Derby
  1. Derby
  2. DERBY-5647

NATIVE warns about password expiry for DBO

    Details

      Description

      The DBO's password cannot expire. Still, NATIVE warns that the password is about to expire.

      ij> connect 'jdbc:derby:authdb;create=true;user=admin';
      ij> call syscs_util.syscs_set_database_property('derby.authentication.native.passwordLifetimeMillis', '100');
      0 rows inserted/updated/deleted
      ij> call syscs_util.syscs_create_user('ADMIN', '%*$');
      0 rows inserted/updated/deleted
      ij> call syscs_util.syscs_set_database_property('derby.authentication.provider', 'NATIVE::LOCAL');
      0 rows inserted/updated/deleted
      ij> connect 'jdbc:derby:authdb;shutdown=true';
      ERROR 08006: Database 'authdb' shutdown.
      ij> connect 'jdbc:derby:authdb;user=admin;password=%*$';
      WARNING 01J15: Your password will expire in 0 day(s). Please use the SYSCS_UTIL.SYSCS_MODIFY_PASSWORD procedure to change your password.

        Issue Links

          Activity

          Kathey Marsden made changes -
          Labels derby_backport_reject_10_8
          Gavin made changes -
          Workflow jira [ 12657612 ] Default workflow, editable Closed status [ 12797030 ]
          Knut Anders Hatlen made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          Rick Hillegas made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Fix Version/s 10.9.0.0 [ 12316344 ]
          Resolution Fixed [ 1 ]
          Rick Hillegas made changes -
          Assignee Rick Hillegas [ rhillegas ]
          Hide
          Rick Hillegas added a comment -

          Thanks for the quick review, Knut. The extra blank also appears in the pre-existing PASSWORD_EXPIRING message. I'm changing both messages as part of DERBY-5648 and I will remove the blanks then. Thanks.

          Show
          Rick Hillegas added a comment - Thanks for the quick review, Knut. The extra blank also appears in the pre-existing PASSWORD_EXPIRING message. I'm changing both messages as part of DERBY-5648 and I will remove the blanks then. Thanks.
          Hide
          Knut Anders Hatlen added a comment -

          Thanks, Rick. The patch looks good to me. Nit: There are two blanks after SYSCS_UTIL.SYSCS_MODIFY_PASSWORD in the new message.

          Show
          Knut Anders Hatlen added a comment - Thanks, Rick. The patch looks good to me. Nit: There are two blanks after SYSCS_UTIL.SYSCS_MODIFY_PASSWORD in the new message.
          Rick Hillegas made changes -
          Attachment derby-5647-01-aa-staleDBOpassword.diff [ 12518185 ]
          Hide
          Rick Hillegas added a comment -

          Attaching derby-5647-01-aa-staleDBOpassword.diff. This patch adds a new warning message for the expiration of the DBO's password, as Knut and Kristian advised. Committed at subversion revision 1300120.

          I'm not clear on whether we should write password expiration warnings to derby.log. As Kristian notes, this could just turn into spam. In addition, I would feel more comfortable about writing this kind of information to a security audit log rather than to the general diagnostic log (and we don't have a separate security audit log yet).

          Touches the following files:

          M java/engine/org/apache/derby/impl/jdbc/authentication/NativeAuthenticationServiceImpl.java
          M java/engine/org/apache/derby/loc/messages.xml
          M java/shared/org/apache/derby/shared/common/reference/SQLState.java
          M java/testing/org/apache/derbyTesting/functionTests/tests/lang/NativeAuthenticationServiceTest.java

          Show
          Rick Hillegas added a comment - Attaching derby-5647-01-aa-staleDBOpassword.diff. This patch adds a new warning message for the expiration of the DBO's password, as Knut and Kristian advised. Committed at subversion revision 1300120. I'm not clear on whether we should write password expiration warnings to derby.log. As Kristian notes, this could just turn into spam. In addition, I would feel more comfortable about writing this kind of information to a security audit log rather than to the general diagnostic log (and we don't have a separate security audit log yet). Touches the following files: M java/engine/org/apache/derby/impl/jdbc/authentication/NativeAuthenticationServiceImpl.java M java/engine/org/apache/derby/loc/messages.xml M java/shared/org/apache/derby/shared/common/reference/SQLState.java M java/testing/org/apache/derbyTesting/functionTests/tests/lang/NativeAuthenticationServiceTest.java
          Hide
          Kristian Waagan added a comment -

          Hi Rick,

          I find option (3) unacceptable - I'd be very unhappy if I found myself, as the DBO, to be locked out from the database without any way to reset/re-enable my account. A reset mechanism is propably riddled with security issues itself and not suitable in this context.

