I am trying to figure out how Derby BUILTIN and LDAP authentication can
be used without storing a master password in plaintext. I would
appreciate the community's advice.
1) With BUILTIN authentication, there is no encrypted storage for
server-wide credentials. E.g., the credentials needed to authenticate
and bring down the Derby engine. I think that these credentials must be
supplied in plaintext either in derby.properties or in the script which
starts the server.
2) With LDAP authentication, I think that the master LDAP password
(derby.authentication.ldap.searchAuthPW) must be stored in plaintext the
same way.
Am I confused? Is there a recommended workaround for this vulnerability?
Thanks,
-Rick