Posted to derby-dev@db.apache.org by "Daniel John Debrunner (JIRA)" <ji...@apache.org> on 2008/02/27 21:09:51 UTC

[jira] Created: (DERBY-3477) Make format principal names in SystemPermission (e.g. policy files) match the standard way Derby handles authorization identifiers in a Java context.

Make format principal names in SystemPermission (e.g. policy files) match the standard way Derby handles authorization identifiers in a Java context.
-----------------------------------------------------------------------------------------------------------------------------------------------------

                 Key: DERBY-3477
                 URL: https://issues.apache.org/jira/browse/DERBY-3477
             Project: Derby
          Issue Type: Sub-task
          Components: Security
            Reporter: Daniel John Debrunner


Expected format described in:

https://issues.apache.org/jira/browse/DERBY-2109?focusedCommentId=12561537#action_12561537 

Comments in DERBY-2109 around patch 10 indicate some issue around implementing this; it would be good to see the code that attempted to implement it to help figure out the problem.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Updated: (DERBY-3477) Make format principal names in SystemPermission (e.g. policy files) match the standard way Derby handles authorization identifiers in a Java context.

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-3477?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik updated DERBY-3477:
---------------------------------

    Component/s: Services

> Make format principal names in SystemPermission (e.g. policy files) match the standard way Derby handles authorization identifiers in a Java context.
> -----------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-3477
>                 URL: https://issues.apache.org/jira/browse/DERBY-3477
>             Project: Derby
>          Issue Type: Sub-task
>          Components: Services
>            Reporter: Daniel John Debrunner
>
> Expected format described in:
> https://issues.apache.org/jira/browse/DERBY-2109?focusedCommentId=12561537#action_12561537 
> Comments in DERBY-2109 around patch 10 indicate some issue around implementing this; it would be good to see the code that attempted to implement it to help figure out the problem.



[jira] Commented: (DERBY-3477) Make format principal names in SystemPermission (e.g. policy files) match the standard way Derby handles authorization identifiers in a Java context.

Posted by "Daniel John Debrunner (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-3477?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12574607#action_12574607 ] 

Daniel John Debrunner commented on DERBY-3477:
----------------------------------------------

Given the way that JVMs handle principals in policy files, namely that equality is based upon the Principal's class name and the return from getName, I think the only conclusion is that the format of the name for Derby's SystemPrincipal is the common normal form of the name.

principal org.apache.derby.authentication.SystemPrincipal "FRED"; // cnf of fred (JDBC user name as a Java literal could be "FRED" or "fred")

principal org.apache.derby.authentication.SystemPrincipal "fred"; // cnf of fred (JDBC user name as a Java literal is "\"fred\"")

principal org.apache.derby.authentication.SystemPrincipal "fred@acme.com"; // cnf of fred@acme.com (JDBC user name as a Java literal is "\"fred@acme.com\"")





[jira] Commented: (DERBY-3477) Make format principal names in SystemPermission (e.g. policy files) match the standard way Derby handles authorization identifiers in a Java context.

Posted by "Daniel John Debrunner (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-3477?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573594#action_12573594 ] 

Daniel John Debrunner commented on DERBY-3477:
----------------------------------------------

I think this work-around in the current format permission handling introduces a security hole:

+            principals.add(new SystemPrincipal(user));
+            principals.add(new SystemPrincipal(getAuthorizationId(user)));
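
Review bot: the first add() puts the raw user string into the Subject as a SystemPrincipal next to the one built from getAuthorizationId(user), so one connection carries two differently formatted names under the same principal class and a name written in a policy grant can be satisfied by either. Keep only the principal built from getAuthorizationId(user) and drop principals.add(new SystemPrincipal(user)); if the raw form is needed for some other reason, say so in a comment and give it a distinct principal class.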

This jumps out as wrong to me as SystemPrincipal is being passed a user name in two forms, one in a string form that corresponds to a SQL identifier format (including support for delimited identifiers), the other in a common-normal-form. Any time one passes different concepts to the same code it's a recipe for bugs.

Say the user name is a delimited identifier, user="fred", e.g. in a java program the URL might look like:

    String url = "jdbc:derby:db;user=\"fred\";password=8dkkw";

then the common form of the name is fred. Then the Subject has two SystemPrincipals  "fred" and fred.

Now a grant in the policy file of

  grant principal org.apache.derby.authentication.SystemPrincipal "fred";

will successfully grant the permission to this user. Though the intention is that the permission is granted to the authentication id that has FRED as its cnf.

Now let's see what happens if the user=fred, i.e.

    String url = "jdbc:derby:db;user=fred;password=de7343";

thus it has a cnf of FRED. Thus the subject has two SystemPrincipals,  fred and FRED

Now that previous grant also works for this user.

Thus a single grant that was intended for a single user actually satisfies two users, that's a security hole.
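
The scenario in the comment above, and the normal-form-only rule proposed in the other comment, as an added example that is not part of the original messages or of Derby's code. `DemoPrincipal` and `toNormalForm` are hypothetical stand-ins for `SystemPrincipal` and `getAuthorizationId`, and the normalization rule (strip delimiters and keep case, otherwise upper-case) is an assumption; records require Java 16 or later.

```java
import java.security.Principal;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class PrincipalFormDemo {
    // Hypothetical stand-in for SystemPrincipal. As a record, equality is
    // class + name, the comparison the thread says policy matching relies on.
    record DemoPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    // Assumed SQL identifier normalization (not Derby's getAuthorizationId):
    // delimited names lose their quotes and keep case, others are upper-cased.
    static String toNormalForm(String user) {
        if (user.length() >= 2 && user.startsWith("\"") && user.endsWith("\"")) {
            return user.substring(1, user.length() - 1).replace("\"\"", "\"");
        }
        return user.toUpperCase(Locale.ENGLISH);
    }

    // Principals attached to a connecting user: raw form plus normal form
    // (the work-around under discussion), or the normal form only.
    static Set<Principal> principalsFor(String user, boolean addRawForm) {
        Set<Principal> principals = new LinkedHashSet<>();
        if (addRawForm) principals.add(new DemoPrincipal(user));
        principals.add(new DemoPrincipal(toNormalForm(user)));
        return principals;
    }

    // A grant naming a principal applies when the Subject holds an equal one.
    static boolean grantApplies(String grantedName, Set<Principal> principals) {
        return principals.contains(new DemoPrincipal(grantedName));
    }

    public static void main(String[] args) {
        String grantedName = "fred"; // the name in the policy grant quoted above
        // The user= values from the two JDBC URLs quoted above.
        for (String user : List.of("\"fred\"", "fred")) {
            System.out.printf("user=%-7s both forms: %-5b normal form only: %b%n", user,
                grantApplies(grantedName, principalsFor(user, true)),
                grantApplies(grantedName, principalsFor(user, false)));
        }
    }
}
```

With both forms attached, the grant applies to both connection strings; with the normal form only, it applies to the delimited `"fred"` alone.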




[jira] Commented: (DERBY-3477) Make format principal names in SystemPermission (e.g. policy files) match the standard way Derby handles authorization identifiers in a Java context.

Posted by "Daniel John Debrunner (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/DERBY-3477?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573538#action_12573538 ] 

Daniel John Debrunner commented on DERBY-3477:
----------------------------------------------

I reproduced the behaviour described in DERBY-2109 with the JVM using the principal_name from the policy file as-is and not obeying the semantics of the Principal implementation. I investigated some more and ended up asking a question over on dev@harmony.apache.org: Here's the thread, no replies yet:

http://mail-archives.apache.org/mod_mbox/harmony-dev/200802.mbox/%3c47C708C2.7050509@apache.org%3e
