Hi Francois, thanks for your reply. Please (also) see my reply to Dan.
Francois Orsini <[EMAIL PROTECTED]> writes:

> Not sure I understand this completely - What do you mean by "Thus, an
> invalid user is allowed to change the database state"? if the database is

I meant the boot state, which may be significant for a dba.

> booted and left opened, it still requires users to authenticate to get a
> valid connection to it, _if_ derby.connection.requireAuthentication was set
> to true. The database can stay open as it is required to be online so that
> user authentication works...Yes, we could shut it down again if it was not
> being booted before *but* then one also has to handle the possibility of
> concurrent user authentication requests and if the first one requiring the
> db to be booted in the first place, should we shut it down then? I mean yes
> we could do and try such a thing but it's not like the database data are
> being made available since no invalid user will be able to authenticate
> anyway...This is *not* a denial-of-service attack - Again, the db data is
> not made available to invalid user(s)...

Dag
