Posted to derby-dev@db.apache.org by "Daniel John Debrunner (JIRA)" <ji...@apache.org> on 2007/05/31 18:19:15 UTC

[jira] Created: (DERBY-2736) Connecting with an invalid user identifier performs authentication before rejecting the connection.

Connecting with an invalid user identifier performs authentication before rejecting the connection.
---------------------------------------------------------------------------------------------------

                 Key: DERBY-2736
                 URL: https://issues.apache.org/jira/browse/DERBY-2736
             Project: Derby
          Issue Type: Bug
          Components: Security
    Affects Versions: 10.2.2.0, 10.2.1.6, 10.1.3.1, 10.1.2.1, 10.1.1.0, 10.0.2.1, 10.0.2.0, 10.3.0.0
            Reporter: Daniel John Debrunner
            Priority: Minor


Ideally no authentication attempt should be made because the user identifier is invalid.
E.g. with this URL

jdbc:derby:db1;user=123

the connection attempt will correctly fail but only after the authentication mechanism is called.

If the application has installed its own UserAuthenticator class then that class will be called with an invalid identifier.
I believe that the connection request should fail before calling any authentication; developers should only be required
to handle valid identifiers.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
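
Added example (not part of the original report and not Derby project code): a custom UserAuthenticator that checks the user identifier itself before touching any credential store, since on the affected versions it is called even for user=123. The class name, the sample credential map and the identifier pattern are assumptions; the pattern approximates Derby's ordinary-identifier rule, and this sketch deliberately does not accept delimited (double-quoted) identifiers.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.sql.SQLException;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.regex.Pattern;
import org.apache.derby.authentication.UserAuthenticator;

public class ValidatingAuthenticator implements UserAuthenticator {

    // Assumed approximation of an ordinary identifier: a letter, then
    // letters, digits or underscores, at most 128 characters in total.
    private static final Pattern ORDINARY =
            Pattern.compile("\\p{L}[\\p{L}\\p{Nd}_]{0,127}");

    // Constructed sample store; a real one would hold salted password hashes.
    private static final Map<String, String> USERS =
            Map.of("APP", "constructed-secret");

    static boolean isValidIdentifier(String name) {
        return name != null && ORDINARY.matcher(name).matches();
    }

    @Override
    public boolean authenticateUser(String userName, String userPassword,
                                    String databaseName, Properties info)
            throws SQLException {
        // Validate first: a malformed name must never reach a lookup,
        // an LDAP filter, a log line or any other backend.
        if (!isValidIdentifier(userName) || userPassword == null) {
            return false;
        }
        // Ordinary identifiers are case-insensitive, so normalize to upper case.
        String expected = USERS.get(userName.toUpperCase(Locale.ROOT));
        return expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                userPassword.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws SQLException {
        UserAuthenticator auth = new ValidatingAuthenticator();
        // "123" is the identifier from the report; the others are constructed.
        for (String user : new String[] {"123", "app", "nobody"}) {
            System.out.println(user + " -> " + auth.authenticateUser(
                    user, "constructed-secret", "db1", new Properties()));
        }
    }
}
```

Compiling and running this requires derby.jar on the classpath for the UserAuthenticator interface.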


[jira] Updated: (DERBY-2736) Connecting with an invalid user identifier performs authentication before rejecting the connection.

Posted by "Rick Hillegas (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-2736?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rick Hillegas updated DERBY-2736:
---------------------------------

    Issue & fix info: [Newcomer, Repro attached]
             Urgency: Normal

Triaged for 10.5.2: assigned normal urgency, noted that repro is available, recommended to newcomers.

> Connecting with an invalid user identifier performs authentication before rejecting the connection.
> ---------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2736
>                 URL: https://issues.apache.org/jira/browse/DERBY-2736
>             Project: Derby
>          Issue Type: Bug
>          Components: Services
>    Affects Versions: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.2.1, 10.1.3.1, 10.2.1.6, 10.2.2.0, 10.3.1.4
>            Reporter: Daniel John Debrunner
>            Priority: Minor
>
> Ideally no authentication attempt should be made because the user identifier is invalid.
> E.g. with this URL
> jdbc:derby:db1;user=123
> the connection attempt will correctly fail but only after the authentication mechanism is called.
> If the application has installed its own UserAuthenticator class then that class will be called with an invalid identifier.
> I believe that the connection request should fail before calling any authentication; developers should only be required
> to handle valid identifiers.



[jira] Updated: (DERBY-2736) Connecting with an invalid user identifier performs authentication before rejecting the connection.

Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/DERBY-2736?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik updated DERBY-2736:
---------------------------------

    Component/s: Services

> Connecting with an invalid user identifier performs authentication before rejecting the connection.
> ---------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-2736
>                 URL: https://issues.apache.org/jira/browse/DERBY-2736
>             Project: Derby
>          Issue Type: Bug
>          Components: Services
>    Affects Versions: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.2.1, 10.1.3.1, 10.2.1.6, 10.2.2.0, 10.3.1.4
>            Reporter: Daniel John Debrunner
>            Priority: Minor
>
> Ideally no authentication attempt should be made because the user identifier is invalid.
> E.g. with this URL
> jdbc:derby:db1;user=123
> the connection attempt will correctly fail but only after the authentication mechanism is called.
> If the application has installed its own UserAuthenticator class then that class will be called with an invalid identifier.
> I believe that the connection request should fail before calling any authentication; developers should only be required
> to handle valid identifiers.
