Derby secure by default

2011-09-19 Thread Rick Hillegas
The Derby developers are considering introducing a single master 
security property. Turning this property on will enable most Derby 
security mechanisms:


1) Authentication - Will be on, requiring username/password credentials 
at connection time. Derby will supply a default authentication mechanism.


2) SQL authorization - Will be on, hiding a user's data from other 
people. In addition, Derby will support more SQL Standard protections 
for Java routines.


3) File permissions - Will be tightened as described by DERBY-5363.

4) PUBLIC -This keyword will not be allowed as a user name.

5) SSL/TLS encryption - Will shield client/server traffic.

6) Server administration -  Will require credentials.

When the property is off, Derby will behave as it does today: 
Authentication, authorization, and network encryption will be off, file 
permissions will inherit defaults from the account which runs the VM, 
PUBLIC will be a legal user name, and server administration won't need 
credentials.


This new master property will make it easier to configure a more secure 
application. We want to introduce the property in an upcoming 10.x 
release, where it will default to being off. That means that it won't 
cause compatibility problems.


Later on, we might change the default for this property so that it would 
normally be turned on. This would make Derby more secure out of the box 
at the cost of breaking existing applications. Many applications would 
need to explicitly turn the property off in order to run as they did 
previously. Release notes would document this behavioral change and we 
would bump the major release id from 10 to 11 in order to call attention 
to the change.


We would like your feedback on this trade-off between security out of 
the box versus disruption. Should this extra security be enabled by default?


Thanks,
-Rick



Re: Derby secure by default

2011-09-19 Thread Peter Ondruška
Rick, I’d vote for secure by default in v.11. Thanks

On Mon, Sep 19, 2011 at 6:39 PM, Rick Hillegas rick.hille...@oracle.com wrote:
 The Derby developers are considering introducing a single master security
 property. Turning this property on will enable most Derby security
 mechanisms:

 1) Authentication - Will be on, requiring username/password credentials at
 connection time. Derby will supply a default authentication mechanism.

 2) SQL authorization - Will be on, hiding a user's data from other people.
 In addition, Derby will support more SQL Standard protections for Java
 routines.

 3) File permissions - Will be tightened as described by DERBY-5363.

 4) PUBLIC -This keyword will not be allowed as a user name.

 5) SSL/TLS encryption - Will shield client/server traffic.

 6) Server administration -  Will require credentials.

 When the property is off, Derby will behave as it does today:
 Authentication, authorization, and network encryption will be off, file
 permissions will inherit defaults from the account which runs the VM, PUBLIC
 will be a legal user name, and server administration won't need credentials.

 This new master property will make it easier to configure a more secure
 application. We want to introduce the property in an upcoming 10.x release,
 where it will default to being off. That means that it won't cause
 compatibility problems.

 Later on, we might change the default for this property so that it would
 normally be turned on. This would make Derby more secure out of the box at
 the cost of breaking existing applications. Many applications would need to
 explicitly turn the property off in order to run as they did previously.
 Release notes would document this behavioral change and we would bump the
 major release id from 10 to 11 in order to call attention to the change.

 We would like your feedback on this trade-off between security out of the
 box versus disruption. Should this extra security be enabled by default?

 Thanks,
 -Rick




RE: Derby secure by default

2011-09-19 Thread Bergquist, Brett
Off by default for the release coming out.  On by default if you want at the 
next major release.

-Original Message-
From: Rick Hillegas [mailto:rick.hille...@oracle.com] 
Sent: Monday, September 19, 2011 12:39 PM
To: Derby Discussion
Subject: Derby secure by default

The Derby developers are considering introducing a single master 
security property. Turning this property on will enable most Derby 
security mechanisms:

1) Authentication - Will be on, requiring username/password credentials 
at connection time. Derby will supply a default authentication mechanism.

2) SQL authorization - Will be on, hiding a user's data from other 
people. In addition, Derby will support more SQL Standard protections 
for Java routines.

