> java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:273)
>         at 
> java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:183)
>         at 
> java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:173)
>         at 
> java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:168)
>         at 
> java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:160)
>         at java.awt.EventDispatchThread.run(EventDispatchThread.java:121)
> Caused by: org.apache.derby.client.am.SqlException: Droit d'accès 'NOACCESS' 
> inconnu.
>         at org.apache.derby.client.am.Statement.completeExecute(Unknown 
> Source)
>         at 
> org.apache.derby.client.net.NetStatementReply.parseEXCSQLSTTreply(Unknown 
> Source)
>         at 
> org.apache.derby.client.net.NetStatementReply.readExecuteCall(Unknown Source)
>         at org.apache.derby.client.net.StatementReply.readExecuteCall(Unknown 
> Source)
>         at org.apache.derby.client.net.NetStatement.readExecuteCall_(Unknown 
> Source)
>         at org.apache.derby.client.am.Statement.readExecuteCall(Unknown 
> Source)
>         at org.apache.derby.client.am.PreparedStatement.flowExecute(Unknown 
> Source)
>         at org.apache.derby.client.am.PreparedStatement.executeX(Unknown 
> Source)
>         ... 34 more
> *********************************************************************************************
> FULLACCESS : OK
> READONLYACCESS : OK
> NOACCESS : FAILURE
> By the way, the CONNECTION_PERMISSION parameter in the documentation is not 
> up to date.
> Thank you for considering.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
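
The mismatch described in the comment above, as an added example that is not part of the original message and is not Derby's code: a small model in which the grant path normalizes the user name as an SQL92-style identifier and the revoke path matches it as supplied. The class, the method names and the in-memory list are hypothetical; it also shows that a plain toUpperCase() misses a user who was added with a quoted name.

```java
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;

// Added illustration: a model of the mismatch, not Derby's implementation.
public class UserIdCaseDemo {

    // Constructed stand-in for the fullAccess list mentioned in the comment.
    static final Set<String> fullAccess = new LinkedHashSet<>();

    // SQL92-style identifier rule: a delimited ("...") name keeps its case,
    // with "" unescaped to "; an undelimited name folds to upper case.
    static String normalize(String id) {
        if (id.length() >= 2 && id.startsWith("\"") && id.endsWith("\"")) {
            return id.substring(1, id.length() - 1).replace("\"\"", "\"");
        }
        return id.toUpperCase(Locale.ROOT); // locale-independent folding
    }

    static void grant(String user) { fullAccess.add(normalize(user)); }

    // Behaviour described in the comment: the name is matched as supplied.
    static boolean revokeAsSupplied(String user) { return fullAccess.remove(user); }

    // Same normalization on both paths, so grant and revoke agree.
    static boolean revokeNormalized(String user) {
        return fullAccess.remove(normalize(user));
    }

    // Fail loudly when no entry was removed instead of returning silently.
    static void revokeOrThrow(String user) {
        if (!revokeNormalized(user)) {
            throw new IllegalStateException("no access entry for " + normalize(user));
        }
    }

    public static void main(String[] args) {
        grant("alice");     // undelimited: stored in upper case
        grant("\"bob\"");   // delimited: stored with its case preserved
        System.out.println("as supplied: " + revokeAsSupplied("alice") + " " + fullAccess);
        System.out.println("upper-cased: " + revokeAsSupplied("bob".toUpperCase(Locale.ROOT))
                + " " + fullAccess);
        System.out.println("normalized:  " + revokeNormalized("alice") + " " + fullAccess);
        revokeOrThrow("\"bob\"");
        System.out.println("remaining:   " + fullAccess);
    }
}
```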
