You are viewing a plain text version of this content. The canonical link for it is here.

Posted to derby-user@db.apache.org by Andrew Shuttlewood <an...@futureroute.co.uk> on 2005/04/11 11:07:21 UTC

Server questions

At the moment we are using Derby in a purely embedded way, and it's
working very well for us. We wish to begin to use it as a network server
as well as an embedded one, so I have a few questions which I can't
quite discern from the documentation.

Firstly, is it possible to authenticate server connections differently
from embedded connections? I wish embedded connections to have
substantially more rights than the network connections, and be able to
deny access to databases and restrict to read-only rights to the
network.

I am willing to modify the code if necessary, but obviously this creates
significant complexity if I do have to do it.

Secondly, we would like to ship the db2 jars for derby access along with
our (commercial) application. Is this permitted by the license agreement
- or do we have to seek a special license with IBM?

I am not against writing my own code or modifying derby as is necessary,
but equally, I would rather not as it creates a maintenance burden to
us.

Re: Server questions

Posted by Daniel John Debrunner <dj...@debrunners.com>.

Andrew Shuttlewood wrote:

> Firstly, is it possible to authenticate server connections differently
> from embedded connections? I wish embedded connections to have
> substantially more rights than the network connections, and be able to
> deny access to databases and restrict to read-only rights to the
> network.

Technically yes for authentication, Derby supports application defined
authentication by the application implementing a Java class
(org.apache.derby.authentication.UserAuthenticator) that implements a
Derby interface.

See

http://incubator.apache.org/derby/manuals/tuning/perf68.html#HDRSII-PROPER-13766

http://incubator.apache.org/derby/manuals/develop/develop92.html#Header_161

Also this presentation may be useful

http://incubator.apache.org/derby/binaries/djd_derby_security.pdf

A connection request from the network server will include the property
drdaID while an embedded connection will not. So you could have a Java
class that implemented UserAuthenticator, performed authentication and
based some of its decision making on the presence of the drdaID property.
[I think this is correct, you probably need to check that the drdaID
property is not present on an embedded request]

This is only for authentication, ie. can the connection request be made
to the database or not. For authorization, limiting what a authenticated
connection can do, you are maybe more limited. Derby supports limited
authorization at the moment, no access, read-only or read-write. You
could look at the scheme and see if it could handle what you need.

Dan.

Re: Server questions

Posted by Andrew Shuttlewood <an...@futureroute.co.uk>.

On Mon, 2005-04-11 at 11:09 -0700, Kathy Saunders wrote:
> Andrew Shuttlewood wrote:
> 
> >
> >Secondly, we would like to ship the db2 jars for derby access along with
> >our (commercial) application. Is this permitted by the license agreement
> >- or do we have to seek a special license with IBM?
> >
> >  
> >
> I'm assuming that you are talking about the DB2 Universal JDBC driver 
> which provides the JDBC client for the network server.  If so, there is 
> an IBM license included with the download from IBM that allows you to 
> redistribute the DB2 Universal JDBC Driver free of charge; it does cover 
> you for a commercial product.  Having said that, I'm not a laywer, so 
> you should review the license with your lawyer and make sure it meets 
> your needs.

Ahh, okay. The license agreement struck me as rather impenetrable
compared to most open source licenses - especially the bits where
elements of the license are changed depending on which country you are
in!

I will try and get it fed through to the people who deal with license
evaluation.

Re: Server questions

Posted by Kathy Saunders <ka...@mtrad.com>.

Andrew Shuttlewood wrote:

>
>Secondly, we would like to ship the db2 jars for derby access along with
>our (commercial) application. Is this permitted by the license agreement
>- or do we have to seek a special license with IBM?
>
>  
>
I'm assuming that you are talking about the DB2 Universal JDBC driver 
which provides the JDBC client for the network server.  If so, there is 
an IBM license included with the download from IBM that allows you to 
redistribute the DB2 Universal JDBC Driver free of charge; it does cover 
you for a commercial product.  Having said that, I'm not a laywer, so 
you should review the license with your lawyer and make sure it meets 
your needs.

Regards,
Kathy