3) File permissions - Will be tightened as described by DERBY-5363.

4) PUBLIC -This keyword will not be allowed as a user name.

5) SSL/TLS encryption - Will shield client/server traffic.

6) Server administration -  Will require credentials.

When the property is off, Derby will behave as it does today: 
Authentication, authorization, and network encryption will be off, file 
permissions will inherit defaults from the account which runs the VM, 
PUBLIC will be a legal user name, and server administration won't need 
credentials.

This new master property will make it easier to configure a more secure 
application. We want to introduce the property in an upcoming 10.x 
release, where it will default to being off. That means that it won't 
cause compatibility problems.

Later on, we might change the default for this property so that it would 
normally be turned on. This would make Derby more secure out of the box 
at the cost of breaking existing applications. Many applications would 
need to explicitly turn the property off in order to run as they did 
previously. Release notes would document this behavioral change and we 
would bump the major release id from 10 to 11 in order to call attention 
to the change.

We would like your feedback on this trade-off between security out of 
the box versus disruption. Should this extra security be enabled by default?

Thanks,
-Rick





derby can not reload procedure class? can not use ResultSet.updateRow()?

2011-09-19 Thread 雷暴
nice to contact every one,This is my first time to mail in english,please 
forgive me.
  
 #1.It seems that when procedure in  a class was loaded, drop and reloaded, the 
changes of JAR file havn't take effected!
  
 eg script:
 drop PROCEDURE test;
call sqlj.remove_jar('admin.creaateClient', 0);
call sqlj.install_jar('export\testproc.jar','admin.creaateClient', 0);
CREATE PROCEDURE test( IN orgID INTEGER, 
 IN groupID INTEGER, 
 IN name varchar(60),
 IN faceFileID bigint,
 IN recStatus smallint,
 IN creator bigint
   ) 
PARAMETER STYLE JAVA READS SQL DATA LANGUAGE JAVA 
EXTERNAL NAME 'com.bana.commonServer.procedure.Client_info.creaateClient';
call test(1,2,'name',4,5,6);
 -- code ended
  
  
 when I change and re-complie the JAR ( a little changes of logic,nothing of 
the other changeed), I repeat the script but the logic is the old one...囧  
  
 #2  
sql = SELECT groupSize,seq from SEQ where seqType =101 and orgID =? and 
groupID =? ;
   pSeq= connection.prepareStatement(sql, 
ResultSet.TYPE_FORWARD_ONLY,ResultSet.CONCUR_UPDATABLE);
   pSeq.setInt(1, orgID);
   pSeq.setInt(2, groupID);
   System.out.println( exe SQL:+sql);
   rs = pSeq.executeQuery();
   if(rs.next()){
groupSize =rs.getInt(1);
seq = rs.getInt(2);
System.out.println(seq:+seq);

if(seq=groupSize){
 //returnCode[0] =4002;
  return;
}
System.out.println(groupSize:+groupSize);
rs.updateInt(seq, seq+1); /not executed
rs.updateRow();//not executed
System.out.println(update:+seq+1);//not executed

  
 the return message is:
 The exception 'java.sql.SQLException: ' was thrown while evaluating an 
expression.

 I try the same code in independent java source and execute passed.I feel 
confused ,It my first time to try derby
 I look forward to your reply.thank you for you intention.

Re: Derby secure by default

2011-09-19 Thread Mike Matrigali
I am not sure how it applies to all of these points, but I am wondering 
if secure by default should be implemented on a per database basis 
rather than a system level basis?  It seems wierd that security could

change based on how the next embedded startup set a flag.

What about having the property be part of what user requests at database
creation time?  And maybe allow some secure way either disable or enable 
it.  The discussion could continue on what the default for a newly 
created database would be.  At least for point 1-4 seems to make more 
sense, not sure about 5,6.


I personally think many of these points make most sense for derby 
network server.  While many possibly get in the way for many zero-admin

embedded applications.  Since we have one codeline for the most part
for both it is hard to have one default.


