[ https://issues.apache.org/jira/browse/DERBY-3271?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

John H. Embretsen updated DERBY-3271:
-------------------------------------

    Attachment: Derby3271Repro.java

I doubt this is related to the fact that one of the users is the database 
owner: If I specify -Dderby.user.fred=wilma on the command line as well, fred 
is also denied access on the second run.

However, I think there is a problem with the implementation of property 
precedence. According to the Tuning Guide, "system-wide properties set 
programmatically override database-wide properties and system-wide properties 
set in the derby.properties file" (where "programmatically" includes "on the 
command line"). (from 
http://db.apache.org/derby/docs/dev/tuning/ctunsetprop23308.html )

When I run the attached repro (Derby3271Repro.java) with a debugger, I see that 
the class 
org.apache.derby.impl.jdbc.authentication.BasicAuthenticationServiceImpl 
compares a hashed ("encrypted") version of the passed in password against the 
password defined as a system property if the property also exists as a database 
property, so password comparison fails (hash(pwd) != pwd). This is in contrast 
to what the documentation says.

See BasicAuthenticationServiceImpl.java, lines 194 ->.

Instead, I think the implementation should hash the user-supplied password 
before comparison only if the property is set as a database property and it is 
not set as a system property.  This way, cleartext will be compared to 
cleartext.

Does this make sense?


> Using BUILTIN authentication, I can't log in as database creator after 
> storing credentials in the database.
> -----------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-3271
>                 URL: https://issues.apache.org/jira/browse/DERBY-3271
>             Project: Derby
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 10.3.1.4
>            Reporter: Rick Hillegas
>         Attachments: Derby3271Repro.java
>
>
> Using builtin authentication I am able to create a database and store 
> credentials for 2 users: the original database creator and a second user. 
> After that, I am able to reconnect as the second user but not as the original 
> database creator. My test case follows.
> ------------------------------
> Here is my command for running ij with authentication turned on:
> java \
>   -cp $CLASSPATH \
>   -Dderby.stream.error.logSeverityLevel=0 \
>   \
>   -Dderby.connection.requireAuthentication=true \
>   -Dderby.authentication.provider=BUILTIN \
>   -Dderby.user.builtindba=dummypassword \
>   \
>   org.apache.derby.tools.ij  myscript.sql
> Here is the first run of my script. This creates the database and stores 
> credentials for 2 users, including the connected user:
> ij version 10.4
> ij> --
> -- First try to connect as builtindba.
> --
> connect 
> 'jdbc:derby:derby_builtin;create=true;user=builtindba;password=dummypassword';
> ij> --
> -- If I can't connect as builtindba, try connecting as fred.
> --
> connect 'jdbc:derby:derby_builtin;create=true;user=fred;password=wilma';
> ERROR 08004: Connection authentication failure occurred.  Reason: Invalid 
> authentication..
> ij> --
> -- Store passwords in the database where they will be encrypted.
> --
> call syscs_util.syscs_set_database_property( 'derby.user.builtindba', 
> 'dummypassword' );
> 0 rows inserted/updated/deleted
> ij> call syscs_util.syscs_set_database_property( 'derby.user.fred', 'wilma' );
> 0 rows inserted/updated/deleted
> ij> values current_user;
> 1                                                                             
>                                                   
> --------------------------------------------------------------------------------------------------------------------------------
> BUILTINDBA                                                                    
>                                                   
> 1 row selected
> Here is the second run of my script. This fails to connect as the original 
> user but succeeds as the other user:
> ij version 10.4
> ij> --
> -- First try to connect as builtindba.
> --
> connect 
> 'jdbc:derby:derby_builtin;create=true;user=builtindba;password=dummypassword';
> ERROR 08004: Connection authentication failure occurred.  Reason: Invalid 
> authentication..
> ij> --
> -- If I can't connect as builtindba, try connecting as fred.
> --
> connect 'jdbc:derby:derby_builtin;create=true;user=fred;password=wilma';
> WARNING 01J01: Database 'derby_builtin' not created, connection made to 
> existing database instead.
> ij> --
> -- Store passwords in the database where they will be encrypted.
> --
> call syscs_util.syscs_set_database_property( 'derby.user.builtindba', 
> 'dummypassword' );
> 0 rows inserted/updated/deleted
> ij> call syscs_util.syscs_set_database_property( 'derby.user.fred', 'wilma' );
> 0 rows inserted/updated/deleted
> ij> values current_user;
> 1                                                                             
>                                                   
> --------------------------------------------------------------------------------------------------------------------------------
> FRED                                                                          
>                                                   
> 1 row selected
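The precedence problem discussed in the comment above, as an added Python model that is not Derby's code, the commenter's repro, or the reporter's script: `check_as_described` hashes the supplied password whenever the user also has a database property and then compares it against the command-line (system) property, which is what the comment says BasicAuthenticationServiceImpl does; `check_with_precedence` implements the proposed rule (a programmatic system-wide property wins and is compared cleartext to cleartext; hashing happens only when the credential comes from the database). The hash format, the property dictionaries and `run_scenario` are constructed for the example and replay the two ij runs from the report.

```python
import hashlib
import hmac

# Stand-in for the one-way "encryption" applied when a password is stored as a
# database property. Constructed for this example; not Derby's actual format.
def hash_password(plaintext):
    return "sha256:" + hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def store_database_password(db_props, user, plaintext):
    """Models SYSCS_SET_DATABASE_PROPERTY('derby.user.<user>', pwd): stored hashed."""
    db_props["derby.user." + user] = hash_password(plaintext)


def check_as_described(user, supplied, system_props, db_props):
    """Behaviour the comment describes: the supplied password is hashed whenever
    the user also has a database property, then compared to the system property.
    Result: hash(pwd) != pwd, so a user defined on the command line is denied
    once the same credential has also been stored in the database."""
    key = "derby.user." + user
    candidate = hash_password(supplied) if key in db_props else supplied
    if key in system_props:
        return candidate == system_props[key]
    if key in db_props:
        return candidate == db_props[key]
    return False


def check_with_precedence(user, supplied, system_props, db_props):
    """Proposed fix: a system-wide property set programmatically takes precedence
    and is compared in cleartext; hash only when the credential is the one stored
    as a database property. Constant-time comparison is an addition of this model."""
    key = "derby.user." + user
    if key in system_props:
        return hmac.compare_digest(supplied, system_props[key])
    if key in db_props:
        return hmac.compare_digest(hash_password(supplied), db_props[key])
    return False


def run_scenario(check, fred_on_command_line=False):
    """Replays the two ij runs from the report with a given check function.
    fred_on_command_line=True reproduces the comment's extra experiment of also
    passing -Dderby.user.fred=wilma on the command line."""
    system_props = {"derby.user.builtindba": "dummypassword"}  # -D on the command line
    if fred_on_command_line:
        system_props["derby.user.fred"] = "wilma"
    db_props = {}  # freshly created database: no credentials stored yet

    first = {
        "builtindba": check("builtindba", "dummypassword", system_props, db_props),
        "fred": check("fred", "wilma", system_props, db_props),
    }
    # The first run's script stores both credentials in the database.
    store_database_password(db_props, "builtindba", "dummypassword")
    store_database_password(db_props, "fred", "wilma")

    second = {
        "builtindba": check("builtindba", "dummypassword", system_props, db_props),
        "fred": check("fred", "wilma", system_props, db_props),
    }
    return {"first_run": first, "second_run": second}


if __name__ == "__main__":
    for name, check in (("as described", check_as_described),
                        ("with precedence", check_with_precedence)):
        print(name, run_scenario(check))
        print(name, "(fred also on command line)",
              run_scenario(check, fred_on_command_line=True))
```

With the described behaviour the second run denies builtindba (and fred too once fred is also set on the command line), matching both the report and the comment's experiment; with the precedence rule both users connect in the second run and a wrong password is still rejected.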
