Hi Rob,
If I understand your needs correctly, you want to be able to do the
following:
1) Store credentials in a database managed by a Derby NetworkServer.
2) Prevent random users from creating databases on the server machine by
running ij from their client desktops.
Unfortunately, you don't have a lot of options with Derby's BUILTIN
authentication scheme. Either a) you expose the plaintext credentials in
system properties or the derby.properties file, or b) you store the
credentials in a Derby database where they can't be used to authenticate
system-wide operations like database creation and engine shutdown. I
believe that your options are:
A) Use LDAP authentication on the server machine. See
http://db.apache.org/derby/docs/10.8/devguide/devguide-single.html#cdevcsecure38522
B) Write your own custom authenticator which runs on the server machine
and stores credentials in a Derby database. See
http://db.apache.org/derby/docs/10.8/publishedapi/jdbc4/
C) Wait for release 10.9. In 10.9 we expect to introduce NATIVE
authentication. NATIVE authentication will store credentials in a Derby
database and let you use them to authenticate system-wide operations
like database creation and engine shutdown. For more information, see
the UserManagement.html spec attached to DERBY-866.
Hope this helps,
-Rick
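Option B above as a worked example. This is an added illustration, not code from this thread or from the Derby project: org.apache.derby.authentication.UserAuthenticator and the derby.connection.requireAuthentication / derby.authentication.provider properties are Derby's own, while the package and class names, the example.auth.credentialFile JVM property, the file name and the record format are assumptions made here. It keeps salted PBKDF2 hashes in a file readable only by the server process rather than in a Derby database, because with a system-wide provider the authenticator's own connection to a credential database would be routed back through the same authenticator. The point is that nothing in derby.properties holds a plaintext password, and the same check gates database creation and engine shutdown because the provider is system-wide.

```java
// Added example (not code from this thread or from the Derby project).
// Package, class, file and property names below are hypothetical.
package com.example.derbyauth;

import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.sql.SQLException;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.derby.authentication.UserAuthenticator;

/**
 * System-wide authenticator verifying salted PBKDF2 hashes kept in a file.
 * Enable it in the server's derby.properties (class on the server classpath):
 *
 *   derby.connection.requireAuthentication=true
 *   derby.authentication.provider=com.example.derbyauth.CredentialStoreAuthenticator
 *
 * The file location comes from the JVM property example.auth.credentialFile
 * (hypothetical name; pass it with -D on the server's command line).
 */
public class CredentialStoreAuthenticator implements UserAuthenticator {

    private static final String FILE_PROPERTY = "example.auth.credentialFile";
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    // Derby calls this for every connection attempt, including
    // ;create=true and ;shutdown=true, because the provider is system-wide.
    public boolean authenticateUser(String userName, String userPassword,
                                    String databaseName, Properties info)
            throws SQLException {
        if (userName == null || userPassword == null) {
            return false;
        }
        String path = System.getProperty(FILE_PROPERTY, "credentials.properties");
        String record;
        try {
            record = loadStore(Paths.get(path)).getProperty(userName);
        } catch (IOException e) {
            throw new SQLException("Credential store unreadable: " + path, e);
        }
        if (record == null) {
            return false; // unknown user
        }
        return verify(record, userPassword);
    }

    // Record layout in the file: <user>=<iterations>:<base64 salt>:<base64 hash>
    static boolean verify(String record, String password) throws SQLException {
        String[] parts = record.split(":");
        if (parts.length != 3) {
            throw new SQLException("Malformed credential record");
        }
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = pbkdf2(password.toCharArray(), salt, iterations, expected.length * 8);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    static byte[] pbkdf2(char[] password, byte[] salt, int iterations, int keyBits)
            throws SQLException {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, keyBits);
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new SQLException("PBKDF2 unavailable in this JVM", e);
        }
    }

    /** Builds the line an administrator appends to the credential file for a new user. */
    public static String newRecord(String userName, String password) throws SQLException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] hash = pbkdf2(password.toCharArray(), salt, ITERATIONS, KEY_BITS);
        Base64.Encoder b64 = Base64.getEncoder();
        return userName + "=" + ITERATIONS + ":" + b64.encodeToString(salt)
                + ":" + b64.encodeToString(hash);
    }

    private static Properties loadStore(Path file) throws IOException {
        Properties p = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            p.load(in);
        }
        return p;
    }

    // Admin helper: java -cp ... com.example.derbyauth.CredentialStoreAuthenticator <user> <password>
    public static void main(String[] args) throws SQLException {
        System.out.println(newRecord(args[0], args[1]));
    }
}
```

In the setup described in this thread (the network server hosted inside Tomcat), the compiled class goes on the same classpath as derby.jar and derbynet.jar, and the credential file should be owned by and readable only by the service account that runs Tomcat. Since every connection attempt, including one with create=true from ij on a client desktop, now has to pass this check, users who are not in the file cannot create databases or shut the engine down.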
On 1/17/12 12:06 PM, Robert DiPietro wrote:
Thanks for your response Kristian.
Following your ij session... it works and access to the 'mdb' instance is
restricted to the 'mdb' database user. But someone can then still run ij and
create other databases and users. This is what I am trying to avoid.
I was hoping there was a way to do this without having a system level
username/password defined in derby.properties in plain text.
So is that possible?
Thanks again,
Rob DiPietro
-----Original Message-----
From: Kristian Waagan [mailto:[email protected]]
Sent: Tuesday, January 17, 2012 1:52 AM
To: [email protected]
Subject: Re: Authentication and passwords in derby.properties
On 16.01.12 16:05, Robert DiPietro wrote:
Hi Knut,
Thanks for your response. I tried setting the properties with derby completely
lowercase and still don't seem to be having much luck with what I am trying to
do.
I have tried this a few different ways. Let me try to step through what I'm
doing (and trying to do) and maybe you'll catch where I am going wrong:
Here's what my derby.properties looks like (with auth disabled and the system
level user disabled).
#derby.connection.requireAuthentication=true
#derby.authentication.provider=BUILTIN
#derby.user.adminuser=adminpass
derby.drda.portNumber=9947
derby.drda.host=0.0.0.0
derby.infolog.append=true
derby.stream.error.file=C:/logs/javaserver_derby.log
We have Derby running inside of a Tomcat process/service. I use RazorSQL as my
interface to Derby.
So today I tried:
1. Create database/user via the connection string:
jdbc:derby://localhost:9947/mdb;create=true;user=mdb;password=mdb
without specifying a username/password in the RazorSQL connection profile. This
works.
2. Modify the profile to use the mdb user/pass and remove the connection string
parameters and connect. This works.
3. Issue the following to Derby while logged in as MasterDB:
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.propertiesOnly', 'true');
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.connection.requireAuthentication', 'true');
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.authentication.provider', 'BUILTIN');
This works, and I can still log in.
Hi,
When I perform the above steps, I'm not able to log into the database at all.
If I additionally do
CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.user.mdb', 'mdb');
I can only connect with that user/pass.
Here's from the ij session:
ij> connect 'jdbc:derby:mdb;create=true;user=mdb;password=mdb';
ij> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.propertiesOnly','true');
0 rows inserted/updated/deleted
ij> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.connection.requireAuthentication', 'true');
0 rows inserted/updated/deleted
ij> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.authentication.provider', 'BUILTIN');
0 rows inserted/updated/deleted
ij> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.user.mdb', 'mdb');
0 rows inserted/updated/deleted
ij> disconnect;
ij> connect 'jdbc:derby:mdb;shutdown=true;user=mdb;password=mdb';
ERROR 08006: Database 'mdb' shutdown.
ij> connect 'jdbc:derby:mdb';
ERROR 08004: Connection authentication failure occurred. Reason:
Invalid authentication..
ij> connect 'jdbc:derby:mdb;user=mdb;password=incorrect';
ERROR 08004: Connection authentication failure occurred. Reason:
Invalid authentication..
ij> connect 'jdbc:derby:mdb;user=mdb;password=mdb';
ij> disconnect;
ij> connect 'jdbc:derby:mdb;shutdown=true';
ERROR 08004: Connection authentication failure occurred. Reason:
Invalid authentication..
ij> connect 'jdbc:derby:mdb;shutdown=true;user=mdb;password=mdb';
ERROR 08006: Database 'mdb' shutdown.
ij>
When using the BUILTIN scheme, users defined in derby.properties are
system-wide, whereas users defined as database properties are specific
to that database.
Regards,