Rick Hillegas wrote:
The Derby developers are considering introducing a single master 
security property. Turning this property on will enable most Derby 
security mechanisms:


1) Authentication - Will be on, requiring username/password credentials 
at connection time. Derby will supply a default authentication mechanism.


2) SQL authorization - Will be on, hiding a user's data from other 
people. In addition, Derby will support more SQL Standard protections 
for Java routines.


3) File permissions - Will be tightened as described by DERBY-5363.

4) PUBLIC -This keyword will not be allowed as a user name.

5) SSL/TLS encryption - Will shield client/server traffic.

6) Server administration -  Will require credentials.

When the property is off, Derby will behave as it does today: 
Authentication, authorization, and network encryption will be off, file 
permissions will inherit defaults from the account which runs the VM, 
PUBLIC will be a legal user name, and server administration won't need 
credentials.


This new master property will make it easier to configure a more secure 
application. We want to introduce the property in an upcoming 10.x 
release, where it will default to being off. That means that it won't 
cause compatibility problems.


Later on, we might change the default for this property so that it would 
normally be turned on. This would make Derby more secure out of the box 
at the cost of breaking existing applications. Many applications would 
need to explicitly turn the property off in order to run as they did 
previously. Release notes would document this behavioral change and we 
would bump the major release id from 10 to 11 in order to call attention 
to the change.


We would like your feedback on this trade-off between security out of 
the box versus disruption. Should this extra security be enabled by 
default?


Thanks,
-Rick






Re: Derby secure by default

2011-09-19 Thread Roy . Minet
Installing a new version should always be backward compatible and not break 
anything in existing applications.  If things don't work this way, it's bound 
to be (unncessarily) disruptive to some, and especial ly those less 
sophisticated and less able to figure out and fix problems.   I see no reason 
why anyon e who wishes to utilize the new capabil ities would have any problem 
with setting the new property when they are ready to do so.  Security is 
obviously important, especially for networked applications.  I think it's also 
important not to do anything that interferes with embedded 
applications designed to  require ZERO administration. 

- Original Message -
From: Rick Hillegas rick.hille...@oracle.com 
To: Derby Discussion derby-user@db.apache.org 
Sent: Monday, September 19, 2011 12:39:07 PM 
Subject: Derby secure by default 

The Derby developers are considering introducing a single master 
security property. Turning this property on will enable most Derby 
security mechanisms: 

1) Authentication - Will be on, requiring username/password credentials 
at connection time. Derby will supply a default authentication mechanism. 

2) SQL authorization - Will be on, hiding a user's data from other 
people. In addition, Derby will support more SQL Standard protections 
for Java routines. 

3) File permissions - Will be tightened as described by DERBY-5363. 

4) PUBLIC -This keyword will not be allowed as a user name. 

5) SSL/TLS encryption - Will shield client/server traffic. 

6) Server administration -  Will require credentials. 

When the property is off, Derby will behave as it does today: 
Authentication, authorization, and network encryption will be off, file 
permissions will inherit defaults from the account which runs the VM, 
PUBLIC will be a legal user name, and server administration won't need 
credentials. 

This new master property will make it easier to configure a more secure 
application. We want to introduce the property in an upcoming 10.x 
release, where it will default to being off. That means that it won't 
cause compatibility problems. 

Later on, we might change the default for this property so that it would 
normally be turned on. This would make Derby more secure out of the box 
at the cost of breaking existing applications. Many applications would 
need to explicitly turn the property off in order to run as they did 
previously. Release notes would document this behavioral change and we 
would bump the major release id from 10 to 11 in order to call attention 
to the change. 

We would like your feedback on this trade-off between security out of 
the box versus disruption. Should this extra security be enabled by default? 

Thanks, 
-Rick 



Re: Derby secure by default

2011-09-19 Thread Rick Hillegas

Hi Mike,

Some comments inline...

