Rick Hillegas wrote:
I am trying to figure out how Derby BUILTIN and LDAP authentication can
be used without storing a master password in plaintext. I would
appreciate the community's advice.
1) With BUILTIN authentication, there is no encrypted storage for
server-wide credentials. E.g., the credentials needed to authenticate
and bring down the Derby engine. I think that these credentials must be
supplied in plaintext either in derby.properties or in the script which
starts the server.
I think this is true, and it's a pity. It's a classical problem, though, see
e.g. [1]. It helps setting the file permissions so that derby.properties is
readable only by the user running the Network Server, but you would have to rely
on additional layers of security as well.
Is there a recommended workaround for this vulnerability?
Not sure... Use a different (non-BUILTIN) authentication provider?
[1]: http://www.perlmonks.org/?node_id=441605
--
John
