06.03.2016 19:06, Adriano dos Santos Fernandes wrote:
> Hi!
>
> Original FB/Java plugin had a security database where SYSDBA could
> define JAAS permissions per user.
>
> Since Java can read files and do bad things, it's up to SYSDBA (server admin)
> to define these permissions. And since it was SYSDBA's task to create users,
> that was ok.
>
> Now we can have embedded users in databases and database owners (not
> SYSDBA) can create users.
>
> That created a problem in how FB/Java should manage permissions.
>
> Should the FB/Java security database not mention only user names but
> databases too, and how?

Certainly FB/Java security should distinguish users from different security databases. But besides different databases we may also have different plugins, and user 'trusted' from security database 'secure', authorized using srp, is something different from user 'trusted' from the same sec-db, but authorized using legacy auth. In addition there are server-wide plugins (like windows SSPI). I.e. not only the database name but also the plugin name should be taken into account. All that information about the user is present in att_user->usr_auth_block and can be used by FB/Java security to validate the user's rights.

Firebird-Devel mailing list, web interface at https://lists.sourceforge.net/lists/listinfo/firebird-devel
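
The distinction drawn in the reply, as an added illustration that is not part of the original messages and is not FB/Java code: grants looked up by user name alone are compared with grants looked up by the full (security database, auth plugin, user name) identity. The `Identity` record, the class name, and the sample database and path names are assumptions made for this sketch.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.HashMap;
import java.util.Map;

public class ScopedGrants {
    // Hypothetical identity key: security database + auth plugin + user name.
    record Identity(String securityDb, String plugin, String user) {}

    private final Map<String, Permissions> byName = new HashMap<>();       // name only (ambiguous)
    private final Map<Identity, Permissions> byIdentity = new HashMap<>(); // fully scoped

    void grant(Identity id, Permission p) {
        byName.computeIfAbsent(id.user(), k -> new Permissions()).add(p);
        byIdentity.computeIfAbsent(id, k -> new Permissions()).add(p);
    }

    // Name-only check: every 'TRUSTED' inherits grants meant for one specific 'TRUSTED'.
    boolean allowedByName(Identity id, Permission p) {
        Permissions g = byName.get(id.user());
        return g != null && g.implies(p);
    }

    // Scoped check: deny unless this exact (database, plugin, user) was granted.
    boolean allowedScoped(Identity id, Permission p) {
        Permissions g = byIdentity.get(id);
        return g != null && g.implies(p);
    }

    public static void main(String[] args) {
        ScopedGrants policy = new ScopedGrants();
        // Constructed sample data: database and path names are made up.
        Identity srpUser = new Identity("secure", "Srp", "TRUSTED");
        Identity legacyUser = new Identity("secure", "Legacy_Auth", "TRUSTED");
        Identity embeddedUser = new Identity("employee.fdb", "Srp", "TRUSTED");
        Identity sspiUser = new Identity("", "Win_Sspi", "TRUSTED"); // server-wide plugin

        // SYSDBA grants read access only to the Srp-authenticated user from 'secure'.
        policy.grant(srpUser, new FilePermission("/var/fbjava/data/-", "read"));
        Permission wanted = new FilePermission("/var/fbjava/data/report.csv", "read");

        for (Identity id : new Identity[] {srpUser, legacyUser, embeddedUser, sspiUser}) {
            System.out.printf("%-62s name-only=%-5b scoped=%b%n",
                    id, policy.allowedByName(id, wanted), policy.allowedScoped(id, wanted));
        }
    }
}
```

With name-only lookup all four identities are allowed to read the file; with the scoped lookup only the Srp-authenticated user from 'secure' is, and everything else is denied by default.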