On 9/19/11 10:38 AM, Mike Matrigali wrote:
I am not sure how it applies to all of these points, but I am 
wondering if secure by default should be implemented on a per database 
basis rather than a system level basis?  It seems wierd that security 
could

change based on how the next embedded startup set a flag.
I think that it should behave like derby.database.sqlAuthorization: once 
it's been turned on it is stored in the database and you can't turn it 
off at the system level. I agree that it would be weird to let the next 
user subvert the security of your database by flipping a command line 
switch.


What about having the property be part of what user requests at database
creation time?  And maybe allow some secure way either disable or 
enable it.  The discussion could continue on what the default for a 
newly created database would be.  At least for point 1-4 seems to make 
more sense, not sure about 5,6.


I personally think many of these points make most sense for derby 
network server.
I'm also concerned about the embedded database on a USB stick. I could 
argue that it is more vulnerable than the server-side database locked up 
in a machine room.

While many possibly get in the way for many zero-admin
embedded applications.
I'm imagining that this change may be fairly unobtrusive. For an 
embedded database which has only one user (the dbo), the big change is 
that the dbo has to specify a username and password. There won't be any 
need to GRANT access to other users so (2) won't be noticed. Items (3) 
and (4) won't burden most applications. (5) and (6) are only issues for 
client/server usage.

  Since we have one codeline for the most part
for both it is hard to have one default.
I agree that a common default would be best. It will make it easier to 
reason about Derby's behavior and simplify our user guides.


Thanks,
-Rick



Rick Hillegas wrote:
The Derby developers are considering introducing a single master 
security property. Turning this property on will enable most Derby 
security mechanisms:


1) Authentication - Will be on, requiring username/password 
credentials at connection time. Derby will supply a default 
authentication mechanism.


2) SQL authorization - Will be on, hiding a user's data from other 
people. In addition, Derby will support more SQL Standard protections 
for Java routines.


3) File permissions - Will be tightened as described by DERBY-5363.

4) PUBLIC -This keyword will not be allowed as a user name.

5) SSL/TLS encryption - Will shield client/server traffic.

6) Server administration -  Will require credentials.

When the property is off, Derby will behave as it does today: 
Authentication, authorization, and network encryption will be off, 
file permissions will inherit defaults from the account which runs 
the VM, PUBLIC will be a legal user name, and server administration 
won't need credentials.


This new master property will make it easier to configure a more 
secure application. We want to introduce the property in an upcoming 
10.x release, where it will default to being off. That means that it 
won't cause compatibility problems.


Later on, we might change the default for this property so that it 
would normally be turned on. This would make Derby more secure out of 
the box at the cost of breaking existing applications. Many 
applications would need to explicitly turn the property off in order 
to run as they did previously. Release notes would document this 
behavioral change and we would bump the major release id from 10 to 
11 in order to call attention to the change.


We would like your feedback on this trade-off between security out of 
the box versus disruption. Should this extra security be enabled by 
default?


Thanks,
-Rick









Re: Derby secure by default

2011-09-19 Thread José Ventura
(perhaps this has already been discussed in the devs' mailing list, if so,
forgive my ignorance).

I'm not sure whether making the default value on will actually improve
security as a whole. If a developer hasn't given thought to security, there
are plenty of other pitfalls that may compromise an application (e.g. where
should I store the (previously unneeded yet now required) username and
password?).

On the other hand, if s/he did in fact think about security, then odds are
that are a simple, concise documentation will point him/her to happily turn
on the switch with minimum nuisance, and proceed to secure the rest of the
application.

@Roy:
I believe that, since the change would happen in a next major release (11
vs. current 10.x), backwards compatibility wouldn't be *required* (but would
certainly be *appreciated*).

On Mon, Sep 19, 2011 at 4:55 PM, Rick Hillegas rick.hille...@oracle.comwrote:

 Hi Mike,

 Some comments inline...

