Rick Hillegas wrote:
> 2) What behavior would we like to see in 10.3 when we control engine
> shutdown with Java Security?
> I think we need to prevent unauthorized users from bringing down the
> network server. I wonder if there is much difference between the power
> to shut down the engine and the power to shut down the network server? It
> makes sense to me that if you don't have the weaker power to shut down
> the engine, then you should not have the stronger power to shut down the
> whole server. Which of the following behaviors seems best:
> i) You cannot shut down the network server if the engine is still running
> and/or databases are still open. Instead, first you must connect with
> the engine shutdown url and good credentials as a user who has Shutdown
> privilege. Once you have brought down the engine this way, then you can
> bring down the network server.
It seems a bit cumbersome for a system administrator to have to connect
to every database before shutting down the server.
> ii) Network server shutdown needs to require credentials, which can then
> be forwarded to the server. If the user authenticates and has Shutdown
> privilege, then the server will come down regardless of whether the
> engine is up and there are open databases. If the user does not have
> Shutdown privilege, then the operation will fail.
I think it is fair to assume that if a person is authorized to shut down
the server, he/she is also authorized to shut down the databases. In
other words, I vote for this alternative.
--
Øystein