[
https://issues.apache.org/jira/browse/DERBY-4990?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12992145#comment-12992145
]
Thomas Hill commented on DERBY-4990:
------------------------------------
I had made a comment in my initial post stating that the chapter on granting
permissions in the >developer< guide does not, but may be should list this
permission. First response had been "But from reading the
demo/templates/server.policy file it appears that SocketPermissions are added
to derbynet.jar, not derby.jar. So perhaps this topic is not the right place to
add information about the permission needed for LDAP?". The permission needing
to be granted to derby.jar and not derbynet.jar had been clarified later on. So
may be adding a statement also to the developer guide should be reconsidered?
> Documentation should state a custom security policy being required to use
> LDAP in conjunction with network driver
> -----------------------------------------------------------------------------------------------------------------
>
> Key: DERBY-4990
> URL: https://issues.apache.org/jira/browse/DERBY-4990
> Project: Derby
> Issue Type: Task
> Components: Documentation
> Reporter: Thomas Hill
> Assignee: Kim Haase
> Attachments: DERBY-4990.diff, DERBY-4990b.diff,
> tadminnetservcustom.html, tadminnetservcustom.html
>
>
> The documentation is lacking a statement that defining and using a >custom<
> security manager template is required when wanting to use LDAP authorization
> provider in conjunction with the network driver client. driver. Otherwise,
> i.e. just using the default security policy will lead to socket permission
> errors. Details on which permission exactely needs to be granted to which
> code base would be very helpful.
> Chapter 'Running Derby under a security manager', section 'granting
> permissions to Derby' in the Developer's guide seems a good place to mention
> the permission java.net.SocketPermission as optional, but required to be set
> when wanting to use LDAP authorization in conjunction with the network client
> driver and defining the authorisation provider properties as system-level
> properties.
> Adding this to the documentation and preferrably also providing some more
> guidance seems desirable as migrating off the builtin user system to LDAP is
> strongly recommened and the documentation has explicit statements about
> security risks otherwise incurred.
> I also realized that the template included in the documentation at
> http://db.apache.org/derby/docs/10.7/adminguide/tadminnetservbasic.html and
> the default template included in 10.7.1.1 software are no longer in sync.
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