 On 9/19/11 10:38 AM, Mike Matrigali wrote:

 I am not sure how it applies to all of these points, but I am wondering if
 secure by default should be implemented on a per database basis rather than
 a system level basis?  It seems wierd that security could
 change based on how the next embedded startup set a flag.

 I think that it should behave like derby.database.**sqlAuthorization: once
 it's been turned on it is stored in the database and you can't turn it off
 at the system level. I agree that it would be weird to let the next user
 subvert the security of your database by flipping a command line switch.


 What about having the property be part of what user requests at database
 creation time?  And maybe allow some secure way either disable or enable
 it.  The discussion could continue on what the default for a newly created
 database would be.  At least for point 1-4 seems to make more sense, not
 sure about 5,6.

 I personally think many of these points make most sense for derby network
 server.

 I'm also concerned about the embedded database on a USB stick. I could
 argue that it is more vulnerable than the server-side database locked up in
 a machine room.

 While many possibly get in the way for many zero-admin
 embedded applications.

 I'm imagining that this change may be fairly unobtrusive. For an embedded
 database which has only one user (the dbo), the big change is that the dbo
 has to specify a username and password. There won't be any need to GRANT
 access to other users so (2) won't be noticed. Items (3) and (4) won't
 burden most applications. (5) and (6) are only issues for client/server
 usage.

  Since we have one codeline for the most part
 for both it is hard to have one default.

 I agree that a common default would be best. It will make it easier to
 reason about Derby's behavior and simplify our user guides.

 Thanks,
 -Rick



 Rick Hillegas wrote:

 The Derby developers are considering introducing a single master security
 property. Turning this property on will enable most Derby security
 mechanisms:

 1) Authentication - Will be on, requiring username/password credentials
 at connection time. Derby will supply a default authentication mechanism.

 2) SQL authorization - Will be on, hiding a user's data from other
 people. In addition, Derby will support more SQL Standard protections for
 Java routines.

 3) File permissions - Will be tightened as described by DERBY-5363.

 4) PUBLIC -This keyword will not be allowed as a user name.

 5) SSL/TLS encryption - Will shield client/server traffic.

 6) Server administration -  Will require credentials.

 When the property is off, Derby will behave as it does today:
 Authentication, authorization, and network encryption will be off, file
 permissions will inherit defaults from the account which runs the VM, PUBLIC
 will be a legal user name, and server administration won't need credentials.

 This new master property will make it easier to configure a more secure
 application. We want to introduce the property in an upcoming 10.x release,
 where it will default to being off. That means that it won't cause
 compatibility problems.

 Later on, we might change the default for this property so that it would
 normally be turned on. This would make Derby more secure out of the box at
 the cost of breaking existing applications. Many applications would need to
 explicitly turn the property off in order to run as they did previously.
 Release notes would document this behavioral change and we would bump the
 major release id from 10 to 11 in order to call attention to the change.

 We would like your feedback on this trade-off between security out of the
 box versus disruption. Should this extra security be enabled by default?

 Thanks,
 -Rick








Re: Derby secure by default

2011-09-19 Thread Matt Pouttu-Clarke
Embedded applications have to secure their own points of entry and turning
Derby security on by default will do nothing.  Unless the Java security
manager is active, everything is wide open via the reflection APIs when you
are embedded in-process with the database.

Best-guess for me would be if the Java security manager is turned on then
enable default security for the database, whether you are in network server
mode or embedded mode.  If people want to tolerate the overhead of security
manager calls in order to prevent malware in the JVM then they would also
most likely also be willing to tolerate the additional overhead of Derby
security by default.

Just a thought...

Cheers,
Matt

On 9/19/11 1:20 PM, José Ventura st.ne...@gmail.com wrote:

 (perhaps this has already been discussed in the devs' mailing list, if so,
 forgive my ignorance).
 
 I'm not sure whether making the default value on will actually improve
 security as a whole. If a developer hasn't given thought to security, there
 are plenty of other pitfalls that may compromise an application (e.g. where
 should I store the (previously unneeded yet now required) username and
 password?).
 
