[
https://issues.apache.org/jira/browse/GERONIMO-4296?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12790029#action_12790029
]
Han Hong Fang commented on GERONIMO-4296:
-----------------------------------------
I did some quick research on this topic, and propose a solution for this issue as
below.
1. enable user authentication in our embedded Derby server
2. use a user-defined class as derby.authentication.provider. The user-defined
class should implement the Derby-required public interface
org.apache.derby.authentication.UserAuthenticator
3. use Geronimo security realm (using the default realm named geronimo-admin)
to store the derby user ids and passwords. Set default user id/pwd in
geronimo-admin as dbadmin/manager, and put it into a new group name such as
derbyGroup. The information will be used in the implementation of the user-defined
UserAuthenticator
4. set the default derby user id/pwd (i.e., dbadmin/manager) into the deployment
plan of existing datasources (e.g., SystemDatabase) to make sure they work
after enabling user authentication in our embedded Derby server.
5. Geronimo user has the chance to modify derby user id/pwd by modifying the
property file behind geronimo-admin security realm, but he/she is required to
edit the datasources and var\config\config.xml if the default derby user
id/pwd is changed.
I have a question related to item 3: shall a user in the console admin group (e.g.,
system/manager) be used to log in to our derby?
Your comments are also highly appreciated.
Janet
> Start Derby NetworkServerControl with credentials to prevent unauthorized
> shutdowns
> -----------------------------------------------------------------------------------
>
> Key: GERONIMO-4296
> URL: https://issues.apache.org/jira/browse/GERONIMO-4296
> Project: Geronimo
> Issue Type: Improvement
> Security Level: public(Regular issues)
> Components: databases
> Affects Versions: 2.0.3, 2.1.3, 2.1.4, 2.2
> Reporter: Donald Woods
> Assignee: Donald Woods
> Priority: Minor
> Fix For: Wish List
>
>
> Use the new NetworkServerControl support in Derby 10.4.1.3 and later to start
> our embedded Derby server with credentials, to prevent any other apps on
> localhost from stopping our Derby instance. The following Derby release note
> details the scenario and the new API -
> http://db.apache.org/derby/releases/release-10.4.1.3.html#Note+for+DERBY-3585
> We could either use random uid/pwd values to start the Derby server, which
> would be the most secure, but would keep other apps from using our Derby
> server. The other option would be to set uid/pwd GBean attributes and
> default them to the default system/manager values and leave it up to the user
> to change them.
> Note: This may also require some Samples, Testsuite and Portlet changes to
> handle the required DB auth.
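A sketch of the authenticator described in items 2 and 3 of the comment, added here as an example; it is not code from the comment or from the Geronimo project. The class name RealmDerbyAuthenticator is hypothetical, and the code assumes that the geronimo-admin realm is reachable through a standard JAAS LoginContext inside the server and that it reports group membership as GeronimoGroupPrincipal.

```java
import java.sql.SQLException;
import java.util.Arrays;
import java.util.Properties;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.derby.authentication.UserAuthenticator;
import org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal;

// Hypothetical class. Derby loads it through its public no-arg constructor when
// derby.connection.requireAuthentication=true and
// derby.authentication.provider=<fully qualified name of this class>.
public class RealmDerbyAuthenticator implements UserAuthenticator {
    private static final String REALM = "geronimo-admin"; // realm named in item 3
    private static final String GROUP = "derbyGroup";     // group proposed in item 3

    public boolean authenticateUser(final String user, String password,
            String databaseName, Properties info) throws SQLException {
        // databaseName is null for system-wide requests; the same check applies.
        if (user == null || user.length() == 0 || password == null) {
            return false; // fail closed on missing credentials
        }
        final char[] pw = password.toCharArray();
        try {
            // Assumption: the server's JAAS configuration resolves REALM.
            LoginContext lc = new LoginContext(REALM, new CallbackHandler() {
                public void handle(Callback[] cbs) throws UnsupportedCallbackException {
                    for (Callback cb : cbs) {
                        if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                        else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pw);
                        else throw new UnsupportedCallbackException(cb);
                    }
                }
            });
            lc.login(); // throws LoginException on a bad user id or password
            try {
                // Match on principal type as well as name, so that a *user*
                // who happens to be called "derbyGroup" is not let in.
                for (GeronimoGroupPrincipal g :
                        lc.getSubject().getPrincipals(GeronimoGroupPrincipal.class)) {
                    if (GROUP.equals(g.getName())) return true;
                }
                return false; // valid realm user, but not a Derby user
            } finally {
                lc.logout();
            }
        } catch (LoginException e) {
            return false; // any realm failure denies the connection
        } finally {
            Arrays.fill(pw, '\0'); // do not keep our copy of the password
        }
    }
}
```

Delegating to the realm keeps the authenticator independent of how the property file behind geronimo-admin stores passwords, and requiring derbyGroup membership means console admin accounts cannot log in to Derby unless they are added to that group.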