Hi Kim. Thanks for picking up this issue.
> Which is the case for this property? I'm guessing it takes effect
> immediately, but I want to make sure.
Yes, the changes take effect immediately.
> I'm not aware of a NONE scheme; for the
> derby.authentication.provider property the possibilities are LDAP,
> BUILTIN, and a Java class name, which I thought also indicated the
> use of an external authentication scheme.
You're right, NONE isn't mentioned in the documentation. There is a
no-op authentication service implementation class called
NoneAuthenticationServiceImpl, and it's sometimes referred to as NONE
in code comments. This is the authentication service that's used when
authentication is disabled. I guess it's clearer if we say
"authentication disabled" instead of "the NONE authentication
> So is it only BUILTIN that you can use strong password substitution
It is possible to use strong password substitution with (old) BUILTIN
and when authentication is turned off. Using password substitution
when authentication is turned off may perhaps not make much sense, but
it is possible (you can specify user name and password when
authentication is disabled, and they will be sent to the server, they
just won't be checked).
Hope this made things clearer.