Derby
  1. Derby
  2. DERBY-2736

Connecting with an invalid user identifier performs authentication before rejecting the connection.

    Details

    • Type: Bug Bug
    • Status: Open
    • Priority: Minor Minor
    • Resolution: Unresolved
    • Affects Version/s: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.2.1, 10.1.3.1, 10.2.1.6, 10.2.2.0, 10.3.1.4
    • Fix Version/s: None
    • Component/s: Services
    • Urgency:
      Normal
    • Issue & fix info:
      Newcomer, Repro attached
    • Bug behavior facts:
      Security

      Description

      Ideally no authentication attempt should be made because the user identifier is invalid.
      E.g. with this URL

      jdbc:derby:db1;user=123

      the connection attempt will correctly fail but only after the authentication mechanism is called.

      If the application has installed its own UserAuthenticator class then that class will be called with an invalid identifier.
      I believe that the connection request should fail before calling any authentication, developers should only be required
      to handle valid identifiers.

        Issue Links

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              Daniel John Debrunner
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:

                Development