Posted to derby-dev@db.apache.org by "Chinmay Bajikar (JIRA)" <de...@db.apache.org> on 2006/08/17 10:01:13 UTC

[jira] Created: (DERBY-1711) In an embedded env, connection happens properly even when the password supplied is wrong.

In an embedded env, connection happens properly even when the password supplied is wrong.
-----------------------------------------------------------------------------------------

                 Key: DERBY-1711
                 URL: http://issues.apache.org/jira/browse/DERBY-1711
             Project: Derby
          Issue Type: Bug
          Components: JDBC
    Affects Versions: 10.1.3.1
         Environment: Win XP,Java 1.4.x
            Reporter: Chinmay Bajikar
         Attachments: derby.zip

Hi,
I am a new user of Derby.
Have tried to set user authorization at the database level using the example given in the Derby Dev Guide (Page 85).
The steps that I do are as follows,
1) Create a db (using create=true attribute in the connection url)
2) Connect to the db and set the appropriate properties i.e. set requireAuthentication to true, provider to builtin, add a new user, password and give it full access.
3) Set the default access level to noAccess.
4) Close this connection.
5) Now make a new connection using the user name/password. It connects fine.
6) Now try to make a new connection using a wrong user name and it gives a Connection Refused exception.
7) Finally try giving a right username and wrong password and the connection still happens.

Have attached the source file which does all these above steps for reproducing the issue.

Thanks,
Chinmay.


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] Commented: (DERBY-1711) In an embedded env, connection happens properly even when the password supplied is wrong.

Posted by "Chinmay Bajikar (JIRA)" <de...@db.apache.org>.
    [ http://issues.apache.org/jira/browse/DERBY-1711?page=comments#action_12432370 ] 
            
Chinmay Bajikar commented on DERBY-1711:
----------------------------------------

Hi Francois,
Thanks for your observations... But I have tried doing what you have suggested. It doesn't seem to work even then.
If you have a look at the example, you shall see that, the connection is disallowed if the user-name is wrong.
But it's allowed if the user-name is correct and the password is wrong.
If you can, please try out the example.

Thanks,
Chinmay.


[jira] Updated: (DERBY-1711) In an embedded env, connection happens properly even when the password supplied is wrong.

Posted by "Rajesh Kartha (JIRA)" <de...@db.apache.org>.
     [ http://issues.apache.org/jira/browse/DERBY-1711?page=all ]

Rajesh Kartha updated DERBY-1711:
---------------------------------

    Attachment: 1171.sql

As Francois already mentioned, the 'derby.connection.requireAuthentication' is a static property and the db needs to be rebooted to take effect.

Based on the java repro attached before I have written a sql script that mimics the same steps, but have added a shutdown=true for the database in between for the property to take effect. The authentication then works as expected.

Hope this helps.  Please do post to the list should you have any further questions.

-Rajesh


Here is the output and the sql file is attached.

ij version 10.2
ij> connect 'jdbc:derby:FSIDB;create=true';
ij> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.connection.requireAuthentication','true');
0 rows inserted/updated/deleted
ij> VALUES SYSCS_UTIL.SYSCS_GET_DATABASE_PROPERTY('derby.connection.requireAuthentication');
1                                                                                                                               
--------------------------------------------------------------------------------------------------------------------------------
true                                                                                                                            

1 row selected
ij> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.authentication.provider', 'BUILTIN');
0 rows inserted/updated/deleted
ij> CALL  SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.user.sa', 'admin123');
0 rows inserted/updated/deleted
ij> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.defaultConnectionMode','noAccess');
0 rows inserted/updated/deleted
ij> VALUES SYSCS_UTIL.SYSCS_GET_DATABASE_PROPERTY('derby.database.defaultConnectionMode');
1                                                                                                                               
--------------------------------------------------------------------------------------------------------------------------------
noAccess                                                                                                                        

1 row selected
ij> CALL  SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.fullAccessUsers', 'sa');
0 rows inserted/updated/deleted
ij> VALUES SYSCS_UTIL.SYSCS_GET_DATABASE_PROPERTY('derby.database.fullAccessUsers');
1                                                                                                                               
--------------------------------------------------------------------------------------------------------------------------------
sa                                                                                                                              

1 row selected
ij> CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY('derby.database.propertiesOnly', 'false');
0 rows inserted/updated/deleted
ij> disconnect;
ij> --
--
--Shutdown the database for validation to take effect
--
--
connect 'jdbc:derby:FSIDB;shutdown=true;user=sa;password=admin123';
ERROR 08006: Database 'FSIDB' shutdown.
ij> --
--
--Wrong password for the VALID user 'sa' - FAIL
--
--
connect 'jdbc:derby:FSIDB;user=sa;password=wrongpwd';
ERROR 08004: Connection refused : Invalid authentication.
ij> --
--
--Try with valid user and password - SUCCESS
--
--
connect 'jdbc:derby:FSIDB;user=sa;password=admin123';
ij> disconnect;
ij> --
--
-- INVALID user - FAIL
--
--
connect 'jdbc:derby:FSIDB;user=sa1;password=admin123';
ERROR 08004: Connection refused : Invalid authentication.
ij> --
--
--Wrong password for the VALID user 'sa' - FAIL
--
--
connect 'jdbc:derby:FSIDB;create=true;user=sa;password=wrongpwd';
ERROR 08004: Connection refused : Invalid authentication.
ij


[jira] Commented: (DERBY-1711) In an embedded env, connection happens properly even when the password supplied is wrong.

Posted by "Chinmay Bajikar (JIRA)" <de...@db.apache.org>.
    [ http://issues.apache.org/jira/browse/DERBY-1711?page=comments#action_12432724 ] 
            
Chinmay Bajikar commented on DERBY-1711:
----------------------------------------

Hi Rajesh,
Thanks to you and Francois...
I didn't get that part about the db shutdown which Francois mentioned.
Thanks to your script which cleared everything off.
Closing this issue.

Thanks again,
Chinmay....


[jira] Commented: (DERBY-1711) In an embedded env, connection happens properly even when the password supplied is wrong.

Posted by "Francois Orsini (JIRA)" <de...@db.apache.org>.
    [ http://issues.apache.org/jira/browse/DERBY-1711?page=comments#action_12429746 ] 
            
Francois Orsini commented on DERBY-1711:
----------------------------------------

Hi Chinmay,

This is not a bug - The 'derby.connection.requireAuthentication' Derby property is a static one - Once it is set to true to turn on authentication, the database or Derby instance needs to be rebooted - So, if you set this property to true at the database level, just shut down the database and re-open a connection to that database for the property to be taken into account during the following database boot...

However, the example in the guide does NOT do some proper testing in my opinion - it basically checks if the properties have been set but it does NOT intrinsically check if authentication has really been turned on by doing more negative testing... The example also does NOT shut down and restart the database for the Derby static properties to be taken into account. This bug should be converted into a documentation one - I also believe that we need to highlight more the fact that the 'derby.connection.requireAuthentication' property is a static one...

Hope this helps - in the meantime...
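
The negative testing and reboot described in this comment, as a JDBC program added here as an example (it is not the attached derby.zip repro and not Derby's own sample code). It assumes Java 7 or later with derby.jar on the classpath and a constructed database name, authCheckDB; the user sa and password admin123 mirror the ij script posted in this thread.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

public class DerbyAuthCheck {
    // Constructed database name; run in a directory where it does not exist yet.
    static final String DB = "jdbc:derby:authCheckDB";
    static boolean allPassed = true;

    static void setProp(Connection c, String key, String value) throws SQLException {
        try (CallableStatement cs =
                 c.prepareCall("CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(?, ?)")) {
            cs.setString(1, key);
            cs.setString(2, value);
            cs.execute();
        }
    }

    // Returns null when the connection succeeds, otherwise the SQLState of the failure.
    static String tryConnect(String attrs) {
        try (Connection c = DriverManager.getConnection(DB + attrs)) {
            return null;
        } catch (SQLException e) {
            return e.getSQLState();
        }
    }

    static void expect(String label, String attrs, String wantState) {
        String got = tryConnect(attrs);
        boolean ok = (got == null) ? wantState == null : got.equals(wantState);
        allPassed &= ok;
        System.out.println((ok ? "PASS " : "FAIL ") + label + " -> SQLState " + got);
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection(DB + ";create=true")) {
            setProp(c, "derby.connection.requireAuthentication", "true");
            setProp(c, "derby.authentication.provider", "BUILTIN");
            setProp(c, "derby.user.sa", "admin123");
            setProp(c, "derby.database.defaultConnectionMode", "noAccess");
            setProp(c, "derby.database.fullAccessUsers", "sa");
        }
        // Closing the connection does not reboot an embedded database; the thread
        // reports that a wrong password is still accepted at this point.
        expect("wrong password before reboot", ";user=sa;password=wrongpwd", null);
        // A successful database shutdown is itself reported as SQLState 08006.
        expect("shutdown", ";shutdown=true;user=sa;password=admin123", "08006");
        // The next connection attempt boots the database with authentication enabled.
        expect("wrong password after reboot", ";user=sa;password=wrongpwd", "08004");
        expect("unknown user after reboot", ";user=sa1;password=admin123", "08004");
        expect("valid credentials after reboot", ";user=sa;password=admin123", null);
        if (!allPassed) System.exit(1);
    }
}
```

The non-zero exit status on any FAIL line lets the check run as a deployment gate, so a database whose authentication settings were written but never activated by a reboot is caught before use.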


[jira] Closed: (DERBY-1711) In an embedded env, connection happens properly even when the password supplied is wrong.

Posted by "Francois Orsini (JIRA)" <de...@db.apache.org>.
     [ http://issues.apache.org/jira/browse/DERBY-1711?page=all ]

Francois Orsini closed DERBY-1711.
----------------------------------

    Resolution: Invalid

Closing as this is not a bug. Thanks Rajesh for producing the sample script.

I have created DERBY-1823 for the documentation issue, with respect to shutting down and rebooting the database in the provided extended samples where 'derby.connection.requireAuthentication' is being (re)set.
