Dag H. Wanvik wrote:
Working on DERBY-2264, I notice (again) that booting a database is not protected in any way. Currently, even when authentication (derby.connection.requireAuthentication) is turned on, any user can leave the database in a booted state: If not already booted, the database potentially needs to be booted to authenticate. However, if authentication fails, the database is not shut down again. Thus, an invalid user is allowed to change the database state. I think this is somewhat surprising for an end user. Is there a reason for this behavior? If not, I will file a JIRA for fixing it.
Not sure there's a reason for the behaviour, but I'm not sure the fix is obvious.
1) If a boot with failed authentication shuts the database down, then at least it has to ensure that no valid user has connected to it since it was booted.
2) Having such a request shut down the database might actually increase the potential of a denial of service attack. More work would be performed for an invalid request, thus consuming more CPU time on the machine.
3) Which "end-user" do you mean above? A remote user can't tell whether the database was booted or not, so it's not surprising to them. :-)
Dan.
