Posted to derby-user@db.apache.org by Rick Hillegas <Ri...@Sun.COM> on 2007/06/04 23:13:08 UTC

security-related incompatibility to be introduced by Derby 10.3

The upcoming release of Derby 10.3 will make networked configurations 
safer by installing a Java security manager if the user forgets to 
install one. This will happen only if the user boots the network server 
without installing a security manager. As a result, it will be harder 
for hackers to corrupt multi-user applications and shared machines. A 
new command line option will turn off this default behavior. If the 
disabling command line option is specified, then the network server will 
boot without installing a security manager just as it does today in 
release 10.2.

This added security introduces some incompatibilities between 10.3 and 
the previous 10.2 release:

1) Application startup may run a little slower as Derby performs initial 
access checks on referenced tables.

2) SecurityExceptions may occur if user-written functions and procedures 
perform sensitive operations such as file I/O and system property 
manipulation.

For more information on this security enhancement, please see the 
release note attached to http://issues.apache.org/jira/browse/DERBY-2757

Please speak up if you think that these incompatibilities will be 
intolerable.

Thanks,
-Rick
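
The following is an added example, not part of the original post and not Derby project code. It shows the standard Java pattern for a user-written routine that does file I/O once a security manager is installed (point 2 above): a privileged block plus a policy grant for the routine's own jar. The class name, method name, jar location and log path are all constructed for illustration.

```java
import java.io.FileWriter;
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Hypothetical user-written routine class; every name and path here is constructed.
// Policy entry the routine's jar would need (standard Java policy file syntax):
//   grant codeBase "file:/opt/app/lib/audit-procs.jar" {
//     permission java.io.FilePermission "/var/log/app/audit.log", "write";
//   };
public final class AuditProcs {
    // Fixed path: SQL callers cannot steer where the privileged write lands.
    private static final String LOG_PATH = "/var/log/app/audit.log";

    private AuditProcs() {}

    // Public static method, the shape a Java routine called from SQL takes.
    public static void writeAuditLine(final String line) throws IOException {
        try {
            // Without doPrivileged, the permission check walks the whole call
            // stack and fails if any caller's code source lacks the permission.
            // doPrivileged stops the walk at this frame, so only this class's
            // jar needs the FilePermission granted above.
            AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
                public Void run() throws IOException {
                    try (FileWriter w = new FileWriter(LOG_PATH, true)) {
                        w.write(line + System.lineSeparator());
                    }
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            // Only checked exceptions are wrapped; here that can only be IOException.
            throw (IOException) e.getException();
        }
        // A missing policy grant surfaces as an unchecked SecurityException,
        // which propagates to the caller unwrapped.
    }
}
```

Keep the privileged block as small as the sensitive operation itself, and grant the narrowest permission (one file, one action) rather than a directory-wide or all-files grant.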