Rick Hillegas wrote:
> Daniel John Debrunner wrote:
>> Rick Hillegas (JIRA) wrote:
>>> [ https://issues.apache.org/jira/browse/DERBY-1387?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12565836#action_12565836 ]
>>>
>>> Rick Hillegas commented on DERBY-1387:
>>> --------------------------------------
>>> I believe the reason that I was not able to connect at the end of my
>>> experiment was this: the server was actually brought down. Again,
>>> without presenting credentials, this seems like the wrong behavior to
>>> me.
>>
>> Isn't that Derby's behaviour at the moment, shutting the network
>> server down does not enforce authentication? Security enforcement
>> should not be the role of the JMX mbeans.
>> Dan.
>
> Right. I think there are at least two authentication issues here. One is
> the current behavior of the network server (the bug which will be
> addressed by Martin's work on DERBY-2109). The other issue is the fact
> that the current DERBY-1387 patch lets you get your hands on the server
> and system MBeans without presenting credentials. It's that latter issue
> which I'm talking about here.

What would be the issue with getting access to those mbeans without
authentication? Just trying to understand the concern.
Dan.