Derby / DERBY-3150

BUILTIN authentication does not treat user names set in derby.user. as regular SQL identifiers when not quoted.

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.2.1, 10.1.3.1, 10.2.1.6, 10.2.2.0, 10.3.1.4, 10.4.1.3
    • Fix Version/s: None
    • Component/s: JDBC
    • Urgency: Normal
    • Issue & fix info: Repro attached
    • Bug behavior facts: Security

      Description

      The documentation for the property derby.user.userName says "User names are SQL92Identifiers and can be delimited." and has examples with delimited identifiers.

      For a regular identifier (non-quoted) the user name to password mapping is not normalized so that the user name is upper-case; this causes login failures when a user name is provided that matches the normalized name, but does not match the value in the property name.

      derby.user.dan=password

      Logging in with user name dan works, but DAN or Dan will not. Note that with any of these user names provided to JDBC, the SQL CURRENT_USER will return DAN.

      jdbc:derby:db;user=dan // ok
      jdbc:derby:db;user=Dan // not ok
      jdbc:derby:db;user=DAN // not ok

      Note that if the user name is normalized then the scheme would have to deal with this situation:

      derby.user.dan=passwordOne
      derby.user.DAN=passwordTwo

      These two properties refer to the same user, but two passwords are being defined.

      Test case in AuthenticationTest with this bug number.
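An audit sketch for the situation described above, as an added example that is not part of the original report or of Derby's code: it folds each derby.user.* name by SQL identifier rules (regular identifiers to upper case, delimited identifiers kept as written) and reports names defined more than once with different passwords, plus regular-identifier entries that are not stored in upper case. The function names and the sample properties are assumptions, and only simple key=value lines are handled.

```python
from collections import defaultdict

PREFIX = "derby.user."

def normalize(name):
    """Fold a user name the way SQL folds identifiers."""
    if len(name) >= 2 and name.startswith('"') and name.endswith('"'):
        # Delimited identifier: case is preserved, doubled quotes collapse.
        return name[1:-1].replace('""', '"')
    # Regular identifier: folded to upper case.
    return name.upper()

def audit(properties_text):
    """Return (collisions, case_sensitive) for derby.user.* entries."""
    by_user = defaultdict(list)
    for line in properties_text.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX) or "=" not in line:
            continue  # comments, blank lines, other Derby properties
        key, password = line.split("=", 1)
        raw = key[len(PREFIX):].strip()
        by_user[normalize(raw)].append((raw, password.strip()))
    # One authorization identifier, several entries, differing passwords.
    collisions = {user: [raw for raw, _ in entries]
                  for user, entries in by_user.items()
                  if len({pw for _, pw in entries}) > 1}
    # Regular identifiers not stored in normalized form: per the report,
    # only the exact spelling used in the property name can log in.
    case_sensitive = sorted(raw for entries in by_user.values()
                            for raw, _ in entries
                            if not raw.startswith('"') and raw != raw.upper())
    return collisions, case_sensitive

# Constructed sample input (not taken from a real deployment).
SAMPLE = """\
derby.connection.requireAuthentication=true
derby.user.dan=passwordOne
derby.user.DAN=passwordTwo
derby.user."Mary"=passwordThree
derby.user.OPS=passwordFour
"""

if __name__ == "__main__":
    collisions, case_sensitive = audit(SAMPLE)
    for user, names in collisions.items():
        print(f"{user}: defined as {names} with different passwords")
    for raw in case_sensitive:
        print(f"{raw}: login as {normalize(raw)} will not match this entry")
```
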

        Activity

        Kathey Marsden added a comment -

        Triaged for 10.5.2. Set normal urgency.

        Dag H. Wanvik added a comment -

        svn 588304 introduced a javadoc warning:
        [javadoc] ../java/testing/org/apache/derbyTesting/functionTests/tests/jdbcapi/AuthenticationTest.java:363: warning - @param argument "conn" is not a parameter name.

        Daniel John Debrunner added a comment -

        Same issue if the connection request is made with the quoted identifier that maps to the upper-case form of the regular identifier, e.g.

        jdbc:derby:db;user="DAN" // not ok


          People

          • Assignee: Unassigned
          • Reporter: Daniel John Debrunner