Posted to derby-commits@db.apache.org by ka...@apache.org on 2010/03/25 13:31:56 UTC
svn commit: r927368 - in /db/derby/code/trunk/java:
engine/org/apache/derby/iapi/reference/
engine/org/apache/derby/impl/sql/catalog/
testing/org/apache/derbyTesting/functionTests/tests/derbynet/
testing/org/apache/derbyTesting/functionTests/tests/jdbc...
Author: kahatlen
Date: Thu Mar 25 12:31:56 2010
New Revision: 927368
URL: http://svn.apache.org/viewvc?rev=927368&view=rev
Log:
DERBY-4483: Provide a way to change the hash algorithm used by BUILTIN authentication
Make fresh databases use the new authentication scheme with SHA-256 by default.
Modified:
db/derby/code/trunk/java/engine/org/apache/derby/iapi/reference/Property.java
db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/NSSecurityMechanismTest.java
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/jdbcapi/AuthenticationTest.java
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/upgradeTests/Changes10_6.java
Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/reference/Property.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/reference/Property.java?rev=927368&r1=927367&r2=927368&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/reference/Property.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/reference/Property.java Thu Mar 25 12:31:56 2010
@@ -718,6 +718,13 @@ public interface Property {
public static final String AUTHENTICATION_BUILTIN_ALGORITHM =
"derby.authentication.builtin.algorithm";
+ /**
+ * Default value for derby.authentication.builtin.algorithm when creating
+ * a new database.
+ */
+ public static final String AUTHENTICATION_BUILTIN_ALGORITHM_DEFAULT =
+ "SHA-256";
+
/*
** Log
*/
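Review bot: The Javadoc on `AUTHENTICATION_BUILTIN_ALGORITHM_DEFAULT` says when the value is used but not what kind of value it is or what it protects against. Presumably the string is a message digest algorithm name that the running JVM must supply; if so, the comment should say that, and say that existing databases keep whatever they already have. A single pass of a fast digest such as SHA-256 is cheap to attack offline if the stored tokens leak, and this hunk does not show whether the scheme adds a salt or iterations. I would extend the comment with something like `Must name a message digest available in the JVM. Applied only at database creation; does not by itself add a salt or a work factor.`, adjusted to what the scheme actually does.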
Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java?rev=927368&r1=927367&r2=927368&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/sql/catalog/DataDictionaryImpl.java Thu Mar 25 12:31:56 2010
@@ -761,6 +761,13 @@ public final class DataDictionaryImpl
bootingTC.setProperty(Property.SQL_AUTHORIZATION_PROPERTY,"true",true);
usesSqlAuthorization=true;
}
+
+ // Set default hash algorithm used to protect passwords stored
+ // in the database for BUILTIN authentication.
+ bootingTC.setProperty(
+ Property.AUTHENTICATION_BUILTIN_ALGORITHM,
+ Property.AUTHENTICATION_BUILTIN_ALGORITHM_DEFAULT,
+ false);
} else {
// Get the ids for non-core tables
loadDictionaryTables(bootingTC, ddg, startParams);
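Review bot: The new `setProperty` call passes `false` as its last argument while the `SQL_AUTHORIZATION_PROPERTY` call a few lines above passes `true`, and the added comment does not explain the difference. If that argument is the database-only flag, then a system-wide setting of `derby.authentication.builtin.algorithm` could take precedence over the stored default, including a weaker or empty value, which matters for a property that decides how passwords are protected. I would add a line such as `// Not database-only: a system-wide setting of this property may override this default.`, or pass `true` if an override is not intended. The enclosing if/else starts outside the hunk, so I cannot see whether the algorithm's availability is checked before the default is written.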
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/NSSecurityMechanismTest.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/NSSecurityMechanismTest.java?rev=927368&r1=927367&r2=927368&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/NSSecurityMechanismTest.java (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/NSSecurityMechanismTest.java Thu Mar 25 12:31:56 2010
@@ -1106,7 +1106,9 @@ public class NSSecurityMechanismTest ext
*
* We want to test a combination of USRSSBPWD with BUILTIN as password
* substitute is only supported with NONE or BUILTIN Derby authentication
- * scheme right now (DERBY-528).
+ * scheme right now (DERBY-528). Also, it doesn't work if passwords are
+ * hashed with the configurable hash authentication scheme (DERBY-4483)
+ * before they are stored in the database, so we'll need to disable that.
*
* @throws Exception if there an unexpected error
*/
@@ -1122,6 +1124,12 @@ public class NSSecurityMechanismTest ext
CallableStatement cs = conn.prepareCall(
"CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(?, ?)");
+ // First, disable the configurable hash authentication scheme so that
+ // passwords are stored using the old hash algorithm.
+ cs.setString(1, "derby.authentication.builtin.algorithm");
+ cs.setString(2, null);
+ cs.execute();
+
cs.setString(1, "derby.user.neelima");
cs.setString(2, "lee");
cs.execute();
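Review bot: The added block sets `derby.authentication.builtin.algorithm` to null for the whole database, and nothing visible in the hunk restores it or confirms that the change took effect. The method continues outside the hunk, so a restore may exist further down. If it does not, any later test sharing this database would silently store passwords with the old scheme. I would either restore the previous value in a `finally` block or add a comment stating that the database is used by this test only, for example `// Database is private to this test, so the property is not restored.`.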
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/jdbcapi/AuthenticationTest.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/jdbcapi/AuthenticationTest.java?rev=927368&r1=927367&r2=927368&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/jdbcapi/AuthenticationTest.java (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/jdbcapi/AuthenticationTest.java Thu Mar 25 12:31:56 2010
@@ -116,6 +116,9 @@ public class AuthenticationTest extends
test = new AuthenticationTest("testSystemShutdown");
setBaseProps(suite, test);
+ test = new AuthenticationTest("testDefaultHashAlgorithm");
+ setBaseProps(suite, test);
+
// The test cases below test the configurable hash authentication
// mechanism added in DERBY-4483. Set the property that specifies the
// hash algorithm to some valid value for these tests. Not all tests
@@ -1098,6 +1101,15 @@ public class AuthenticationTest extends
}
/**
+ * DERBY-4483: Test that the database by default has the configurable
+ * hash authentication scheme enabled.
+ */
+ public void testDefaultHashAlgorithm() throws SQLException {
+ // SHA-256 should be the default hash algorithm now
+ assertEquals("SHA-256", getDatabaseProperty(BUILTIN_ALGO_PROP));
+ }
+
+ /**
* DERBY-4483: Test that setting the property
* {@code derby.authentication.builtin.algorithm} changes which hash
* algorithm is used to protect the stored password token.
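Review bot: `testDefaultHashAlgorithm` compares against the literal `"SHA-256"` rather than `Property.AUTHENTICATION_BUILTIN_ALGORITHM_DEFAULT`. That is the right choice for a test meant to fail if the default is ever changed or weakened, but the comment does not say so, and a later cleanup could swap in the constant and make the assertion always true. I would reword the inline comment to `// Literal on purpose: the test must fail if the shipped default changes.`. The test checks only the property value; whether a newly stored password actually uses the new scheme is presumably covered by the test that follows, which is outside this hunk.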
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/upgradeTests/Changes10_6.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/upgradeTests/Changes10_6.java?rev=927368&r1=927367&r2=927368&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/upgradeTests/Changes10_6.java (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/upgradeTests/Changes10_6.java Thu Mar 25 12:31:56 2010
@@ -70,7 +70,10 @@ public class Changes10_6 extends Upgrade
private static final String CREATE_TYPE_DDL = "create type fooType external name 'mypackage.foo' language java\n";
private static final String DROP_TYPE_DDL = "drop type fooType restrict\n";
-
+
+ private static final String HASH_ALGORITHM_PROPERTY =
+ "derby.authentication.builtin.algorithm";
+
public Changes10_6(String name) {
super(name);
}
@@ -321,6 +324,18 @@ public class Changes10_6 extends Upgrade
}
/**
+ * Verify that we don't enable the configurable hash authentication
+ * scheme when we upgrade a database. See DERBY-4483.
+ */
+ public void testBuiltinAuthenticationHashNotChangedOnUpgrade()
+ throws SQLException {
+ // We enable the configurable hash authentication scheme by setting
+ // a property, so check that it's NULL in all phases to verify that
+ // it's not enabled on upgrade.
+ assertNull(getDatabaseProperty(HASH_ALGORITHM_PROPERTY));
+ }
+
+ /**
* Make sure builtin authentication only uses the new configurable hash
* scheme in hard-upgraded databases. See DERBY-4483.
*/
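Review bot: The Javadoc on `testBuiltinAuthenticationHashNotChangedOnUpgrade` states what is asserted but not the consequence an administrator needs to know. Because the property stays NULL in every phase, an upgraded database appears to remain on the old hash scheme until someone sets the property explicitly, and stored passwords are presumably not re-hashed until they are next set. I would add one sentence to the Javadoc, such as `Upgraded databases therefore keep the old scheme until the property is set explicitly.`, so that the test documents the behaviour it pins.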
@@ -418,7 +433,7 @@ public class Changes10_6 extends Upgrade
for (int i = 0; i < USERS.length; i++) {
// Use the specified algorithm, if possible. (Will be ignored if
// the data dictionary doesn't support the new scheme.)
- cs.setString(1, "derby.authentication.builtin.algorithm");
+ cs.setString(1, HASH_ALGORITHM_PROPERTY);
cs.setString(2, USERS[i][2]);
cs.execute();
// Set the password.