Derby / DERBY-3150

BUILTIN authentication does not treat user names set in derby.user. as regular SQL identifiers when not quoted.

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.2.1, 10.1.3.1, 10.2.1.6, 10.2.2.0, 10.3.1.4, 10.4.1.3
    • Fix Version/s: None
    • Component/s: JDBC
    • Urgency: Normal
    • Issue & fix info: Repro attached
    • Bug behavior facts: Security

      Description

      The documentation for the property derby.user.userName says "User names are SQL92Identifiers and can be delimited." and has examples with delimited identifiers.

      For a regular (non-quoted) identifier, the user name to password mapping is not normalized so that the user name is upper-case. This causes login failures when a user name is provided that matches the normalized name but does not match the value in the property name.

      derby.user.dan=password

      Logging in with user name dan works, but DAN or Dan will not. Note that with any of these user names provided to JDBC, the SQL CURRENT_USER will return DAN.

      jdbc:derby:db;user=dan // ok
      jdbc:derby:db;user=Dan // not ok
      jdbc:derby:db;user=DAN // not ok

      Note that if the user name is normalized then the scheme would have to deal with this situation:

      derby.user.dan=passwordOne
      derby.user.DAN=passwordTwo

      These two properties refer to the same user, but two passwords are being defined.

      Test case in AuthenticationTest with this bug number.
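
An added example, not part of the original report or of Derby's code: a Python audit of a properties file that flags the derby.user.* entries affected by the behaviour described above. The function names and the sample file are assumptions made for illustration; normalize() follows the SQL identifier rule the report refers to (regular names fold to upper case, delimited names keep their case).

```python
from collections import defaultdict

PREFIX = "derby.user."

def normalize(name):
    """Assumed SQL identifier rule: delimited names keep case, regular names fold to upper case."""
    if len(name) >= 2 and name[0] == '"' and name[-1] == '"':
        return name[1:-1].replace('""', '"')
    return name.upper()

def parse_users(text):
    """Yield (raw_name, password) for each derby.user.<name>=<password> line."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("#", "!")) or not line.startswith(PREFIX):
            continue
        key, sep, value = line.partition("=")
        if sep:
            yield key[len(PREFIX):].strip(), value.strip()

def audit(text):
    """Return (case_sensitive, conflicts).

    case_sensitive: regular names stored in a non-normalized form, so only the
                    exact spelling in the property key can log in.
    conflicts:      normalized names that map to more than one password.
    """
    by_norm = defaultdict(list)
    for raw, password in parse_users(text):
        by_norm[normalize(raw)].append((raw, password))
    case_sensitive = sorted(
        raw for norm, entries in by_norm.items()
        for raw, _ in entries if not raw.startswith('"') and raw != norm)
    conflicts = sorted(
        norm for norm, entries in by_norm.items()
        if len({password for _, password in entries}) > 1)
    return case_sensitive, conflicts

# Constructed sample, modelled on the properties quoted in the report.
SAMPLE = '''\
derby.user.dan=passwordOne
derby.user.DAN=passwordTwo
derby.user.MARY=secret
derby.user."Fred"=other
'''

if __name__ == "__main__":
    case_sensitive, conflicts = audit(SAMPLE)
    print("stored without normalization:", case_sensitive)
    print("same user, different passwords:", conflicts)
```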


          People

          • Assignee: Unassigned
          • Reporter: Daniel John Debrunner