Posted to derby-user@db.apache.org by Xavier Vigouroux <Xa...@Sun.COM> on 2005/11/15 17:06:46 UTC

[generic question] derby and password

Hi

In my project, I create a database that is accessed afterwards.
At creation, I would like to "secure" the access.

as a dummy question, what is the usual way to secure an access to the DB
whereas the user is never in the loop. All must be done 
programmatically?

is there a "challenge code"?

I am really a dummy in this area...

thanks


Re: [generic question] derby and password

Posted by Sunitha Kambhampati <ks...@gmail.com>.
Xavier Vigouroux wrote:

> Hi
>
> In my project, I create a database that is accessed afterwards.
> At creation, I would like to "secure" the access.
>
> as a dummy question, what is the usual way to secure an access to the DB
> whereas the user is never in the loop. All must be done programmatically?
>
Can you elaborate on what you mean by 'secure' here...

If you want to restrict access to the database with respect to which 
user can connect to derby database, you could turn on user authentication.

To set user authentication, the property is
derby.connection.requireAuthentication=true

Before this, you would have to set users that can access the database. 
http://db.apache.org/derby/docs/dev/devguide/cdevcsecure21547.html#cdevcsecure21547
http://db.apache.org/derby/docs/dev/devguide/cdevcsecure36127.html

E.g. for default builtin authentication provided by derby, you would 
have to set the following property to define a user 'sunitha' with 
password 'pwd'
derby.user.sunitha=pwd

Now to connect to derby, you would have to ensure that the userid, 
password combination is correct and valid, otherwise you will get the 
error 'Connection refused:Invalid authentication'.

$ java org.apache.derby.tools.ij
ij version 10.2
ij> connect 'jdbc:derby:testdb;create=true;user=sunitha;password=pwd';
ij> connect 'jdbc:derby:testdb;create=true;user=sunitha;password=pwd2';
ERROR 08004: Connection refused : Invalid authentication.
ij> connect 'jdbc:derby:testdb;create=true;user=sunitha2;password=pwd2';
ERROR 08004: Connection refused : Invalid authentication.
ij>

HTH,
Sunitha.
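
Added example (not part of the original thread and not Derby project code): one way to do the steps above programmatically at database creation, storing the properties in the database with SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY. The class name is hypothetical; the database name, user and password are the sample values from the ij session, and derby.jar is assumed to be on the classpath.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

// Added example: enable BUILTIN authentication from code, then verify it is enforced.
public class SecureDerbyAtCreation {
    static final String DB = "jdbc:derby:testdb"; // database name from the ij session

    // Store one property inside the database instead of in derby.properties.
    static void setDbProperty(Connection c, String key, String value) throws SQLException {
        try (CallableStatement cs = c.prepareCall(
                "CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(?, ?)")) {
            cs.setString(1, key);
            cs.setString(2, value);
            cs.execute();
        }
    }

    public static void main(String[] args) throws SQLException {
        // 1. Create the database and define the user BEFORE requiring authentication.
        try (Connection c = DriverManager.getConnection(DB + ";create=true")) {
            setDbProperty(c, "derby.user.sunitha", "pwd");
            setDbProperty(c, "derby.authentication.provider", "BUILTIN");
            setDbProperty(c, "derby.connection.requireAuthentication", "true");
        }
        // 2. requireAuthentication is read when the database boots, so reboot it.
        try {
            DriverManager.getConnection(DB + ";shutdown=true");
        } catch (SQLException e) {
            if (!"08006".equals(e.getSQLState())) throw e; // 08006 = database shut down
        }
        // 3. The valid pair connects; a wrong password must fail with SQLState 08004.
        try (Connection ok = DriverManager.getConnection(DB + ";user=sunitha;password=pwd")) {
            System.out.println("valid credentials: connected");
        }
        try (Connection bad = DriverManager.getConnection(DB + ";user=sunitha;password=pwd2")) {
            throw new IllegalStateException("authentication is not being enforced");
        } catch (SQLException e) {
            if (!"08004".equals(e.getSQLState())) throw e;
            System.out.println("wrong password refused: " + e.getMessage());
        }
    }
}
```

Run it once against a directory where testdb does not exist yet; on later runs the first, credential-less connection is itself refused with 08004 because authentication is already on.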

Re: [generic question] derby and password

Posted by "Jean T. Anderson" <jt...@bristowhill.com>.
Xavier Vigouroux wrote:
> Hi
> 
> In my project, I create a database that is accessed afterwards.
> At creation, I would like to "secure" the access.
> 
> as a dummy question, what is the usual way to secure an access to the DB
> whereas the user is never in the loop. All must be done programmatically?

This isn't a dumb question at all -- it's an excellent question for 
Derby because you don't find derby databases in the typical place behind 
a locked door.

Derby has a bunch of strategies. Here's a quick overview to help you 
decide which one might be right for your application.

*Authentication* restricts access to a database (or all databases in a 
system) given a userid and password. Here's an intro to authentication: 
http://db.apache.org/derby/docs/dev/devguide/cdevcsecure42374.html .

*Authorization* restricts access to objects in a database -- without a 
user in the loop, you might not need this, but here's info on it: 
http://db.apache.org/derby/docs/dev/devguide/cdevcsecure36595.html . 
Also, DERBY-464 adds grant/revoke, but isn't implemented yet.

*Encryption* lets you secure the physical database files -- it encrypts 
all the data in tables, indexes, temporary files, the transaction log. 
It's great for protecting databases on devices that can't be secured. 
Information is here: 
http://db.apache.org/derby/docs/dev/devguide/cdevcsecure24366.html .

You can also run your application under a Java 2 Security Manager, which 
is especially useful for when you want to allow remote client access 
using the Derby Network Server. Information is here: 
http://db.apache.org/derby/docs/dev/devguide/cdevcbabejdfj.html . 
However, be aware that the sample policy files aren't quite right 
(DERBY-701), so if you run into any problems, feel free to ask for help.

Dan Debrunner did a "Securing Data with Apache Derby" at ApacheCon US 
2004; you can download his presentation from 
http://db.apache.org/derby/papers/ApacheConUs04.html .

I'll be doing an "Apache Derby Security" presentation at ApacheCon US in 
December -- shameless plug.  :-) I'm hoping to see lots of users there.

regards,

-jean


ps. There's also a developerWorks tutorial that shows how to work with 
derby and signed jar files, but I haven't had time to look at it yet: 
http://www.ibm.com/developerworks/edu/os-dw-os-ad-buildapp.html