Posted to dev@geronimo.apache.org by de...@geronimo.apache.org on 2004/10/01 10:21:32 UTC

[jira] Created: (GERONIMO-342) Expose embedded Derby to network clients

Message:

  A new issue has been created in JIRA.

---------------------------------------------------------------------
View the issue:
  http://issues.apache.org/jira/browse/GERONIMO-342

Here is an overview of the issue:
---------------------------------------------------------------------
        Key: GERONIMO-342
    Summary: Expose embedded Derby to network clients
       Type: New Feature

     Status: Unassigned
   Priority: Major

    Project: Apache Geronimo

   Assignee: 
   Reporter: Jeremy Boynes

    Created: Fri, 1 Oct 2004 1:20 AM
    Updated: Fri, 1 Oct 2004 1:20 AM

Description:
Derby provides a network server that allows access from external clients as well as in-VM usage. We should integrate this as a GBean with exposed management attributes for network and port address. Some form of security might be in order too :)


---------------------------------------------------------------------
JIRA INFORMATION:
This message is automatically generated by JIRA.

If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa

If you want more information on JIRA, or have a bug to report see:
   http://www.atlassian.com/software/jira


[jira] Closed: (GERONIMO-342) Expose embedded Derby to network clients

Posted by "Dain Sundstrom (JIRA)" <de...@geronimo.apache.org>.
     [ http://issues.apache.org/jira/browse/GERONIMO-342?page=all ]
     
Dain Sundstrom closed GERONIMO-342:
-----------------------------------


> Expose embedded Derby to network clients
> ----------------------------------------
>
>          Key: GERONIMO-342
>          URL: http://issues.apache.org/jira/browse/GERONIMO-342
>      Project: Geronimo
>         Type: New Feature
>     Reporter: Jeremy Boynes
>     Assignee: Jeremy Boynes

>
> Derby provides a network server that allows access from external clients as well as in-VM usage. We should integrate this as a GBean with exposed management attributes for network and port address. Some form of security might be in order too :)



[jira] Resolved: (GERONIMO-342) Expose embedded Derby to network clients

Posted by de...@geronimo.apache.org.
Message:

   The following issue has been resolved as INCOMPLETE.

   Resolver: Jeremy Boynes
       Date: Fri, 1 Oct 2004 1:00 PM

Basic support added with host and port exposed.
Didn't do anything with security.
---------------------------------------------------------------------
View the issue:
  http://issues.apache.org/jira/browse/GERONIMO-342

Here is an overview of the issue:
---------------------------------------------------------------------
        Key: GERONIMO-342
    Summary: Expose embedded Derby to network clients
       Type: New Feature

     Status: Resolved
   Priority: Major
 Resolution: INCOMPLETE

    Project: Apache Geronimo

   Assignee: Jeremy Boynes
   Reporter: Jeremy Boynes

    Created: Fri, 1 Oct 2004 1:20 AM
    Updated: Fri, 1 Oct 2004 1:00 PM

Description:
Derby provides a network server that allows access from external clients as well as in-VM usage. We should integrate this as a GBean with exposed management attributes for network and port address. Some form of security might be in order too :)




[jira] Commented: (GERONIMO-342) Expose embedded Derby to network clients

Posted by "John Sisson (JIRA)" <de...@geronimo.apache.org>.
    [ http://issues.apache.org/jira/browse/GERONIMO-342?page=comments#action_12314116 ] 

John Sisson commented on GERONIMO-342:
--------------------------------------

Including mail conversation from Jan 2005 in relation to security issues.

Jeremy Boynes <jb...@apache.org> wrote on 31/01/2005 10:33:58 AM:

> sissonj@insession.com wrote:
> > Derby's DRDA (Distributed Relational Database Architecture) Network Server 
> > by default only listens for connections on the loopback address (which is 
> > a good default) and does not have authentication turned on.
> > Therefore on a multiuser O/S this level of security seems inadequate as 
> > any user on the localhost could connect to it using the DB2 Universal 
> > Connector (specifying any userid and password as it will be ignored by the 
> > server) and start creating databases/tables etc. 
> > 
> 
> Hmm - I thought that a username and password had to be supplied for a network connection.

Yes, the IBM JCC driver forces you to specify a userid and password, but 
the username and password are only validated on the server if 
authentication is turned on.  By default authentication is turned off. 
Also the username is used as the current schema for the connection.   See:

        http://incubator.apache.org/derby/manuals/develop/develop97.html

Also for authorization, by default users are given read/write access 
(fullAccess):

    http://incubator.apache.org/derby/manuals/develop/develop109.html

John

> 
> > Q1. Are there any plans on how a default Geronimo configuration would 
> > secure the embedded Derby Network Server?
> > 
> 
> At the moment we are relying on Derby database security. Ultimately I 
> hope to integrate that into the JACC authentication providers used by 
> the rest of the container, and have a dream at some point of integrating 
> Derby's authorization with the JACC policy provider.
> 
> > Q2. What would be the best way to restrict the remote IP addresses that 
> > Derby will accept connections from (e.g. particular IP addresses)? Should 
> > a policy file be used and passed to the JVM when starting Geronimo (see 
> > http://incubator.apache.org/derby/manuals/admin/hubprnt30.html ) or is 
> > there a better way for Geronimo?
> 
> I haven't looked at that.
> 
> > Q3. Should we have some simple authentication enabled by shipping a sample 
> > geronimo\var\derby\derby.properties file that has something like the 
> > following?
> > 
> > #
> > #Security settings
> > #
> > derby.connection.requireAuthentication=true
> > derby.authentication.provider=BUILTIN
> > #
> > # User and password list for Derby BUILTIN authentication provider
> > #
> > derby.user.system=manager
> > derby.user.myapp=myapppswd
> > 
> 
> I would prefer not to and at least integrate with the user/password 
> realm we use for securing JMX remoting - that would mean in the default 
> case the usernames/passwords would be the same. Of course, an admin 
> could also set up a separate realm for the database.
> 
> --
> Jeremy
> 
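
An added example (not part of the original thread and not Geronimo or Derby code): a small Python audit of derby.properties text for the defaults discussed above (authentication off, fullAccess for all users, listener address). derby.database.defaultConnectionMode and derby.drda.host are Derby properties not named in the thread; the sample files, the finding codes and the simplified parser are constructed for illustration.

```python
# Added example: audit derby.properties text for the defaults discussed above.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: nothing security-related is set, so Derby defaults apply.
DEFAULTS_ONLY = "# constructed sample\nderby.drda.portNumber=1527\n"

# Constructed sample: the thread's fragment plus an all-interfaces listener
# and a restrictive default connection mode; the password is a placeholder.
EXPOSED_WITH_AUTH = """\
derby.drda.host=0.0.0.0
derby.connection.requireAuthentication=true
derby.authentication.provider=BUILTIN
derby.database.defaultConnectionMode=noAccess
derby.database.fullAccessUsers=myapp
derby.user.myapp=PLACEHOLDER
"""


def parse_properties(text):
    """Minimal key=value parser (assumption: no continuations or escapes)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def audit(text):
    """Return finding codes for one derby.properties text."""
    p = parse_properties(text)
    findings = []
    if p.get("derby.connection.requireAuthentication", "false").lower() != "true":
        findings.append("AUTH_OFF")  # any userid/password is accepted
    mode = p.get("derby.database.defaultConnectionMode", "fullAccess").lower()
    if mode == "fullaccess":
        findings.append("DEFAULT_FULL_ACCESS")  # every user gets read/write
    if p.get("derby.drda.host", "localhost").lower() not in LOOPBACK:
        findings.append("NON_LOOPBACK_LISTENER")
    if any(k.startswith("derby.user.") for k in p):
        findings.append("CLEARTEXT_USER_ENTRIES")  # passwords readable in the file
    return findings


if __name__ == "__main__":
    for name, sample in [("defaults", DEFAULTS_ONLY), ("exposed", EXPOSED_WITH_AUTH)]:
        print(name, audit(sample))
```
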
