[ https://issues.apache.org/jira/browse/DERBY-3532?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12739839#action_12739839 ]
Lily Wei commented on DERBY-3532:
---------------------------------
I am hesitant to decide on having a lightweight check in the network server for
each client request to see if the embedded engine is running. If there is any
good suggestion, I will be happy to try it.
I am trying to fix the test problem in JUnit regarding the network service
server using an embedded data source when it is shutting down. First try: I
changed DriverManagerConnector.shutEngine, hoping to shut down the engine with
the network server URL instead of the embedded URL. However, if I use
jdbcclient.getUrlBase(), I get an error like:
Caused by: org.apache.derby.client.am.SqlException: The URL
'jdbc:derby://localhost:1527/' is not properly formed.
Second try: if I take out the extra "/" from JDBCClient.DERBYNETCLIENT, I get
the error:
Caused by: java.sql.SQLException: Database '/localhost:1527/' not found.
Is there any particular reason we put the comment "Always shutsdown using the
embedded URL thus this method will not work in a remote testing environment."
in DriverManagerConnector.shutEngine()? I think the writer is reading my mind
now. I am open to any suggestions.
> Invalid & possibly skipped authentication handling when shutting down the
> network server.
> ------------------------------------------------------------------------------------------
>
> Key: DERBY-3532
> URL: https://issues.apache.org/jira/browse/DERBY-3532
> Project: Derby
> Issue Type: Bug
> Components: Network Server
> Affects Versions: 10.4.1.3, 10.5.1.1
> Reporter: Daniel John Debrunner
> Priority: Critical
> Attachments: ReproDerby3532.java, ReproDerby3532.java
>
>
> In NetworkServerControlImpl.checkShutdownPrivileges() the code fetches the
> internal authentication service to perform user authentication.
> However, if no such authentication service is found (null is returned) then
> authentication is bypassed; this has the potential of being a security hole.
> The discussion in DERBY-2109 indicated that even with authentication NONE,
> there is still an internal authentication service, thus null is not a valid
> return when getting the internal authentication service. A secure fail safe
> system would be to not bypass authentication if null is returned.
> I tried removing the check for null in the method and that led to
> NullPointerExceptions. This means that something wrong is going on and very
> possibly no authentication checks are actually being made when shutting down
> the network server.
> The null return might be due to checking the authentication after Derby has
> been shut down.
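The fail-open versus fail-safe behaviour described in the issue, as an added example that is not Derby's code and not part of the original message. AuthService, the two check methods and the credentials are hypothetical stand-ins for the internal authentication service and the shutdown privilege check.

```java
import java.sql.SQLException;

// Added illustration; none of these types are Derby's own.
public class ShutdownAuthDemo {

    // Hypothetical stand-in for the internal authentication service.
    interface AuthService {
        boolean authenticate(String user, String password);
    }

    // Fail-open shape the issue describes: a missing service skips the check.
    static void checkFailOpen(AuthService svc, String user, String pw) throws SQLException {
        if (svc == null) {
            return; // authentication silently bypassed
        }
        if (!svc.authenticate(user, pw)) {
            throw new SQLException("shutdown denied: invalid credentials");
        }
    }

    // Fail-safe shape the issue asks for: a missing service is itself a denial.
    static void checkFailClosed(AuthService svc, String user, String pw) throws SQLException {
        if (svc == null) {
            throw new SQLException("shutdown denied: no authentication service available");
        }
        if (!svc.authenticate(user, pw)) {
            throw new SQLException("shutdown denied: invalid credentials");
        }
    }

    // Runs one of the two checks and reports whether shutdown would be allowed.
    static boolean allowed(boolean failClosed, AuthService svc, String user, String pw) {
        try {
            if (failClosed) checkFailClosed(svc, user, pw);
            else checkFailOpen(svc, user, pw);
            return true;
        } catch (SQLException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed credentials; "gone" models a lookup that returns null.
        AuthService live = (u, p) -> "admin".equals(u) && "s3cret".equals(p);
        AuthService gone = null;
        System.out.println("fail-open,   service present, bad password: " + allowed(false, live, "admin", "wrong"));
        System.out.println("fail-open,   service null,    bad password: " + allowed(false, gone, "admin", "wrong"));
        System.out.println("fail-closed, service null,    bad password: " + allowed(true, gone, "admin", "wrong"));
        System.out.println("fail-closed, service present, good password: " + allowed(true, live, "admin", "s3cret"));
    }
}
```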