[ http://issues.apache.org/jira/browse/DERBY-528?page=comments#action_12426718 ] Sunitha Kambhampati commented on DERBY-528: -------------------------------------------
I looked at the v4 patch. Thanks Francois for taking care of all my comments and for taking the effort to clean up the spurious diffs. The patch applies cleanly. If you or Rick can take care of #1, I vote +1 for commit of the v4 patch. The other comments are very minor and can be taken care of as a separate followon patch. 1)There are actually no real changes in dataSourcePermissions_net.java and this file should not be committed. 2)testSecMec.java First, thanks for the addition of the new testcase. --In the testUSRSSBPWD_with_BUILTIN(), the case here "USRSSBPWD + BUILTIN (T0)" seems to suggest that builtin authentication is used, but at this point the builtin authentication wont happen as you also mention in the comment. It would be good to update it. + // Shutdown 'wombat' database for BUILTIN + // authentication to take effect the next time it is + // booted - derby.connection.requireAuthentication is a + // static property. + getConnectionUsingDriverManager(getJDBCUrl( + "wombat","user=neelima;password=lee;shutdown=true;securityMechanism=" + + SECMEC_USRSSBPWD),"USRSSBPWD + BUILTIN (T0):"); + -- Comment needs to be fixed. + + // Turn on BUILTIN authentication <------- + cs = conn.prepareCall( + "CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(?, ?)"); + + cs.setString(1, "derby.connection.requireAuthentication"); + cs.setString(2, "false"); --------------------------- I agree with your responses for #c and #4 in your previous comment to filing jiras for the issues found. Thanks for the great work. Sunitha. > Support for DRDA Strong User ID and Password Substitute Authentication > (USRSSBPWD) scheme > ----------------------------------------------------------------------------------------- > > Key: DERBY-528 > URL: http://issues.apache.org/jira/browse/DERBY-528 > Project: Derby > Issue Type: New Feature > Components: Security > Affects Versions: 10.1.1.0 > Reporter: Francois Orsini > Assigned To: Francois Orsini > Fix For: 10.2.0.0 > > Attachments: 528_diff_v1.txt, 528_diff_v2.txt, 528_diff_v3.txt, > 528_diff_v4.txt, 528_SecMec_Testing_Table.txt, 528_stat_v1.txt, > 528_stat_v2.txt, 528_stat_v3.txt, 528_stat_v4.txt > > > This JIRA will add support for (DRDA) Strong User ID and Password Substitute > Authentication (USRSSBPWD) scheme in the network client/server driver layers. > Current Derby DRDA network client driver supports encrypted userid/password > (EUSRIDPWD) via the use of DH key-agreement protocol - however current Open > Group DRDA specifications imposes small prime and base generator values (256 > bits) that prevents other JCE's to be used as java cryptography providers - > typical minimum security requirements is usually of 1024 bits (512-bit > absolute minimum) when using DH key-agreement protocol to generate a session > key. > Strong User ID and Password Substitute Authentication (USRSSBPWD) is part of > DRDA specifications as another alternative to provide ciphered passwords > across the wire. > Support of USRSSBPWD authentication scheme will enable additional JCE's to > be used when encrypted passwords are required across the wire. > USRSSBPWD authentication scheme will be specified by a Derby network client > user via the securityMechanism property on the connection UR - A new property > value such as ENCRYPTED_PASSWORD_SECURITY will be defined in order to support > this new (DRDA) authentication scheme. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira
