[ https://issues.apache.org/jira/browse/DERBY-2470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12484573 ]
Dag H. Wanvik commented on DERBY-2470: -------------------------------------- Discussed this issue a bit with Rick off line, and came to the conclusion that this action should probably be protected by system privileges. The reasoning is as follows: a) If there is no database at the url location, this is really a create database operation. b) if there is an existing database in the url location, the operation involves more than a single database: Only the latter seems the right scope for database level privileges. If one did consider checking against database level (owner) privileges, which database image should determine the ownership of the database, the backup or the url image? (While we can not change ownership right now, that might change.) It seems cleaner to me to make this a system level privilege (DERBY-2109). Linking this issue to DERBY-2109 for reference. > No authentication required to restore a backup > ---------------------------------------------- > > Key: DERBY-2470 > URL: https://issues.apache.org/jira/browse/DERBY-2470 > Project: Derby > Issue Type: Bug > Components: Security > Affects Versions: 10.2.2.0 > Environment: Java 1.6.0-b105 > Linux 2.6.20 i686 > Reporter: Juha Heljoranta > > My Derby has following properties set: > derby.connection.requireAuthentication=true > derby.authentication.provider=BUILTIN > derby.database.defaultConnectionMode=noAccess > derby.database.fullAccessUsers=foo > derby.user.foo=bar > If I'll execute a restore statement from ij the backup will be restored plus > it gives an authentication error: > ij> connect 'jdbc:derby:sample;restoreFrom=backup1'; > ERROR 08004: Connection refused : Invalid authentication > If I add the user and password arguments to the url then the restore works as > before without the error message. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.