Derby / DERBY-3150

BUILTIN authentication does not treat user names set in derby.user. as regular SQL identifiers when not quoted.

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 10.0.2.0, 10.0.2.1, 10.1.1.0, 10.1.2.1, 10.1.3.1, 10.2.1.6, 10.2.2.0, 10.3.1.4, 10.4.1.3
    • Fix Version/s: None
    • Component/s: JDBC
    • Urgency:
      Normal
    • Issue & fix info:
      Repro attached
    • Bug behavior facts:
      Security

      Description

      The documentation for the property derby.user.userName says "User names are SQL92Identifiers and can be delimited." and has examples with delimited identifiers.

      For a regular identifier (non-quoted) the user name to password mapping is not normalized so that the user name is upper-case. This causes login failures when a user name is provided that matches the normalized name but does not match the value in the property name.

      derby.user.dan=password

      Logging in with user name dan works, but DAN or Dan will not. Note that with any of these user names provided to JDBC, the SQL CURRENT_USER will return DAN.

      jdbc:derby:db;user=dan // ok
      jdbc:derby:db;user=Dan // not ok
      jdbc:derby:db;user=DAN // not ok

      Note that if the user name is normalized then the scheme would have to deal with this situation:

      derby.user.dan=passwordOne
      derby.user.DAN=passwordTwo

      These two properties refer to the same user, but two passwords are being defined.

      Test case in AuthenticationTest with this bug number.
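
A configuration check for the two situations described above, as an added example (not Derby code and not part of the original report). It assumes simple `key=value` lines in a derby.properties-style file; `normalize`, `audit` and the sample entries are constructed for illustration.

```python
PREFIX = "derby.user."

# Constructed sample input; user names and passwords are illustrative only.
SAMPLE = '''
# BUILTIN users
derby.connection.requireAuthentication=true
derby.user.dan=passwordOne
derby.user.DAN=passwordTwo
derby.user."FRed"=java
derby.user.MARY=little7xylamb
'''

def normalize(name):
    """Apply the SQL identifier rule: delimited names keep their case,
    regular (unquoted) names fold to upper case."""
    if len(name) >= 2 and name[0] == '"' and name[-1] == '"':
        return name[1:-1].replace('""', '"')
    return name.upper()

def audit(properties_text):
    """Return (case_sensitive, collisions) for derby.user.* entries.

    case_sensitive: unquoted names that are not already upper case, i.e.
        entries where a login with the normalized name would not match.
    collisions: normalized name -> property spellings, when several
        properties define a password for the same user.
    Passwords are never returned or printed.
    """
    seen = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or not line.startswith(PREFIX):
            continue
        key, sep, _password = line.partition("=")
        if not sep:
            continue
        raw = key[len(PREFIX):].strip()
        seen.setdefault(normalize(raw), []).append(raw)
    case_sensitive = sorted(
        raw for raws in seen.values() for raw in raws
        if not raw.startswith('"') and raw != raw.upper())
    collisions = {n: r for n, r in seen.items() if len(r) > 1}
    return case_sensitive, collisions

if __name__ == "__main__":
    flagged, dupes = audit(SAMPLE)
    print("unquoted, not upper case:", flagged)
    print("same user, multiple passwords:", dupes)
```

Writing regular user names in upper case in the property key, or delimiting them, avoids both findings.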

          People

          • Assignee: Unassigned
          • Reporter: Daniel John Debrunner