 On the other hand, if s/he did in fact think about security, then odds are
 that are a simple, concise documentation will point him/her to happily turn on
 the switch with minimum nuisance, and proceed to secure the rest of the
 application.
 
 @Roy:
 I believe that, since the change would happen in a next major release (11 vs.
 current 10.x), backwards compatibility wouldn't be *required* (but would
 certainly be *appreciated*).
 
 On Mon, Sep 19, 2011 at 4:55 PM, Rick Hillegas rick.hille...@oracle.com
 wrote:
 Hi Mike,
 
 Some comments inline...
 
 On 9/19/11 10:38 AM, Mike Matrigali wrote:
 I am not sure how it applies to all of these points, but I am wondering if
 secure by default should be implemented on a per database basis rather than
 a system level basis?  It seems wierd that security could
 change based on how the next embedded startup set a flag.
 I think that it should behave like derby.database.sqlAuthorization: once it's
 been turned on it is stored in the database and you can't turn it off at the
 system level. I agree that it would be weird to let the next user subvert the
 security of your database by flipping a command line switch.
 
 What about having the property be part of what user requests at database
 creation time?  And maybe allow some secure way either disable or enable it.
  The discussion could continue on what the default for a newly created
 database would be.  At least for point 1-4 seems to make more sense, not
 sure about 5,6.
 
 I personally think many of these points make most sense for derby network
 server.
 I'm also concerned about the embedded database on a USB stick. I could argue
 that it is more vulnerable than the server-side database locked up in a
 machine room.
 While many possibly get in the way for many zero-admin
 embedded applications.
 I'm imagining that this change may be fairly unobtrusive. For an embedded
 database which has only one user (the dbo), the big change is that the dbo
 has to specify a username and password. There won't be any need to GRANT
 access to other users so (2) won't be noticed. Items (3) and (4) won't burden
 most applications. (5) and (6) are only issues for client/server usage.
   Since we have one codeline for the most part
 for both it is hard to have one default.
 I agree that a common default would be best. It will make it easier to reason
 about Derby's behavior and simplify our user guides.
 
 Thanks,
 -Rick
 
 
 
 Rick Hillegas wrote:
 The Derby developers are considering introducing a single master security
 property. Turning this property on will enable most Derby security
 mechanisms:
 
 1) Authentication - Will be on, requiring username/password credentials at
 connection time. Derby will supply a default authentication mechanism.
 
 2) SQL authorization - Will be on, hiding a user's data from other people.
 In addition, Derby will support more SQL Standard protections for Java
 routines.
 
 3) File permissions - Will be tightened as described by DERBY-5363.
 
 4) PUBLIC -This keyword will not be allowed as a user name.
 
 5) SSL/TLS encryption - Will shield client/server traffic.
 
 6) Server administration -  Will require credentials.
 
 When the property is off, Derby will behave as it does today:
 Authentication, authorization, and network encryption will be off, file
 permissions will inherit defaults from the account which runs the VM,
 PUBLIC will be a legal user name, and server administration won't need
 credentials.
 
 This new master property will make it easier to configure a more secure
 application. We want to introduce the property in an upcoming 10.x release,
 where it will default to being off. That means that it won't cause
 compatibility problems.
 
 Later on, we might change the default for this property so that it would
 normally be turned on. 

Re: Derby secure by default

2011-09-19 Thread Mike Matrigali

Rick Hillegas wrote:

I'm also concerned about the embedded database on a USB stick. I could 
argue that it is more vulnerable than the server-side database locked up 
in a machine room.


Derby has one answer to this issue and that is encrypted databases.  I 
don't think anything other than that is secure.  Because if you lose 
ownership of the files anyone can use a version of the open source 
software to look at the data no matter what you do with authentication 
or authorization.  I sort of doubt even file permissions would help

if someone has physical control of the device and can mount it anywhere.

