[ https://issues.apache.org/jira/browse/DERBY-3014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12569000#action_12569000 ]

Daniel John Debrunner commented on DERBY-3014:
----------------------------------------------

In the patch this code:

 key.substring(0,11).equals("derby.user.")

really means "does the key start with "derby.user."?". Java's String class already has 
a method that implements this, 'startsWith',

thus the code can be simplified to

  key.startsWith("derby.user.")

With Java it's good to read the javadoc of any classes you are using, typically 
any functionality you need already exists.

Then software projects usually have defined constants for any literals they 
need (e.g. Strings and ints). This has several benefits: changing the value of 
the constant requires a change in one place; a defined constant provides more 
information than just the literal (e.g. READ_COMMITTED instead of 2) when used; 
finding out which code depends on the constant can be a search on the defined 
constant instead of the value. Imagine trying to find all code that depended 
on the literal 2 when 2 might represent different concepts in different 
contexts; searching for READ_COMMITTED is much easier.

So in the class org.apache.derby.iapi.reference.Property a defined constant 
already exists: USER_PROPERTY_PREFIX, which then changes the code to:

key.startsWith(Property.USER_PROPERTY_PREFIX)

There are a couple of ways to find such constants:
  - search through the code and thus gain some more understanding of the code
  - ask a question on derby-dev, folks will be happy to point others in the 
right direction
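The two points above (prefer startsWith over substring, and prefer the named constant) put together in a small stand-alone illustration; this is added example code, not Derby's own, and the UserPropertyFilter class, its store and the sample values are hypothetical:

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not Derby's code: a property store that hides the
// values kept under derby.user.<name>, as DERBY-3014 asks of
// SYSCS_GET_DATABASE_PROPERTY.
public class UserPropertyFilter {
    // Stands in for org.apache.derby.iapi.reference.Property.USER_PROPERTY_PREFIX;
    // the value is the literal the patch compared against.
    static final String USER_PROPERTY_PREFIX = "derby.user.";

    private final Map<String, String> props = new HashMap<>();

    void set(String key, String value) { props.put(key, value); }

    // Behaviour the issue asks for: any key under the user prefix yields null,
    // so a stored password hash never leaves the store through this call.
    String getDatabaseProperty(String key) {
        if (key.startsWith(USER_PROPERTY_PREFIX)) {
            return null;
        }
        return props.get(key);
    }

    // The substring form from the patch, kept for comparison: besides being
    // longer, it throws StringIndexOutOfBoundsException for any key shorter
    // than the 11-character prefix instead of simply answering false.
    static boolean isUserKeyViaSubstring(String key) {
        return key.substring(0, 11).equals(USER_PROPERTY_PREFIX);
    }

    public static void main(String[] args) {
        UserPropertyFilter store = new UserPropertyFilter();
        // Constructed sample entries; the hash is a placeholder, not a real Derby hash.
        store.set("derby.user.alice", "PLACEHOLDER_HASH");
        store.set("derby.locks.deadlockTimeout", "20");

        System.out.println("derby.user.alice -> " + store.getDatabaseProperty("derby.user.alice"));
        System.out.println("derby.locks.deadlockTimeout -> "
                + store.getDatabaseProperty("derby.locks.deadlockTimeout"));

        String shortKey = "derby.lo"; // shorter than the prefix
        System.out.println("startsWith on short key: " + shortKey.startsWith(USER_PROPERTY_PREFIX));
        try {
            isUserKeyViaSubstring(shortKey);
        } catch (StringIndexOutOfBoundsException e) {
            System.out.println("substring form threw on short key: " + e.getMessage());
        }
    }
}
```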
> Make SYSCS_UTIL.SYSCS_GET_DATABASE_PROPERTY('derby.user.<username>')  return 
> NULL instead of the hash value of the password
> ---------------------------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-3014
>                 URL: https://issues.apache.org/jira/browse/DERBY-3014
>             Project: Derby
>          Issue Type: Improvement
>          Components: Security
>            Reporter: Daniel John Debrunner
>            Assignee: R VIDYA LAKSHMI
>         Attachments: DERBY-3014.diff
>
>
> Increases security by providing less information to any attacker. The current 
> returned hash value could be used in an off-line dictionary based attack to 
> find a valid password.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.