You are viewing a plain text version of this content. The canonical link for it is here.
Posted to derby-dev@db.apache.org by "Daniel John Debrunner (JIRA)" <ji...@apache.org> on 2007/05/31 18:19:15 UTC
[jira] Created: (DERBY-2736) Connecting with an invalid user
identifier performs authentication before rejecting the connection.
Connecting with an invalid user identifier performs authentication before rejecting the connection.
---------------------------------------------------------------------------------------------------
Key: DERBY-2736
URL: https://issues.apache.org/jira/browse/DERBY-2736
Project: Derby
Issue Type: Bug
Components: Security
Affects Versions: 10.2.2.0, 10.2.1.6, 10.1.3.1, 10.1.2.1, 10.1.1.0, 10.0.2.1, 10.0.2.0, 10.3.0.0
Reporter: Daniel John Debrunner
Priority: Minor
Ideally no authentication attempt should be made because the user identifier is invalid.
E.g. with this URL
jdbc:derby:db1;user=123
the connection attempt will correctly fail but only after the authentication mechanism is called.
If the application has installed its own UserAuthenticator class then that class will be called with an invalid identifier.
I believe that the connection request should fail before calling any authentication, developers should only be required
to handle valid identifiers.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (DERBY-2736) Connecting with an invalid user
identifier performs authentication before rejecting the connection.
Posted by "Rick Hillegas (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DERBY-2736?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rick Hillegas updated DERBY-2736:
---------------------------------
Issue & fix info: [Newcomer, Repro attached]
Urgency: Normal
Triaged for 10.5.2: assigned normal urgency, noted that repro is available, recommended to newcomers.
> Connecting with an invalid user identifier performs authentication before rejecting the connection.
> ---------------------------------------------------------------------------------------------------
>
> Key: DERBY-2736
> URL: https://issues.apache.org/jira/browse/DERBY-2736
> Project: Derby
> Issue Type: Bug
> Components: Services
> Affects Versions: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.2.1, 10.1.3.1, 10.2.1.6, 10.2.2.0, 10.3.1.4
> Reporter: Daniel John Debrunner
> Priority: Minor
>
> Ideally no authentication attempt should be made because the user identifier is invalid.
> E.g. with this URL
> jdbc:derby:db1;user=123
> the connection attempt will correctly fail but only after the authentication mechanism is called.
> If the application has installed its own UserAuthenticator class then that class will be called with an invalid identifier.
> I believe that the connection request should fail before calling any authentication, developers should only be required
> to handle valid identifiers.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (DERBY-2736) Connecting with an invalid user
identifier performs authentication before rejecting the connection.
Posted by "Dag H. Wanvik (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/DERBY-2736?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dag H. Wanvik updated DERBY-2736:
---------------------------------
Component/s: Services
> Connecting with an invalid user identifier performs authentication before rejecting the connection.
> ---------------------------------------------------------------------------------------------------
>
> Key: DERBY-2736
> URL: https://issues.apache.org/jira/browse/DERBY-2736
> Project: Derby
> Issue Type: Bug
> Components: Services
> Affects Versions: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.2.1, 10.1.3.1, 10.2.1.6, 10.2.2.0, 10.3.1.4
> Reporter: Daniel John Debrunner
> Priority: Minor
>
> Ideally no authentication attempt should be made because the user identifier is invalid.
> E.g. with this URL
> jdbc:derby:db1;user=123
> the connection attempt will correctly fail but only after the authentication mechanism is called.
> If the application has installed its own UserAuthenticator class then that class will be called with an invalid identifier.
> I believe that the connection request should fail before calling any authentication, developers should only be required
> to handle valid identifiers.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.