[ 
https://issues.apache.org/jira/browse/DERBY-4579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12859781#action_12859781
 ] 

Knut Anders Hatlen commented on DERBY-4579:
-------------------------------------------

Hi Kim,

This looks great. Thank you very much for writing it up! I only have a
couple of minor comments to the new section in the reference manual:

1) We should add one more sentence under "Function":

  "If the property is NULL or an empty string, SHA-1 will be used on
  the password only."

2) Under "Default", it says "If SHA-256 is not available, the default
is SHA-1 on the password only." The last part should be changed to
"(...), the default is SHA-1."

3) Under "Dynamic or static", we may want to add that the setting only
affects passwords that are updated after the property has been
changed. Existing passwords are not touched.

> Document the configurable hash authentication scheme
> ----------------------------------------------------
>
>                 Key: DERBY-4579
>                 URL: https://issues.apache.org/jira/browse/DERBY-4579
>             Project: Derby
>          Issue Type: Improvement
>          Components: Documentation
>    Affects Versions: 10.6.0.0
>            Reporter: Knut Anders Hatlen
>            Assignee: Kim Haase
>         Attachments: DERBY-4579.diff, DERBY-4579.stat, DERBY-4579.zip
>
>
> DERBY-4483 adds the ability to configure which message digest algorithm to 
> use to protect the passwords that are stored in the database when using 
> BUILTIN authentication.
> I think these changes are required:
> * Reference manual: Document the new database property 
> derby.authentication.builtin.algorithm. It's a dynamic property that can be 
> set either on database level or on system level. Its value is the name of a 
> message digest algorithm available from one of the Java Cryptography 
> Extension providers registered in the JVM. Example values: MD5, SHA-256, 
> SHA-512. The specified algorithm will be applied on the concatenation of the 
> user name and the password before it's stored in the database. If the 
> property is NULL or the empty string, the old algorithm (SHA-1 on the 
> password only) is applied instead.
> * Developer's guide: Mention the property in "List of user authentication 
> properties"
> * Server and admin guide: In the table in section "Network client security", 
> mention that strong password substitution cannot be used to connect as a user 
> whose password has been stored with the new scheme. I'd suggest changing the 
> following sentence:
>     Strong password substitution cannot be used with external Derby 
> authentication schemes (for example, LDAP).
> And replacing it with something like:
>     Strong password substitution can only be used with Derby's NONE and 
> BUILTIN authentication schemes. Also, for the BUILTIN scheme, it does not 
> work for database-level users whose password has been protected by a custom 
> message digest algorithm specified by the 
> derby.authentication.builtin.algorithm property.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
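The hashing rules stated in the comment above and in the quoted issue description, as an added Python illustration that is not Derby's own code: the property value names a JCE digest that is applied to the user name concatenated with the password, a NULL or empty value falls back to SHA-1 on the password only, the default is SHA-256 with SHA-1 as the default when SHA-256 is unavailable, and changing the dynamic property affects only passwords set afterwards, so a store has to remember which scheme each existing entry used in order to verify it later. Hex encoding, the `legacy` label, the class and function names, and the way the scheme is recorded next to the digest are assumptions made for this illustration, not Derby's actual storage format.

```python
import hashlib
import hmac

# Values are the ones the issue describes; the constant names are this example's own.
LEGACY_SCHEME = "legacy"          # SHA-1 on the password only (property NULL or empty)
DEFAULT_ALGORITHM = "SHA-256"     # default value of derby.authentication.builtin.algorithm
FALLBACK_ALGORITHM = "SHA-1"      # default when SHA-256 is not available


def _hashlib_name(java_name):
    """Map a JCE-style digest name ("SHA-256", "SHA-1", "MD5") to hashlib's spelling."""
    return java_name.replace("-", "").lower()


def algorithm_available(java_name):
    """True if this runtime offers the named digest (stands in for a JCE provider lookup)."""
    try:
        hashlib.new(_hashlib_name(java_name))
        return True
    except ValueError:
        return False


def default_property_value():
    """Default for the property: SHA-256, or SHA-1 if SHA-256 is not available."""
    return DEFAULT_ALGORITHM if algorithm_available(DEFAULT_ALGORITHM) else FALLBACK_ALGORITHM


def hash_password(user, password, property_value):
    """Return (scheme, hex_digest) for the given property value.

    NULL/empty property -> SHA-1 over the password alone (the old scheme).
    Otherwise           -> the named digest over user name + password.
    """
    if property_value is None or property_value == "":
        return (LEGACY_SCHEME, hashlib.sha1(password.encode("utf-8")).hexdigest())
    digest = hashlib.new(_hashlib_name(property_value))
    digest.update((user + password).encode("utf-8"))
    return (property_value, digest.hexdigest())


class BuiltinPasswordStore:
    """Toy stand-in for the stored BUILTIN credentials (assumed layout, not Derby's)."""

    def __init__(self, property_value=None):
        self.property_value = property_value
        self.records = {}   # user -> (scheme, hex_digest)

    def set_property(self, value):
        # Dynamic property: only passwords set from now on use the new value.
        # Existing records are deliberately left untouched.
        self.property_value = value

    def set_password(self, user, password):
        self.records[user] = hash_password(user, password, self.property_value)

    def stored_scheme(self, user):
        return self.records[user][0]

    def verify(self, user, password):
        # Verification uses the scheme recorded with the entry, not the current property.
        if user not in self.records:
            return False
        scheme, stored = self.records[user]
        prop = None if scheme == LEGACY_SCHEME else scheme
        candidate_scheme, candidate = hash_password(user, password, prop)
        return candidate_scheme == scheme and hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    store = BuiltinPasswordStore(property_value=None)     # property unset: legacy scheme
    store.set_password("alice", "secret")
    store.set_property(default_property_value())           # switch to SHA-256
    store.set_password("bob", "secret")
    print(store.stored_scheme("alice"), store.stored_scheme("bob"))   # legacy SHA-256
    print(store.verify("alice", "secret"), store.verify("bob", "wrong"))  # True False
```

Two points worth noticing when running it: the legacy scheme yields the same digest for two users who share a password, whereas the user-name prefix in the new scheme makes their stored values differ; and after `set_property` the entry for `alice` still verifies under the legacy scheme, which is exactly why the stored record, rather than the current property, has to decide how a login attempt is hashed.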