  1. Derby
  2. DERBY-2736

Connecting with an invalid user identifier performs authentication before rejecting the connection.

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.2.1, 10.1.3.1, 10.2.1.6, 10.2.2.0, 10.3.1.4
    • Fix Version/s: None
    • Component/s: Services
    • Urgency: Normal
    • Issue & fix info: Newcomer, Repro attached
    • Bug behavior facts: Security

      Description

      Ideally no authentication attempt should be made because the user identifier is invalid.
      E.g. with this URL

      jdbc:derby:db1;user=123

      the connection attempt will correctly fail but only after the authentication mechanism is called.

      If the application has installed its own UserAuthenticator class then that class will be called with an invalid identifier.
      I believe that the connection request should fail before calling any authentication; developers should only be required
      to handle valid identifiers.
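
One way an application-supplied UserAuthenticator can guard itself against the behaviour reported above, as an added example (not part of the original report and not Derby's own code). The identifier check is an assumed approximation of SQL identifier syntax, and the class name, credential map and password are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.sql.SQLException;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.regex.Pattern;
import org.apache.derby.authentication.UserAuthenticator;

// Hypothetical class: refuses malformed user identifiers before any credential lookup.
public class ValidatingAuthenticator implements UserAuthenticator {
    // Assumption: approximates SQL identifier syntax, not Derby's own parser.
    // Ordinary: letter first, then letters, digits or underscores (128 chars max).
    private static final Pattern ORDINARY = Pattern.compile("\\p{L}[\\p{L}\\p{Nd}_]{0,127}");
    // Delimited: double-quoted, with "" standing for an embedded quote.
    private static final Pattern DELIMITED = Pattern.compile("\"(?:[^\"]|\"\"){1,128}\"");

    // Constructed sample store; a real one would keep salted password hashes.
    private static final Map<String, String> STORE = Map.of("APP", "constructed-sample-secret");

    static boolean isValidUserIdentifier(String user) {
        return user != null
            && (ORDINARY.matcher(user).matches() || DELIMITED.matcher(user).matches());
    }

    // Ordinary identifiers fold to upper case; delimited ones keep their exact text.
    static String normalize(String user) {
        return user.startsWith("\"")
            ? user.substring(1, user.length() - 1).replace("\"\"", "\"")
            : user.toUpperCase(Locale.ROOT);
    }

    @Override
    public boolean authenticateUser(String userName, String userPassword,
                                    String databaseName, Properties info) throws SQLException {
        // Reject invalid identifiers (such as 123) without consulting the store.
        if (!isValidUserIdentifier(userName) || userPassword == null) return false;
        String expected = STORE.get(normalize(userName));
        return expected != null && MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            userPassword.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws SQLException {
        UserAuthenticator auth = new ValidatingAuthenticator();
        System.out.println(auth.authenticateUser("123", "x", "db1", new Properties()));
        System.out.println(auth.authenticateUser("app", "constructed-sample-secret", "db1", new Properties()));
    }
}
```

Compiling it requires the Derby jar on the classpath.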

              People

              • Assignee: Unassigned
              • Reporter: djd Daniel John Debrunner