Having said that, I don't want to also enable encryption by default for
embedded derby.  It is unnecessary for many applications and imposes
performance degredation and application complexity.

Historically Derby was never meant to be secure.  It was designed to
be embedded and for owning applications to handle security.  Early on
the issue of losing ownership of the files was considered and so 
encrytion was added.  Eventually client/server was added and even later

sql authorization, but it was not expected to be used in general for
embedded applications.


While many possibly get in the way for many zero-admin
embedded applications.
I'm imagining that this change may be fairly unobtrusive. For an 
embedded database which has only one user (the dbo), the big change is 
that the dbo has to specify a username and password. There won't be any 
need to GRANT access to other users so (2) won't be noticed. Items (3) 
and (4) won't burden most applications. (5) and (6) are only issues for 
client/server usage.


In many cases I don't think this is true.   I know users I work with 
currently run an embedded derby application as a number of different 
users and their current application does not use authentication or 
authorization.  As with other files used by the application they manage

access to db files as appropriate for their application.


  Since we have one codeline for the most part
for both it is hard to have one default.
I agree that a common default would be best. It will make it easier to 
reason about Derby's behavior and simplify our user guides.


Thanks,
-Rick



Rick Hillegas wrote:
The Derby developers are considering introducing a single master 
security property. Turning this property on will enable most Derby 
security mechanisms:


1) Authentication - Will be on, requiring username/password 
credentials at connection time. Derby will supply a default 
authentication mechanism.


2) SQL authorization - Will be on, hiding a user's data from other 
people. In addition, Derby will support more SQL Standard protections 
for Java routines.


3) File permissions - Will be tightened as described by DERBY-5363.

4) PUBLIC -This keyword will not be allowed as a user name.

5) SSL/TLS encryption - Will shield client/server traffic.

6) Server administration -  Will require credentials.

When the property is off, Derby will behave as it does today: 
Authentication, authorization, and network encryption will be off, 
file permissions will inherit defaults from the account which runs 
the VM, PUBLIC will be a legal user name, and server administration 
won't need credentials.


This new master property will make it easier to configure a more 
secure application. We want to introduce the property in an upcoming 
10.x release, where it will default to being off. That means that it 
won't cause compatibility problems.


Later on, we might change the default for this property so that it 
would normally be turned on. This would make Derby more secure out of 
the box at the cost of breaking existing applications. Many 
applications would need to explicitly turn the property off in order 
to run as they did previously. Release notes would document this 
behavioral change and we would bump the major release id from 10 to 
11 in order to call attention to the change.


We would like your feedback on this trade-off between security out of 
the box versus disruption. Should this extra security be enabled by 
default?


Thanks,
-Rick












Re: Derby secure by default

2011-09-19 Thread Mike Matrigali

Rick Hillegas wrote:

Hi Mike,

Some comments inline...

On 9/19/11 10:38 AM, Mike Matrigali wrote:
I am not sure how it applies to all of these points, but I am 
wondering if secure by default should be implemented on a per database 
basis rather than a system level basis?  It seems wierd that security 
could

change based on how the next embedded startup set a flag.
I think that it should behave like derby.database.sqlAuthorization: once 
it's been turned on it is stored in the database and you can't turn it 
off at the system level. I agree that it would be weird to let the next 
user subvert the security of your database by flipping a command line 
switch.
I am trying to understand what happens when we change the default and a 
user upgrades to 11 and starts up on there existing database that has no
authentication or authorization enabled.  What is the proposed soft 
upgrade behavior?  What is the proposed hard upgrade behavior?


This is a development detail but what is proposed for the existing derby
set of tests, which I have to assume are about 99% not authenticated or
authorized?  Would we implement a way to run them both ways?  Convert 
them all or most to run under new default?




