Posted to derby-commits@db.apache.org by ch...@apache.org on 2014/05/19 22:09:36 UTC
svn commit: r1596037 [9/13] - in /db/derby/docs/trunk: ./ src/security/
Added: db/derby/docs/trunk/src/security/rsecexudclass.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/rsecexudclass.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/rsecexudclass.dita (added)
+++ db/derby/docs/trunk/src/security/rsecexudclass.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,149 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DITA Reference//EN"
+ "../dtd/reference.dtd">
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<reference id="rsecexudclass" xml:lang="en-us">
+<title>Example of setting a user-defined class</title>
+<shortdesc>This is a very simple example of a class that implements the
+<codeph>org.apache.derby.authentication.UserAuthenticator </codeph>
+interface.</shortdesc>
+<prolog><metadata>
+<keywords>
+<indexterm>user-defined classes<indexterm>setting</indexterm></indexterm>
+</keywords>
+</metadata></prolog>
+<refbody>
+<example> <codeblock>import org.apache.derby.authentication.UserAuthenticator;
+import java.io.FileInputStream;
+import java.util.Properties;
+import java.sql.SQLException;
+<b>/**
+ * A simple example of a specialized Authentication scheme.
+ * The system property 'derby.connection.requireAuthentication'
+ * must be set to true, and 'derby.authentication.provider' must
+ * contain the full class name of the overridden authentication
+ * scheme, (that is, the name of this class).
+ *
+ * @see org.apache.derby.authentication.UserAuthenticator
+ */</b>
+public class MyAuthenticationSchemeImpl implements
+ UserAuthenticator {
+ private static final String USERS_CONFIG_FILE = "myUsers.cfg";
+ private static Properties usersConfig;
+
+ <b> // Constructor
+ // We get passed some Users properties if the
+ // authentication service could not set them as
+ // part of the System properties.
+ //</b>
+ public MyAuthenticationSchemeImpl() {
+ }
+
+<b> /* Static block where we load the users definition from a
+ users configuration file. */</b>
+ static {
+<b> /* Load users config file as Java properties.
+ File must be in the same directory where
+ <ph conref="../conrefs.dita#prod/productshortname"></ph> is started.
+ Otherwise, full path must be specified. */</b>
+ FileInputStream in = null;
+ usersConfig = new Properties();
+ try {
+ in = new FileInputStream(USERS_CONFIG_FILE);
+ usersConfig.load(in);
+ in.close();
+ } catch (java.io.IOException ie) {
+ <b>// No Config file. Raise error message</b>
+ System.err.println(
+ "WARNING: Error during Users Config file retrieval");
+ System.err.println("Exception: " + ie);
+ }
+ }
+
+<b> /**
+ * Authenticate the passed-in user's credentials.
+ * A more complex class could make calls
+ * to any external users directory.
+ *
+ * @param userName The user's name
+ * @param userPassword The user's password
+ * @param databaseName The database
+ * @param info Additional jdbc connection info.
+ * @exception SQLException on failure
+ */</b>
+ public boolean authenticateUser(String userName,
+ String userPassword,
+ String databaseName,
+ Properties info)
+ throws SQLException {
+<b> /* Specific Authentication scheme logic.
+ If user has been authenticated, then simply return.
+ If user name and/or password are invalid,
+ then raise the appropriate exception.
+
+ This example allows only users defined in the
+ users config properties object.
+
+ Check if the passed-in user has been defined for the system.
+ We expect to find and match the property corresponding to
+ the credentials passed in. */</b>
+ if (userName == null)
+ <b> // We do not tolerate 'guest' user for now.</b>
+ return false;
+<b>
+ /* Check if user exists in our users config (file)
+ properties set.
+ If we did not find the user in the users config set, then
+ try to find if the user is defined as a System property. */</b>
+ String actualUserPassword;
+ actualUserPassword = usersConfig.getProperty(userName);
+ if (actualUserPassword == null)
+ actualUserPassword = System.getProperty(userName);
+ if (actualUserPassword == null)
+ <b>// No such passed-in user found</b>
+ return false;
+ <b>// Check if the password matches</b>
+ if (!actualUserPassword.equals(userPassword))
+ return false;
+ <b>// Now, check if the user is a valid user of the database</b>
+ if (databaseName != null) {
+ <b>/* If database users restriction lists are present, then
+ check if there is one for this database and if so,
+ check if the user is a valid one for that database.
+ For this example, the only user we authorize in database
+ DarkSide is user 'DarthVader'. This is the only database
+ users restriction list we have for this example.
+ We authorize any valid (login) user to access the
+ OTHER databases in the system.
+ Note that database users ACLs could be set in the same
+ properties file or a separate one and implemented as you
+ wish. */</b>
+ if (databaseName.equals("DarkSide")) {
+ <b>// Check if user is a valid one</b>
+ if (!userName.equals("DarthVader"))
+ <b>// This user is not a valid one of the passed-in</b>
+ return false;
+ }
+ }
+ <b>// The user is a valid one in this database</b>
+ return true;
+ }
+}</codeblock></example>
+</refbody>
+</reference>
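Review bot: In `authenticateUser`, the fallback `actualUserPassword = System.getProperty(userName);` makes every JVM system property an accepted name/password pair, so the accepted user names are not limited to the entries in `myUsers.cfg`, and many property values are not secrets. Because readers copy this example, I would drop the fallback, or look up only a prefixed key such as `System.getProperty("myapp.user." + userName)` (a constructed name), and update the block comment above it to match. The check `actualUserPassword.equals(userPassword)` compares plaintext read from the file and is not a constant-time comparison; a comment saying that a real implementation should store salted password hashes and compare them with `MessageDigest.isEqual` would help. In the static block, a failed `load` leaves `in` unclosed and authentication carries on with an empty `usersConfig`, which deserves a comment as well.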
Propchange: db/derby/docs/trunk/src/security/rsecexudclass.dita
------------------------------------------------------------------------------
svn:eol-style = native
Added: db/derby/docs/trunk/src/security/rseclicense.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/rseclicense.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/rseclicense.dita (added)
+++ db/derby/docs/trunk/src/security/rseclicense.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,247 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DITA Reference//EN"
+ "../dtd/reference.dtd">
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<!--##### DO NOT CHANGE ANYTHING ABOVE THIS LINE #####-->
+<reference id="rseclicense" xml:lang="en-us">
+<title>License</title>
+<shortdesc></shortdesc>
+<prolog><metadata>
+<keywords><indexterm>Apache<indexterm>license</indexterm></indexterm></keywords>
+</metadata></prolog>
+<refbody>
+<section><title>The Apache License, Version 2.0</title>
+<codeblock>
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use,
+ reproduction, and distribution as defined by Sections 1 through
+ 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized
+ by the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under
+ common control with that entity. For the purposes of this
+ definition, "control" means (i) the power, direct or indirect,
+ to cause the direction or management of such entity, whether by
+ contract or otherwise, or (ii) ownership of fifty percent (50%)
+ or more of the outstanding shares, or (iii) beneficial ownership
+ of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making
+ modifications, including but not limited to software source code,
+ documentation source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or
+ Object form, that is based on (or derived from) the Work and
+ for which the editorial revisions, annotations, elaborations,
+ or other modifications represent, as a whole, an original work
+ of authorship. For the purposes of this License, Derivative
+ Works shall not include works that remain separable from, or
+ merely link (or bind by name) to the interfaces of, the Work
+ and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or
+ additions to that Work or Derivative Works thereof, that is
+ intentionally submitted to Licensor for inclusion in the Work
+ by the copyright owner or by an individual or Legal Entity
+ authorized to submit on behalf of the copyright owner. For the
+ purposes of this definition,
+ "submitted" means any form of electronic, verbal, or written
+ communication sent to the Licensor or its representatives,
+ including but not limited to communication on electronic mailing
+ lists, source code control systems, and issue tracking systems
+ that are managed by, or on behalf of, the Licensor for the
+ purpose of discussing and improving the Work, but excluding
+ communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a
+ Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal
+ Entity on behalf of whom a Contribution has been received by
+ Licensor and subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions
+ of this License, each Contributor hereby grants to You a
+ perpetual, worldwide, non-exclusive, no-charge, royalty-free,
+ irrevocable copyright license to reproduce, prepare Derivative
+ Works of, publicly display, publicly perform, sublicense, and
+ distribute the Work and such Derivative Works in Source or
+ Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have
+ made, use, offer to sell, sell, import, and otherwise transfer
+ the Work, where such license applies only to those patent claims
+ licensable by such Contributor that are necessarily infringed by
+ their Contribution(s) alone or by combination of their
+ Contribution(s) with the Work to which such Contribution(s) was
+ submitted. If You institute patent litigation against any entity
+ (including a cross-claim or counterclaim in a lawsuit) alleging
+ that the Work or a Contribution incorporated within the Work
+ constitutes direct or contributory patent infringement, then any
+ patent licenses granted to You under this License for that Work
+ shall terminate as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute
+ must include a readable copy of the attribution notices
+ contained within such NOTICE file, excluding those notices
+ that do not pertain to any part of the Derivative Works, in
+ at least one of the following places: within a NOTICE text
+ file distributed as part of the Derivative Works; within the
+ Source form or documentation, if provided along with the
+ Derivative Works; or, within a display generated by the
+ Derivative Works, if and wherever such third-party notices
+ normally appear. The contents of the NOTICE file are for
+ informational purposes only and do not modify the License.
+ You may add Your own attribution notices within Derivative
+ Works that You distribute, alongside or as an addendum to
+ the NOTICE text from the Work, provided that such additional
+ attribution notices cannot be construed as modifying the
+ License.
+
+ You may add Your own copyright statement to Your modifications
+ and may provide additional or different license terms and
+ conditions for use, reproduction, or distribution of Your
+ modifications, or for any such Derivative Works as a whole,
+ provided Your use, reproduction, and distribution of the Work
+ otherwise complies with the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state
+ otherwise, any Contribution intentionally submitted for
+ inclusion in the Work by You to the Licensor shall be under the
+ terms and conditions of this License, without any additional
+ terms or conditions. Notwithstanding the above, nothing herein
+ shall supersede or modify the terms of any separate license
+ agreement you may have executed with Licensor regarding such
+ Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the
+ trade names, trademarks, service marks, or product names of the
+ Licensor, except as required for reasonable and customary use
+ in describing the origin of the Work and reproducing the content
+ of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or
+ conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or
+ FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for
+ determining the appropriateness of using or redistributing the
+ Work and assume any risks associated with Your exercise of
+ permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and
+ grossly negligent acts) or agreed to in writing, shall any
+ Contributor be liable to You for damages, including any direct,
+ indirect, special, incidental, or consequential damages of any
+ character arising as a result of this License or out of the use
+ or inability to use the Work (including but not limited to
+ damages for loss of goodwill, work stoppage, computer failure or
+ malfunction, or any and all other commercial damages or losses),
+ even if such Contributor has been advised of the possibility of
+ such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by
+ reason of your accepting any such warranty or additional
+ liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied. See the License for the specific language governing
+ permissions and limitations under the License.
+</codeblock>
+</section>
+</refbody>
+</reference>
Propchange: db/derby/docs/trunk/src/security/rseclicense.dita
------------------------------------------------------------------------------
svn:eol-style = native
Added: db/derby/docs/trunk/src/security/rsecnetservbasic.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/rsecnetservbasic.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/rsecnetservbasic.dita (added)
+++ db/derby/docs/trunk/src/security/rsecnetservbasic.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,191 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DITA Reference//EN"
+ "../dtd/reference.dtd">
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<reference id="rsecnetservbasic" xml:lang="en-us">
+<title>Basic security policy template</title>
+<shortdesc>If you start the Network Server without specifying a security
+manager, the Network Server will install a default Java security manager that
+enforces a basic policy.</shortdesc>
+<prolog><metadata>
+<keywords>
+<indexterm>Network Server<indexterm>basic policy</indexterm></indexterm>
+</keywords>
+</metadata></prolog>
+<refbody>
+<section>
+<p> Note that the Network Server attempts to install a security manager only if
+you boot the server as the entry point of your VM. The Network Server will not
+attempt to install a security manager if you start the server from your
+application using the programmatic API described in
+"Starting the Network Server from a Java application" in the
+<ph conref="../conrefs.dita#pub/citadmin"></ph>.</p>
+<p>The following is a copy of the basic policy:</p>
+<codeblock>// This template policy file gives examples of how to configure the
+// permissions needed to run a <ph conref="../conrefs.dita#prod/productshortname"></ph> network server with the Java
+// Security manager.
+//
+grant codeBase "${derby.install.url}derby.jar"
+{
+ // These permissions are needed for everyday, embedded <ph conref="../conrefs.dita#prod/productshortname"></ph> usage.
+ //
+ permission java.lang.RuntimePermission "createClassLoader";
+ permission java.util.PropertyPermission "derby.*", "read";
+ permission java.util.PropertyPermission "user.dir", "read";
+
+ // The next two properties are used to determine if the VM is 32 or 64
+ // bit.
+ //
+ permission java.util.PropertyPermission "sun.arch.data.model", "read";
+ permission java.util.PropertyPermission "os.arch", "read";
+
+ permission java.io.FilePermission "${derby.system.home}","read";
+ permission java.io.FilePermission "${derby.system.home}${/}-",
+ "read,write,delete";
+
+ // This permission lets a DBA reload the policy file while the server
+ // is still running. The policy file is reloaded by invoking the
+ // SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY() system procedure.
+ //
+ permission java.security.SecurityPermission "getPolicy";
+
+ // This permission lets you backup and restore databases
+ // to and from arbitrary locations in your file system.
+ //
+ // This permission also lets you import/export data to and from
+ // arbitrary locations in your file system.
+ //
+ // You may want to restrict this access to specific directories.
+ //
+ permission java.io.FilePermission "<<ALL FILES>>",
+ "read,write,delete";
+
+ // Permissions needed for JMX based management and monitoring.
+ //
+ // Allows this code to create an MBeanServer:
+ //
+ permission javax.management.MBeanServerPermission "createMBeanServer";
+ //
+ // Allows access to <ph conref="../conrefs.dita#prod/productshortname"></ph>'s built-in MBeans, within the domain
+ // org.apache.derby.
+ // <ph conref="../conrefs.dita#prod/productshortname"></ph> must be allowed to register and unregister these MBeans.
+ // It is possible to allow access only to specific MBeans, attributes
+ // or operations. To fine tune this permission, see the javadoc of
+ // javax.management.MBeanPermission or the JMX Instrumentation and
+ // Agent Specification.
+ //
+ permission javax.management.MBeanPermission
+ "org.apache.derby.*#[org.apache.derby:*]",
+ "registerMBean,unregisterMBean";
+ //
+ // Trusts <ph conref="../conrefs.dita#prod/productshortname"></ph> code to be a source of MBeans and to register these in
+ // the MBean server.
+ //
+ permission javax.management.MBeanTrustPermission "register";
+
+ // getProtectionDomain is an optional permission needed for printing
+ // classpath information to derby.log
+ //
+ permission java.lang.RuntimePermission "getProtectionDomain";
+
+ // The following permission must be granted for
+ // Connection.abort(Executor) to work. Note that this permission
+ // must also be granted to outer (application) code domains.
+ //
+ permission java.sql.SQLPermission "callAbort";
+
+ // Needed by file permissions restriction system:
+ //
+ permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
+};
+
+grant codeBase "${derby.install.url}derbynet.jar"
+{
+ // This permission lets the Network Server manage connections from
+ // clients.
+
+ // Accept connections from any host. <ph conref="../conrefs.dita#prod/productshortname"></ph> is listening to the host
+ // interface specified via the -h option to "NetworkServerControl
+ // start" on the command line, via the address parameter to the
+ // org.apache.derby.drda.NetworkServerControl constructor in the API
+ // or via the property derby.drda.host; the default is localhost.
+ // You may want to restrict allowed hosts, e.g. to hosts in a specific
+ // subdomain, e.g. "*.example.com".
+ //
+ permission java.net.SocketPermission "*", "accept";
+
+ // Allow the server to listen to the socket on the default port (1527).
+ // If you have specified another port number with the -p option to
+ // "NetworkServerControl start" on the command line, or with the
+ // portNumber parameter to the NetworkServerControl constructor in the
+ // API, or with the property derby.drda.portNumber, you should change
+ // the port number in the permission statement accordingly.
+ //
+ permission java.net.SocketPermission "localhost:1527", "listen";
+
+ // Needed for server tracing.
+ //
+ permission java.io.FilePermission "${derby.drda.traceDirectory}${/}-",
+ "read,write,delete";
+
+ // Needed by file permissions restriction system:
+ //
+ permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
+ permission java.util.PropertyPermission
+ "derby.__serverStartedFromCmdLine", "read, write";
+
+ // JMX: Uncomment this permission to allow the ping operation of the
+ // NetworkServerMBean to connect to the Network Server.
+ //
+ //permission java.net.SocketPermission "*", "connect,resolve";
+
+ // Needed by sysinfo. The file permission is needed to
+ // check the existence of jars on the classpath. You can
+ // limit this permission to just the locations which hold
+ // your jar files.
+ //
+ // In this template file, this block of permissions is granted
+ // to derbynet.jar under the assumption that derbynet.jar is
+ // the first jar file in your classpath which contains the
+ // sysinfo classes. If that is not the case, then you will want
+ // to grant this block of permissions to the first jar file
+ // in your classpath which contains the sysinfo classes.
+ // Those classes are bundled into the following <ph conref="../conrefs.dita#prod/productshortname"></ph>
+ // jar files:
+ //
+ // derbynet.jar
+ // derby.jar
+ // derbyclient.jar
+ // derbytools.jar
+ //
+ permission java.util.PropertyPermission "user.*", "read";
+ permission java.util.PropertyPermission "java.home", "read";
+ permission java.util.PropertyPermission "java.class.path", "read";
+ permission java.util.PropertyPermission "java.runtime.version", "read";
+ permission java.util.PropertyPermission "java.fullversion", "read";
+ permission java.lang.RuntimePermission "getProtectionDomain";
+ permission java.io.FilePermission "<<ALL FILES>>", "read";
+ permission java.io.FilePermission "java.runtime.version", "read";
+ permission java.io.FilePermission "java.fullversion", "read";
+};</codeblock>
+</section>
+</refbody>
+</reference>
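Review bot: At the end of the `derbynet.jar` grant, `permission java.io.FilePermission "java.runtime.version", "read";` and the `java.fullversion` line after it appear to name system properties rather than file paths. Read access to those properties is already granted by the `PropertyPermission` lines just above, and any file read is already covered by `<<ALL FILES>>`. If the topic has to stay a verbatim copy of the shipped policy, I would leave the lines as they are and add a sentence after "The following is a copy of the basic policy:" saying that the template is a starting point, and that the `<<ALL FILES>>` and `SocketPermission "*", "accept"` grants should be narrowed to the directories and hosts actually used.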
Propchange: db/derby/docs/trunk/src/security/rsecnetservbasic.dita
------------------------------------------------------------------------------
svn:eol-style = native
Added: db/derby/docs/trunk/src/security/rsecpolicysample.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/rsecpolicysample.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/rsecpolicysample.dita (added)
+++ db/derby/docs/trunk/src/security/rsecpolicysample.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,184 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DITA Reference//EN"
+ "../dtd/reference.dtd">
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<reference id="rsecpolicysample" xml:lang="en-us">
+<title>Sample customized Java security policy file</title>
+<shortdesc>Here is a sample customized Java security policy file.</shortdesc>
+<prolog><metadata>
+<keywords>
+<indexterm>Java security<indexterm>policy file sample</indexterm></indexterm>
+</keywords>
+</metadata></prolog>
+<refbody>
+<section>
+<codeblock>grant codeBase "file:///Users/me/javadb/lib/derby.jar"
+{
+ //
+ // These permissions are needed for everyday, embedded Derby usage.
+ //
+ permission java.lang.RuntimePermission "createClassLoader";
+ permission java.util.PropertyPermission "derby.*", "read";
+ permission java.util.PropertyPermission "user.dir", "read";
+ permission java.util.PropertyPermission "derby.storage.jvmInstanceId",
+ "write";
+ // The next two properties are used to determine if the VM is 32-bit
+ // or 64-bit.
+ permission java.util.PropertyPermission "sun.arch.data.model", "read";
+ permission java.util.PropertyPermission "os.arch", "read";
+ permission java.io.FilePermission "/Users/me/derby/dummy","read";
+ permission java.io.FilePermission "/Users/me/derby/dummy${/}-",
+ "read,write,delete";
+
+ //
+ // This permission lets a DBA reload the policy file while the server
+ // is still running. The policy file is reloaded by invoking the
+ // SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY() system procedure.
+ //
+ permission java.security.SecurityPermission "getPolicy";
+
+ //
+ // This permission lets you back up and restore databases
+ // to and from arbitrary locations in your file system.
+ //
+ // This permission also lets you import/export data to and from
+ // arbitrary locations in your file system.
+ //
+ // You may want to restrict this access to specific directories.
+ //
+ permission java.io.FilePermission "/Users/me/derby/dummy/backups/-",
+ "read,write,delete";
+ // imports/exports
+ permission java.io.FilePermission "/Users/me/derby/dummy/imports/-",
+ "read,write,delete";
+ // jar files of user-written functions and procedures
+ permission java.io.FilePermission "/Users/me/derby/dummy/jars/-",
+ "read,write,delete";
+
+ //
+ // Permissions needed for JMX based management and monitoring, which is
+ // available only for JVMs that support "platform management", that is,
+ // Java SE 5.0 or above.
+ //
+ // Allows this code to create an MBeanServer:
+ //
+ permission javax.management.MBeanServerPermission "createMBeanServer";
+ //
+ // Allows access to Derby's built-in MBeans, within the domain
+ // org.apache.derby. Derby must be allowed to register and unregister
+ // these MBeans. It is possible to allow access only to specific
+ // MBeans, // attributes, or operations. To fine-tune this
+ // permission, see the API documentation of
+ // javax.management.MBeanPermission or the JMX Instrumentation and
+ // Agent Specification.
+ //
+ permission javax.management.MBeanPermission
+ "org.apache.derby.*#[org.apache.derby:*]",
+ "registerMBean,unregisterMBean";
+ //
+ // Trusts Derby code to be a source of MBeans and to register these in
+ // the MBean server.
+ //
+ permission javax.management.MBeanTrustPermission "register";
+
+ // getProtectionDomain is an optional permission needed for printing
+ // classpath information to derby.log.
+ permission java.lang.RuntimePermission "getProtectionDomain";
+
+ //
+ // The following permission must be granted for
+ // Connection.abort(Executor) to work. Note that this permission must
+ // also be granted to outer (application) code domains.
+ //
+ permission java.sql.SQLPermission "callAbort";
+
+ // Needed by file permissions restriction system.
+ permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
+
+ // This permission is needed to connect to the LDAP server in order
+ // to authenticate users.
+ // permission java.net.SocketPermission "127.0.0.1:1389",
+ // "accept,connect,resolve";
+};
+
+grant codeBase "file:///Users/me/javadb/lib/derbynet.jar"
+{
+ //
+ // This permission lets the Network Server manage connections from
+ // clients.
+ //
+
+ // Accept connections from any host. Derby is listening to the host
+ // interface specified via the -h option to "NetworkServerControl
+ // start" on the command line, via the address parameter to the
+ // org.apache.derby.drda.NetworkServerControl constructor in the API
+ // or via the property derby.drda.host; the default is localhost.
+ // You may want to restrict allowed hosts, e.g. to hosts in a specific
+ // subdomain, e.g. "*.example.com".
+ permission java.net.SocketPermission "localhost:0-", "accept";
+
+ //
+ // Needed for server tracing.
+ //
+ permission java.io.FilePermission "/Users/me/derby/dummy/traces${/}-",
+ "read,write,delete";
+
+ // Needed by file permissions restriction system.
+ permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
+ permission java.util.PropertyPermission
+ "derby.__serverStartedFromCmdLine", "read, write";
+
+ //
+ // JMX: Uncomment this permission to allow the ping operation of the
+ // NetworkServerMBean to connect to the Network Server.
+ //permission java.net.SocketPermission "*", "connect,resolve";
+
+ //
+ // Needed by sysinfo. The file permission is needed to check the
+ // existence of jars on the classpath. You can limit this permission to
+ // just the locations that hold your jar files.
+ //
+ // In this template file, this block of permissions is granted to
+ // derbynet.jar under the assumption that derbynet.jar is the first jar
+ // file in your classpath that contains the sysinfo classes. If that is
+ // not the case, then you will want to grant this block of permissions
+ // to the first jar file in your classpath that contains the sysinfo
+ // classes. Those classes are bundled into the following Derby jar
+ // files:
+ //
+ // derbynet.jar
+ // derby.jar
+ // derbyclient.jar
+ // derbytools.jar
+ //
+ permission java.util.PropertyPermission "user.*", "read";
+ permission java.util.PropertyPermission "java.home", "read";
+ permission java.util.PropertyPermission "java.class.path", "read";
+ permission java.util.PropertyPermission "java.runtime.version", "read";
+ permission java.util.PropertyPermission "java.fullversion", "read";
+ permission java.lang.RuntimePermission "getProtectionDomain";
+ permission java.io.FilePermission "/Users/me/javadb/lib/-", "read";
+ permission java.io.FilePermission "java.runtime.version", "read";
+ permission java.io.FilePermission "java.fullversion", "read";
+};</codeblock>
+</section>
+</refbody>
+</reference>
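Review bot: In the derbynet.jar grant, the comment above `permission java.net.SocketPermission "localhost:0-", "accept";` still says "Accept connections from any host", although the grant admits only localhost. The same mismatch appears in the derby.jar grant, where the backup/import comment speaks of "arbitrary locations in your file system" while the permissions name only `/Users/me/derby/dummy/backups/-`, `imports/-` and `jars/-`. A reader copying this sample may take the comments as a description of what the policy allows, so I would reword them to `// Accept connections from localhost only. Widen the host pattern (e.g. "*.example.com") only for the clients you intend to admit.` and `// These permissions allow backup, restore, import and export only under the directories listed below.` Two smaller points in the same codeblock: the MBeanPermission comment has a stray `//` in "MBeans, // attributes", and the `java.io.FilePermission "java.runtime.version"` and `"java.fullversion"` lines look like property names used as file paths, which should be confirmed or dropped.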
Propchange: db/derby/docs/trunk/src/security/rsecpolicysample.dita
------------------------------------------------------------------------------
svn:eol-style = native
Added: db/derby/docs/trunk/src/security/rsectrademderby.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/rsectrademderby.dita?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/rsectrademderby.dita (added)
+++ db/derby/docs/trunk/src/security/rsectrademderby.dita Mon May 19 20:09:33 2014
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE topic PUBLIC "-//OASIS//DTD DITA Topic//EN"
+ "../dtd/topic.dtd">
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<topic id="rsectrademderby" xml:lang="en-us">
+<title>Trademarks</title>
+<body>
+<p>The following terms are trademarks or registered trademarks of other
+companies and have been used in at least one of the documents in the
+<ph conref="../conrefs.dita#prod/productlongname"></ph> documentation
+library:</p>
+<p>Cloudscape, DB2, DB2 Universal Database, DRDA, and IBM are trademarks of
+International Business Machines Corporation in the United States, other
+countries, or both.</p>
+<p>Microsoft, Windows, Windows NT, and the Windows logo are trademarks of
+Microsoft Corporation in the United States, other countries, or both. </p>
+<p>Oracle and Java are registered trademarks of Oracle and/or its affiliates.
+Other names may be trademarks of their respective owners.</p>
+<p>UNIX is a registered trademark of The Open Group in the United States and
+other countries.</p>
+<p>Other company, product, or service names may be trademarks or service marks
+of others.</p>
+</body>
+</topic>
Propchange: db/derby/docs/trunk/src/security/rsectrademderby.dita
------------------------------------------------------------------------------
svn:eol-style = native
Added: db/derby/docs/trunk/src/security/secderby.ditamap
URL: http://svn.apache.org/viewvc/db/derby/docs/trunk/src/security/secderby.ditamap?rev=1596037&view=auto
==============================================================================
--- db/derby/docs/trunk/src/security/secderby.ditamap (added)
+++ db/derby/docs/trunk/src/security/secderby.ditamap Mon May 19 20:09:33 2014
@@ -0,0 +1,153 @@
+<?xml version="1.0" encoding="utf-8"?>
+ <!DOCTYPE map PUBLIC "-//OASIS//DTD DITA Map//EN" "map.dtd">
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<map xml:lang="en-us" title="Derby Security Guide">
+<topicmeta>
+<copyright>
+<copyryear year="2004, @COPYRIGHT_YEAR@"/>
+<copyrholder>Apache Software Foundation</copyrholder>
+</copyright>
+<prodinfo>
+<prodname>Derby Security Guide</prodname>
+<vrmlist><vrm version="@RELEASE_ID_SHORT@"/></vrmlist>
+<brand>Apache Derby</brand></prodinfo>
+</topicmeta>
+<topicref href="rseccopyright.dita" navtitle="Copyright"/>
+<topicref href="rseclicense.dita" navtitle="License"/>
+<topicref href="csecpref29520.dita" navtitle="About this guide">
+<topicref href="csecpref11181.dita" navtitle="Purpose of this guide"/>
+<topicref href="csecpref24290.dita" navtitle="Audience"/>
+<topicref href="csecpref23947.dita" navtitle="How this guide is organized"/>
+</topicref>
+<topicref collection-type="family" href="csecintro.dita" navtitle="Part One: Introduction to database security">
+<topicref collection-type="family" href="csecintrowhy.dita" navtitle="Why databases need security">
+<topicref href="csecintrovuln.dita" navtitle="Vulnerabilities of unsecured databases"/>
+<topicref href="csecintrothreats.dita" navtitle="Threats to unsecured databases"/>
+</topicref>
+<topicref collection-type="family" href="csecintrodefenses.dita" navtitle="Defenses against security threats">
+<topicref href="csecintroderbydefenses.dita" navtitle="Derby defenses against threats"/>
+<topicref href="csecintrootherdefenses.dita" navtitle="Defenses outside of Derby"/>
+</topicref>
+<topicref href="csecintromapping.dita" navtitle="Defenses mapped to threats"/>
+<topicref href="csecintrosafer.dita" navtitle="Designing safer Derby applications"/>
+<topicref href="csecterms.dita" navtitle="Security terminology"/>
+</topicref>
+<topicref collection-type="family" href="cseccsecuree.dita" navtitle="Part Two: Configuring security for Derby">
+<topicref collection-type="family" href="cseccsecure12392.dita" navtitle="Basic security configuration tasks">
+<topicref href="tseccsecure81850.dita" navtitle="Configuring security in an embedded environment"/>
+<topicref href="tseccsecure82556.dita" navtitle="Configuring security in a client/server environment">
+<topicref href="csecnetservsecurity.dita" navtitle="Network Server security"/>
+</topicref>
+</topicref>
+<topicref collection-type="family" href="cseccsecure24366.dita" navtitle="Configuring database encryption">
+<topicref href="cseccsecure96815.dita" navtitle="Requirements for Derby encryption"/>
+<topicref collection-type="family" href="cseccsecure97760.dita" navtitle="Working with encryption">
+<topicref href="cseccsecure88690.dita" navtitle="Encrypting databases on creation"/>
+<topicref href="tseccsecureunencrypteddb.dita" navtitle="Encrypting an existing unencrypted database"/>
+<topicref collection-type="family" href="cseccsecure866716.dita" navtitle="Creating a boot password">
+<topicref href="cseccsecure31493.dita" navtitle="Specifying an alternate encryption provider"/>
+<topicref href="cseccsecure67151.dita" navtitle="Specifying an alternate encryption algorithm"/>
+</topicref>
+<topicref collection-type="family" href="tseccsecurenewkeyoverview.dita" navtitle="Encrypting databases with a new key">
+<topicref href="tseccsecurenewbootpw.dita" navtitle="Encrypting databases with a new boot password"/>
+<topicref href="tseccsecurenewextkey.dita" navtitle="Encrypting databases with a new external key"/>
+</topicref>
+<topicref href="cseccsecure60146.dita" navtitle="Booting an encrypted database"/>
+<topicref href="cseccsecuredecryptdb.dita" navtitle="Decrypting an encrypted database"/>
+</topicref>
+</topicref>
+<topicref href="cseccsecure90988.dita" navtitle="Using signed jar files"/>
+<topicref collection-type="family" href="csecssl.dita" navtitle="Configuring SSL/TLS">
+<topicref href="tsecsslclientkeycert.dita" navtitle="Creating a client key pair and certificate"/>
+<topicref href="tsecsslserverkeycert.dita" navtitle="Creating a server key pair and certificate"/>
+<topicref href="tsecsslimportcerts.dita" navtitle="Importing certificates"/>
+<topicref href="csecsslbootconn.dita" navtitle="Booting the server and connecting to it"/>
+<topicref href="csecsslkeys.dita" navtitle="Key and certificate handling"/>
+<topicref href="csecsslserver.dita" navtitle="Starting the server with SSL/TLS"/>
+<topicref href="csecsslclient.dita" navtitle="Running the client with SSL/TLS"/>
+<topicref href="csecssladmin.dita" navtitle="Other server commands"/>
+</topicref>
+<topicref collection-type="family" href="cseccsecureidentity.dita" navtitle="Understanding identity in Derby">
+<topicref collection-type="family" href="cseccsecure37241.dita" navtitle="Users and authorization identifiers">
+<topicref href="cseccsecure24458.dita" navtitle="Authorization identifiers, user authentication, and user authorization"/>
+<topicref href="cseccsecure865580.dita" navtitle="User names and schemas"/>
+<topicref href="rseccsecure622.dita" navtitle="Exceptions when using authorization identifiers"/>
+</topicref>
+<topicref href="cseccsecuredbowner.dita" navtitle="Database Owner"/>
+</topicref>
+<topicref collection-type="family" href="cseccsecure42374.dita" navtitle="Configuring user authentication">
+<topicref collection-type="family" href="cseccsecure41285.dita" navtitle="Configuring LDAP authentication">
+<topicref href="csecldapbooting.dita" navtitle="Booting an LDAP server"/>
+<topicref href="cseccsecure863446.dita" navtitle="Setting up Derby to use your LDAP directory service"/>
+<topicref href="cseccsecure876908.dita" navtitle="Guest access to search for DNs"/>
+<topicref href="cseccsecure863546.dita" navtitle="LDAP performance issues"/>
+<topicref href="cseccsecure863676.dita" navtitle="LDAP restrictions"/>
+<topicref href="cseccsecure864242.dita" navtitle="JNDI-specific properties for external directory services"/>
+</topicref>
+<topicref collection-type="family" href="cseccsecurenativeauth.dita" navtitle="Configuring NATIVE authentication">
+<topicref href="csecnativeenable.dita" navtitle="Enabling NATIVE authentication explicitly"/>
+<topicref href="csecnativecreddb.dita" navtitle="Working with a credentials database"/>
+<topicref href="csecnativeotherprops.dita" navtitle="NATIVE authentication and other database properties"/>
+<topicref href="csecnativemanagecreds.dita" navtitle="Managing users and passwords"/>
+<topicref href="csecnativeconvert.dita" navtitle="Converting an existing database to use NATIVE authentication"/>
+</topicref>
+<topicref href="cseccsecure21561.dita" navtitle="Specifying authentication with a user-defined class">
+<topicref href="rsecexudclass.dita" navtitle="Example of setting a user-defined class"/>
+</topicref>
+<topicref href="rseccsecure557.dita" navtitle="List of user-authentication properties"/>
+<topicref href="cseccsecure79358.dita" navtitle="Programming applications for Derby user authentication"/>
+<topicref href="rseccsecure305.dita" navtitle="Login failure exceptions with user authentication"/>
+<topicref href="csecnetservauthent.dita" navtitle="Configuring Network Server authentication in special circumstances">
+<topicref href="csecappsclientsecurity.dita" navtitle="Configuring Network Client authentication without SSL/TLS"/>
+<topicref href="csecapps49914.dita" navtitle="Configuring Network Server authentication without SSL/TLS"/>
+</topicref>
+</topicref>
+<topicref collection-type="family" href="csecauthorization.dita" navtitle="Configuring user authorization">
+<topicref collection-type="family" href="csecauthorcoarse.dita" navtitle="Configuring coarse-grained user authorization">
+<topicref href="rseccsecure190.dita" navtitle="Read-only and full access permissions"/>
+<topicref href="cseccsecure865818.dita" navtitle="Setting the default connection access mode"/>
+<topicref href="rseccsecure379.dita" navtitle="User authorization exceptions"/>
+</topicref>
+<topicref collection-type="family" href="csecauthorfine.dita" navtitle="Configuring fine-grained user authorization">
+<topicref href="cseccsecuregrantrevokeaccess.dita" navtitle="Using SQL standard authorization"/>
+<topicref href="cseccsecureprivileges.dita" navtitle="Privileges on views, triggers, constraints, and generated columns"/>
+<topicref href="cseccsecureroles.dita" navtitle="Using SQL roles"/>
+<topicref href="cseccsecuresqlauthupgrade.dita" navtitle="Upgrading an old database to use SQL standard authorization"/>
+<topicref href="rseccsecuresqlauthexceptions.dita" navtitle="SQL standard authorization exceptions"/>
+<topicref href="rseccsecurenativeauthex.dita" navtitle="NATIVE authentication and SQL authorization example"/>
+</topicref>
+</topicref>
+<topicref collection-type="family" href="csecjavasecurity.dita" navtitle="Configuring Java security">
+<topicref href="rsecnetservbasic.dita" navtitle="Basic Java security policy file"/>
+<topicref href="rsecpolicysample.dita" navtitle="Sample customized Java security policy file"/>
+<topicref href="csecrunpolicy.dita" navtitle="Using a Java security policy file"/>
+<topicref href="csecembeddedperms.dita" navtitle="Running embedded Derby with a security manager"/>
+<topicref href="tsecnetservrun.dita" navtitle="Running the Network Server with a security manager"/>
+<topicref href="tsecnetservopen.dita" navtitle="Running the Network Server without a security manager"/>
+</topicref>
+<topicref href="csecnetservfileperms.dita" navtitle="Restricting file permissions"/>
+<topicref collection-type="family" href="csecputtogether.dita" navtitle="Putting it all together">
+<topicref href="csecputstart.dita" navtitle="Starting a secured Network Server"/>
+<topicref href="csecputrun.dita" navtitle="Creating and using a secure database"/>
+<topicref href="csecputstop.dita" navtitle="Stopping the secured Network Server"/>
+</topicref>
+</topicref>
+<topicref href="rsectrademderby.dita" navtitle="Trademarks"></topicref>
+</map>
Propchange: db/derby/docs/trunk/src/security/secderby.ditamap
------------------------------------------------------------------------------
svn:eol-style = native