Details
- Improvement
- Status: Closed
- Major
- Resolution: Fixed
- None
- None
- Release Note Needed
- Security
Description
From an e-mail discussion:
... Derby should match the security provided by typical client server systems such as DB2, Oracle, etc. I
think in this case system/database owners are trusting the database
system to ensure that their system cannot be attacked. So maybe if Derby
is booted as a standalone server with no security manager involved, it
should install one with a default security policy. Thus allowing Derby
to use Java security manager to manage system privileges but not
requiring everyone to become familiar with them.
http://mail-archives.apache.org/mod_mbox/db-derby-dev/200612.mbox/%3c4582FE67.7040308@apache.org%3e
I imagine such a policy would allow any access to databases under derby.system.home and/or user.home.
By standalone I mean the network server was started through the main() method (command line).
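A sketch of the behaviour proposed above, added here as an illustration and not taken from Derby's code: when started from main() with no security manager present, install one with a policy limited to derby.system.home and user.home. The class name, method names, and policy text are hypothetical, and the policy covers file access only.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

// Added illustration, not Derby's code. Class name and policy text are hypothetical.
public class SecureByDefaultSketch {
    // File access limited to derby.system.home and user.home, as the issue suggests.
    // A working server policy would also need socket and property permissions.
    static final String POLICY = String.join("\n",
        "grant {",
        "  permission java.io.FilePermission \"${derby.system.home}\", \"read\";",
        "  permission java.io.FilePermission \"${derby.system.home}${/}-\", \"read,write,delete\";",
        "  permission java.io.FilePermission \"${user.home}${/}-\", \"read,write,delete\";",
        "};", "");

    // Installs a default manager and returns the system home it covers,
    // or returns null when a manager is already present (it is left alone).
    static String installIfAbsent() throws IOException {
        if (System.getSecurityManager() != null) return null;
        // An unset property would make the policy parser drop the entry, so default
        // derby.system.home to the current directory before the policy is read.
        String home = System.getProperty("derby.system.home", System.getProperty("user.dir"));
        System.setProperty("derby.system.home", home);
        Path policy = Files.createTempFile("server", ".policy");
        Files.write(policy, POLICY.getBytes(StandardCharsets.UTF_8));
        // Leading '=' makes this the only policy, like -Djava.security.policy==<file>.
        System.setProperty("java.security.policy", "=" + policy.toUri());
        System.setSecurityManager(new SecurityManager());
        return home;
    }

    static boolean canRead(File f) {
        try { System.getSecurityManager().checkRead(f.getPath()); return true; }
        catch (SecurityException denied) { return false; }
    }

    public static void main(String[] args) throws IOException {
        try {
            String home = installIfAbsent();
            if (home == null) { System.out.println("existing security manager kept"); return; }
            // Both paths are constructed sample values; nothing is opened.
            System.out.println("under system home: " + canRead(new File(home, "sampledb")));
            System.out.println("outside it: " + canRead(new File(File.separator + "constructed-outside")));
        } catch (UnsupportedOperationException e) { // JDK 18+ refuses this call by default
            System.out.println("setSecurityManager refused: " + e.getMessage());
        }
    }
}
```

On a JDK that still permits a security manager, the first check reports true and the second false.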
Attachments
Issue Links
- incorporates
  - DERBY-2362 Add checks to ensure security manager installed by network server by default is as expected. (Open)
  - DERBY-2372 Document the secure-by-default network server (Closed)
- is related to
  - DERBY-3248 SecureServerTest needs cleanup runServerCommand, possibly causing test failures when tests are run through ant. (Open)
  - DERBY-2874 NetworkServer not accepting connections with default security manager on Ipv6 machines (Closed)
  - DERBY-2757 Do not require authentication when bringing up a security manager for the network server (Closed)
- relates to
  - DERBY-2963 AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve (Closed)