Re: Derby secure by default

2011-09-19 Thread Mike Matrigali

roy.mi...@comcast.net wrote:
Installing a new version should always be backward compatible and not 
break anything in existing applications.  If things don't work this way, 
it's bound to be (unncessarily) disruptive to some, and especially those 
less sophisticated and less able to figure out and fix problems.  I see 
no reason why anyone who wishes to utilize the new capabilities would 
have any problem with setting the new property when they are ready to do 
so.  Security is obviously important, especially for networked 
applications.  I think it's also important not to do anything that 
interferes with embedded applications designed to require ZERO 
administration.



+1

I think that new features that rick is proposing are valuable to some
set of Derby users, and welcome their inclusion in Derby.  Having one
flag to enable a set of secure oriented features also seems reasonable
as long as users can still pick and choose if they don't want the 
complete set.  I don't think

they should be made the default in the current release or a future release.

I believe zero admin upgrade/backward compatibility has been a great 
feature for Derby so far and we should do whatever we can to not break 
it going forward.  It seems like applications that need this feature set
can set the appropriate flag going forward and then do the work to 
properly configure authentication and authorization, ssl encryption 
passwords, and other server administration.  Since there is extra work

necessary to use these features it seems reasonable to put to work on
these applications to set the flag rather than put the work on the 
zero-admin applications that do not need these features.


By default Derby should be zero admin and thus default to not requiring
this extra administration.




*From: *Rick Hillegas rick.hille...@oracle.com
*To: *Derby Discussion derby-user@db.apache.org
*Sent: *Monday, September 19, 2011 12:39:07 PM
*Subject: *Derby secure by default

The Derby developers are considering introducing a single master
security property. Turning this property on will enable most Derby
security mechanisms:

1) Authentication - Will be on, requiring username/password credentials
at connection time. Derby will supply a default authentication mechanism.

2) SQL authorization - Will be on, hiding a user's data from other
people. In addition, Derby will support more SQL Standard protections
for Java routines.

3) File permissions - Will be tightened as described by DERBY-5363.

4) PUBLIC -This keyword will not be allowed as a user name.

5) SSL/TLS encryption - Will shield client/server traffic.

6) Server administration -  Will require credentials.

When the property is off, Derby will behave as it does today:
Authentication, authorization, and network encryption will be off, file
permissions will inherit defaults from the account which runs the VM,
PUBLIC will be a legal user name, and server administration won't need
credentials.

This new master property will make it easier to configure a more secure
application. We want to introduce the property in an upcoming 10.x
release, where it will default to being off. That means that it won't
cause compatibility problems.

Later on, we might change the default for this property so that it would
normally be turned on. This would make Derby more secure out of the box
at the cost of breaking existing applications. Many applications would
need to explicitly turn the property off in order to run as they did
previously. Release notes would document this behavioral change and we
would bump the major release id from 10 to 11 in order to call attention
to the change.

We would like your feedback on this trade-off between security out of
the box versus disruption. Should this extra security be enabled by default?

Thanks,
-Rick





Re: Derby secure by default

2011-09-19 Thread Kathey Marsden

On 9/19/2011 1:20 PM, José Ventura wrote:


I'm not sure whether making the default value on will actually 
improve security as a whole. If a developer hasn't given thought to 
security, there are plenty of other pitfalls that may compromise an 
application (e.g. where should I store the (previously unneeded yet 
now required) username and password?).


On the other hand, if s/he did in fact think about security, then odds 
are that are a simple, concise documentation will point him/her to 
happily turn on the switch with minimum nuisance, and proceed to 
secure the rest of the application.


I think this is a very good point. The claim of   secure by default is 
a very strong claim  and may give a false sense of overall security. 
Some things, like encryption and perhaps stricter security manager 
settings are not part of the default, but might be an important part of 
actually securing a particular application.  I agree it is good for the 
application developer to plan security and for us to make it as easy as 
possible for them to do so from a Derby perspective.


 Perhaps the conversation of the default is premature.  Perhaps we 
should first nail down the easy security knob and  understand its 
behavior and usefulness and then discuss whether it should/could  be the 
default.

Kathey