

use of org.apache.derby.iapi.jdbc.AuthenticationService in project derby by apache.

Class DRDAConnThread, method validateSecMecUSRSSBPWD (network server side: decides whether the USRSSBPWD security mechanism may be offered to a connecting client).

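/**
 *  Validate that SECMEC_USRSSBPWD (Strong Password Substitute) can be used
 *  as the DRDA security mechanism for this connection.
 *
 *  The decision is based on the environment, the application requester's
 *  identity (PRDID, taken from the srvrlslv string the client sends) and
 *  the connection URL.
 *
 *  Security note: srvrlslv is client-supplied. The PRDID / version checks
 *  below are a capability filter that decides whether to OFFER the
 *  mechanism; a peer can satisfy them by sending the right string, so they
 *  are not a trust decision and do not authenticate anything. The actual
 *  credential check happens later, against the authentication service.
 *
 *  IMPORTANT NOTE:
 *  --------------
 *  SECMEC_USRSSBPWD is ONLY supported by the target server if:
 *      - the current authentication provider is Derby BUILTIN or NONE
 *        (database / system level) (Phase I)
 *      - the database-level password was encrypted with the SHA-1 based
 *        authentication scheme (not verified by this method)
 *      - the application requester is 'DNC' (Derby Network Client) at
 *        release level 10.2 or later (Phase I)
 *
 *  Side effects on success: {@code myTargetSeed} receives a freshly
 *  generated seed which is also published to the client through
 *  {@code database.secTokenOut}.
 *
 *  @return security check code - 0 if everything O.K.;
 *          {@code CodePoint.SECCHKCD_NOTSUPPORTED} if the mechanism cannot
 *          be offered to this requester; {@code CodePoint.SECCHKCD_0A} on a
 *          non-retryable local security service error
 *  @throws DRDAProtocolException may be propagated from the helpers invoked
 *          here (e.g. the dummy connection attempt); not raised directly
 */
private int validateSecMecUSRSSBPWD() throws DRDAProtocolException {
    AuthenticationService authenticationService = null;
    org.apache.derby.iapi.db.Database databaseObj = null;
    String srvrlslv = appRequester.srvrlslv;

    // The requester must identify itself with a string long enough to hold
    // a full PRDID (we take PRDID_MAX chars from it below) that contains the
    // Derby client marker; otherwise SECMEC_USRSSBPWD cannot be supported
    // for this connection.
    if ((srvrlslv == null)
            || srvrlslv.isEmpty()
            || (srvrlslv.length() < CodePoint.PRDID_MAX)
            || (srvrlslv.indexOf(DRDAConstants.DERBY_DRDA_CLIENT_ID) == -1)) {
        // Not Supported
        return CodePoint.SECCHKCD_NOTSUPPORTED;
    }

    // The client product version is extracted from the srvrlslv field,
    // which has the format <PRDID>/<ALTERNATE VERSION FORMAT>. A known
    // Derby client typically sends a four part version number such as
    // "DNC10020/10.2.0.3 alpha". If the alternate version format is not
    // specified, clientProductVersion_ is set to the srvrlslv itself, with
    // the product id as final fallback.
    //
    // SECMEC_USRSSBPWD is only supported by the Derby engine and network
    // server starting at version major '10' and minor '02'. The same holds
    // for the Derby client driver, so the DNC client must be at version and
    // release level 10.2 at least. We record the client version in the
    // application requester and ask it whether that minimum is met.
    appRequester.setClientVersion(srvrlslv.substring(0, (int) CodePoint.PRDID_MAX));
    if (!appRequester.supportsSecMecUSRSSBPWD()) {
        // Not Supported
        return CodePoint.SECCHKCD_NOTSUPPORTED;
    }

    String dbName = database.getShortDbName();
    if ((dbName == null) || dbName.isEmpty()) {
        // No database specified in the connection URL attributes.
        //
        // In this case, we get the authentication service handle from the
        // local driver, as the requester may simply be trying to shut down
        // the engine.
        authenticationService = ((InternalDriver) NetworkServerControlImpl.getDriver()).getAuthenticationService();
    } else {
        // Look the database up as a booted service. Only consult
        // findService() when a monitor exists (it appears to be null while
        // no Derby database has been booted yet).
        if (getMonitor() != null) {
            databaseObj = (org.apache.derby.iapi.db.Database) findService(Property.DATABASE_MODULE, dbName);
        }
        if (databaseObj == null) {
            // If the database is not found, try connecting to it so that it
            // gets booted, then look it up again.
            database.makeDummyConnection();
            databaseObj = (org.apache.derby.iapi.db.Database) findService(Property.DATABASE_MODULE, dbName);
        }
        // Fetch the database-level authentication service if we found it.
        try {
            if (databaseObj != null) {
                authenticationService = databaseObj.getAuthenticationService();
            }
        } catch (StandardException se) {
            println2Log(null, session.drdaID, se.getMessage());
            // Local security service non-retryable error.
            return CodePoint.SECCHKCD_0A;
        }
    }

    // Now we check that the authentication provider is NONE or BUILTIN.
    //
    // NOTE(review): when no authentication service could be resolved
    // (authenticationService == null, e.g. the database still was not
    // found after the dummy connection) this provider check is skipped and
    // the mechanism is offered anyway. Presumably the credential check
    // that follows later still runs against whatever service the
    // connection ends up using - confirm before relying on it.
    if (authenticationService != null) {
        String authClassName = authenticationService.getClass().getName();
        if (!authClassName.equals(AUTHENTICATION_PROVIDER_BUILTIN_CLASS)
                && !authClassName.equals(AUTHENTICATION_PROVIDER_NONE_CLASS)) {
            // Not Supported
            return CodePoint.SECCHKCD_NOTSUPPORTED;
        }
    }

    // SECMEC_USRSSBPWD target initialization: generate the server-side
    // seed and hand it to the client as the outgoing security token.
    try {
        myTargetSeed = DecryptionManager.generateSeed();
        database.secTokenOut = myTargetSeed;
    } catch (SQLException se) {
        println2Log(null, session.drdaID, se.getMessage());
        // Local security service non-retryable error.
        return CodePoint.SECCHKCD_0A;
    }

    // SECMEC_USRSSBPWD is supported
    return 0;
}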


use of org.apache.derby.iapi.jdbc.AuthenticationService in project derby by apache.

Class EmbedConnection, method checkUserCredentials (embedded engine side: the actual credential check performed when a connection is opened).

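/**
 * Check the passed-in user's credentials.
 *
 * If a database name was passed in, the user's credentials are checked in
 * that database using the database's authentication service; otherwise the
 * user is checked against the system-level (JBMS) authentication service.
 *
 * Special case: when the database being created IS the NATIVE system-wide
 * credentials database, there is nothing to authenticate against yet, so
 * only non-empty user/password are enforced (preventing the credentials db
 * from being created with a bad DBO or password).
 *
 * SECURITY NOTE(review): authentication is also treated as successful when
 * {@code authenticate()} throws an {@link SQLWarning} - the warning is
 * attached to the connection and {@code authenticationSucceeded} keeps its
 * initial value of {@code true}. This relies on every AuthenticationService
 * implementation raising an SQLWarning only AFTER the credential check has
 * passed (the password-about-to-expire case). An implementation that
 * signalled a failure through an SQLWarning would be let in; keep that
 * contract in mind when touching the authentication services.
 *
 * @param creatingDatabase true if this connection is creating the database
 * @param dbname           database name, or {@code null} for a system-level
 *                         check
 * @param userInfo         connection properties carrying the user name and
 *                         password ({@code Attribute.USERNAME_ATTR} /
 *                         {@code Attribute.PASSWORD_ATTR})
 * @throws SQLException LOGIN_FAILED when no authentication service is
 *         available, AUTH_EMPTY_CREDENTIALS when the credentials db is being
 *         created with an empty user or password, NET_CONNECT_AUTH_FAILED
 *         when the credentials are rejected, the StandardException converted
 *         by {@code Util.generateCsSQLException} when the service cannot be
 *         resolved, or whatever {@code checkUserIsNotARole()} raises
 */
private void checkUserCredentials(boolean creatingDatabase, String dbname, Properties userInfo) throws SQLException {
    if (SanityManager.DEBUG) {
        SanityManager.ASSERT(!isClosed(), "connection is closed");
    }

    // NOTE: We always expect an authentication service per database
    // and one at the system level.
    AuthenticationService authenticationService = null;
    try {
        // Retrieve appropriate authentication service handle
        if (dbname == null) {
            authenticationService = getLocalDriver().getAuthenticationService();
        } else {
            authenticationService = getTR().getDatabase().getAuthenticationService();
        }
    } catch (StandardException se) {
        throw Util.generateCsSQLException(se);
    }

    // A missing service is a hard login failure, never a fall-through to
    // "no authentication": the service is _always_ expected to be present.
    if (authenticationService == null) {
        String failedString = MessageService.getTextMessage((dbname == null) ? MessageId.AUTH_NO_SERVICE_FOR_SYSTEM : MessageId.AUTH_NO_SERVICE_FOR_DB);
        throw newSQLException(SQLState.LOGIN_FAILED, failedString);
    }

    if (creatingDatabase && compareDatabaseNames(getDBName(), authenticationService.getSystemCredentialsDatabaseName())) {
        //
        // NATIVE authentication using a system-wide credentials database
        // which is being created now. Allow this to succeed. However, here we
        // make sure that the credentials are legal. This prevents the
        // credentials db from being created with a bad DBO or password.
        //
        String user = userInfo.getProperty(Attribute.USERNAME_ATTR);
        String password = userInfo.getProperty(Attribute.PASSWORD_ATTR);
        if (emptyCredential(user) || emptyCredential(password)) {
            throw newSQLException(SQLState.AUTH_EMPTY_CREDENTIALS);
        }
        return;
    }

    if (dbname != null) {
        checkUserIsNotARole();
    }

    // Let's authenticate now. The default of true is what makes an
    // SQLWarning thrown by authenticate() count as success - see the
    // SECURITY NOTE in the method comment.
    boolean authenticationSucceeded = true;
    try {
        authenticationSucceeded = authenticationService.authenticate(dbname, userInfo);
    } catch (SQLWarning warnings) {
        //
        // Let the user handle the warning that her password is about to expire.
        //
        addWarning(warnings);
    }

    if (!authenticationSucceeded) {
        throw newSQLException(SQLState.NET_CONNECT_AUTH_FAILED, MessageService.getTextMessage(MessageId.AUTH_INVALID));
    }

    // Remember whether the NONE provider is in use. NoneAuthenticationServiceImpl
    // is referenced directly here since its implementation is always present.
    if (authenticationService instanceof NoneAuthenticationServiceImpl) {
        usingNoneAuth = true;
    }
}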
