You are viewing a plain text version of this content. The canonical link for it is here.
Posted to derby-dev@db.apache.org by "Knut Anders Hatlen (JIRA)" <ji...@apache.org> on 2008/05/22 11:23:56 UTC
[jira] Commented: (DERBY-3681) When authenticating a user at
connect time, verify that the user provided is not also a defined role
name.
[ https://issues.apache.org/jira/browse/DERBY-3681?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12598953#action_12598953 ]
Knut Anders Hatlen commented on DERBY-3681:
-------------------------------------------
Hi Dag,
The code in EmbedConnection looks good. One minor nit: @code{lcc} in the javadoc should have been {@code lcc}, I think. And, by the way, would it make sense to hide the version check in a helper method, for instance dd.supportsRoles()? I don't know how we usually check the dictionary version.
I'm not sure that the change in DriverManagerConnector is correct. Using the default user ensures that the DBO is the same regardless of whether the database was created in that test or not. Not sure if this matters to any of the tests, though, I just wanted to raise the issue.
In RolesTest, I think this code should be simplified:
+ Connection cn = null;
+ try {
+ // should work, not defined as a role yet
+ cn = openDefaultConnection("soonarole","whatever");
+ } finally {
+ try {
+ if (cn != null) {
+ cn.close();
+ }
+ } catch (SQLException e) {
+ }
+ }
As it is now, if openDefaultConnection() incorrectly returns null, it is silently ignored. Also, exceptions from cn.close() are swallowed. Couldn't it be replaced with this one-liner:
openDefaultConnection("soonarole", "whatever").close();
It's simpler, and it would fail on null values and SQLExceptions. (For readability, I would perhaps also have removed the finally clause in the try/finally near the end of testLoginWithUsernameWhichIsARole() too, but there it wouldn't have any effect on what is tested.)
> When authenticating a user at connect time, verify that the user provided is not also a defined role name.
> ----------------------------------------------------------------------------------------------------------
>
> Key: DERBY-3681
> URL: https://issues.apache.org/jira/browse/DERBY-3681
> Project: Derby
> Issue Type: Sub-task
> Components: Security
> Reporter: Dag H. Wanvik
> Assignee: Dag H. Wanvik
> Fix For: 10.5.0.0
>
> Attachments: derby-3681-1.diff, derby-3681-1.stat
>
>
> Although we try to avoid creating role that are not also valid Derby users (see DERBY-3673), we cannot
> in general know for sure that no such user exists; it could be added to derby.properties after
> the role has been created, authentication could be LDAP or user-defined, in which cases
> the check at role creation time will not work. So, in order to avoid collisions between user identifiers and role identifiers, we shoudl check at connect time that there is no role by same name as the supplied user name.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.