          Option (1) seems a little awkward for the non-DBO users, since much of the information in the message is irrelevant for them.

          I agree with Knut Anders, and find option (2) the most attractive.
          Have you considered writing a message to derby.log in addition to the SQL warning? This could increase the level of encouragment for changing the password, but we obviously don't want to "spam" the log either.

          Show
          Kristian Waagan added a comment - Hi Rick, I find option (3) unacceptable - I'd be very unhappy if I found myself, as the DBO, to be locked out from the database without any way to reset/re-enable my account. A reset mechanism is propably riddled with security issues itself and not suitable in this context. Option (1) seems a little awkward for the non-DBO users, since much of the information in the message is irrelevant for them. I agree with Knut Anders, and find option (2) the most attractive. Have you considered writing a message to derby.log in addition to the SQL warning? This could increase the level of encouragment for changing the password, but we obviously don't want to "spam" the log either.
          Hide
          Knut Anders Hatlen added a comment -

          I think I'd prefer some form of option (2). Probably no need to have "in X day(s)" in the message, as there is nothing extraordinary that will happen on that exact day. "Your password has become stale. You should update your password soon in order to..."

          Show
          Knut Anders Hatlen added a comment - I think I'd prefer some form of option (2). Probably no need to have "in X day(s)" in the message, as there is nothing extraordinary that will happen on that exact day. "Your password has become stale. You should update your password soon in order to..."
          Rick Hillegas made changes -
          Link This issue relates to DERBY-866 [ DERBY-866 ]
          Hide
          Rick Hillegas added a comment -

          Thanks for buddy-testing NATIVE authentication, Knut.

          This behavior is deliberate although I can see that it is confusing. We want to encourage the DBO to change her password regularly--probably her password is the most important one in the database. However, we don't want to actually lock out the DBO if she goes on vacation and her password expires while she's on the beach. That would orphan the application. I can think of several approaches to this issue:

          1) Change the error message so that it indicates that the DBO's password won't actually expire. Something like:

          Your password will expire in 0 day(s). Please use the SYSCS_UTIL.SYSCS_MODIFY_PASSWORD procedure to change your password. Note that if you are the database owner, your password will still be valid after the expiration date, but you are urged to update your password.

          2) Produce a different error message if the user is the DBO:

          Your password will become stale in 0 day(s). You should update your password soon in order to protect the database. Please use the SYSCS_UTIL.SYSCS_MODIFY_PASSWORD procedure to change your password.

          3) Abandon the goal of preventing the DBO from locking herself out. Let the DBO's password truly expire and therefore let the database become truly unusable.

          What are your thoughts?

          Thanks,
          -Rick

          Show
          Rick Hillegas added a comment - Thanks for buddy-testing NATIVE authentication, Knut. This behavior is deliberate although I can see that it is confusing. We want to encourage the DBO to change her password regularly--probably her password is the most important one in the database. However, we don't want to actually lock out the DBO if she goes on vacation and her password expires while she's on the beach. That would orphan the application. I can think of several approaches to this issue: 1) Change the error message so that it indicates that the DBO's password won't actually expire. Something like: Your password will expire in 0 day(s). Please use the SYSCS_UTIL.SYSCS_MODIFY_PASSWORD procedure to change your password. Note that if you are the database owner, your password will still be valid after the expiration date, but you are urged to update your password. 2) Produce a different error message if the user is the DBO: Your password will become stale in 0 day(s). You should update your password soon in order to protect the database. Please use the SYSCS_UTIL.SYSCS_MODIFY_PASSWORD procedure to change your password. 3) Abandon the goal of preventing the DBO from locking herself out. Let the DBO's password truly expire and therefore let the database become truly unusable. What are your thoughts? Thanks, -Rick
          Knut Anders Hatlen made changes -
          Field Original Value New Value
          Affects Version/s 10.9.0.0 [ 12316344 ]
          Component/s Services [ 11415 ]
          Knut Anders Hatlen created issue -

            People

            • Assignee:
              Rick Hillegas
              Reporter:
              Knut Anders Hatlen
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development