[ https://issues.apache.org/jira/browse/DERBY-3681?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12598953#action_12598953 ]

Knut Anders Hatlen commented on DERBY-3681:
-------------------------------------------

Hi Dag,

The code in EmbedConnection looks good. One minor nit: @code{lcc} in the 
javadoc should have been {@code lcc}, I think. And, by the way, 
would it make sense to hide the version check in a helper method, for instance 
dd.supportsRoles()? I don't know how we usually check the dictionary version.

I'm not sure that the change in DriverManagerConnector is correct. Using the 
default user ensures that the DBO is the same regardless of whether the 
database was created in that test or not. Not sure if this matters to any of 
the tests, though, I just wanted to raise the issue.

In RolesTest, I think this code should be simplified:

+            Connection cn = null;
+            try {
+                // should work, not defined as a role yet
+                cn = openDefaultConnection("soonarole","whatever");
+            } finally {
+                try {
+                    if (cn != null) {
+                        cn.close();
+                    }
+                } catch (SQLException e) {
+                }
+            }
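Review bot: the inner `catch (SQLException e) {}` around `cn.close()` discards the exception and never uses `e`, so a failure on the close path can never fail the test; the simplest fix is to drop the inner try/catch and let the test method propagate SQLException. The `// should work, not defined as a role yet` comment states the expectation, but nothing in the hunk asserts that `cn` is non-null, so a null return from openDefaultConnection() passes silently.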

As it is now, if openDefaultConnection() incorrectly returns null, it is 
silently ignored. Also, exceptions from cn.close() are swallowed. Couldn't it 
be replaced with this one-liner:

    openDefaultConnection("soonarole", "whatever").close();

It's simpler, and it would fail on null values and SQLExceptions. (For 
readability, I would perhaps also have removed the finally clause in the 
try/finally near the end of testLoginWithUsernameWhichIsARole() too, but there 
it wouldn't have any effect on what is tested.)

> When authenticating a user at connect time, verify that the user provided is 
> not also a defined role name.
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-3681
>                 URL: https://issues.apache.org/jira/browse/DERBY-3681
>             Project: Derby
>          Issue Type: Sub-task
>          Components: Security
>            Reporter: Dag H. Wanvik
>            Assignee: Dag H. Wanvik
>             Fix For: 10.5.0.0
>
>         Attachments: derby-3681-1.diff, derby-3681-1.stat
>
>
> Although we try to avoid creating roles that are not also valid Derby users 
> (see DERBY-3673), we cannot in general know for sure that no such user 
> exists; it could be added to derby.properties after the role has been 
> created, authentication could be LDAP or user-defined, in which cases the 
> check at role creation time will not work. So, in order to avoid collisions 
> between user identifiers and role identifiers, we should check at connect 
> time that there is no role by the same name as the supplied user name.
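The two checks described in the issue, modelled as an added example (not Derby's own code): a creation-time check that can only see users known at that moment, and a connect-time check that also catches users served by an external authenticator or added later. The `RoleUserCollisionDemo` class, its upper-casing of identifiers, and the `BiPredicate` standing in for BUILTIN/LDAP/user-defined authentication are all assumptions of this illustration.

```java
import java.sql.SQLException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.function.BiPredicate;

// Hypothetical model of the checks proposed in DERBY-3673 / DERBY-3681.
public class RoleUserCollisionDemo {
    // Role names as the data dictionary would hold them. Unquoted SQL
    // identifiers are upper-cased here; that normalisation is an assumption.
    private final Set<String> definedRoles = new HashSet<>();
    // Pluggable authenticator (user, password) -> accepted?; stands in for
    // BUILTIN, LDAP or user-defined authentication.
    private final BiPredicate<String, String> authenticator;

    RoleUserCollisionDemo(BiPredicate<String, String> authenticator) {
        this.authenticator = authenticator;
    }

    static String normalize(String id) { return id.toUpperCase(Locale.ROOT); }

    // Creation-time check: only users known right now can be excluded.
    void createRole(String role, Set<String> knownUsers) throws SQLException {
        String r = normalize(role);
        if (knownUsers.contains(r)) {
            throw new SQLException("role name clashes with a known user: " + role);
        }
        definedRoles.add(r);
    }

    // Connect-time check: authenticate first, then refuse a user whose name
    // is also a defined role, whatever authentication scheme accepted it.
    void connect(String user, String password) throws SQLException {
        if (!authenticator.test(user, password)) {
            throw new SQLException("authentication failed for " + user);
        }
        if (definedRoles.contains(normalize(user))) {
            throw new SQLException("user name collides with a role: " + user);
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed scenario: an external directory that accepts every login.
        RoleUserCollisionDemo db = new RoleUserCollisionDemo((u, p) -> true);
        Set<String> knownAtCreation = new HashSet<>();   // directory not visible
        db.createRole("soonarole", knownAtCreation);     // creation check passes
        try {
            db.connect("soonarole", "whatever");         // connect check rejects
        } catch (SQLException e) {
            System.out.println("rejected at connect time: " + e.getMessage());
        }
    }
}
```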

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.