JDBC-537 Remove Legacy_Auth from default list of authentication plugins

FirebirdSQL · Jul 22, 2018 · 4bc439d · 4bc439d
1 parent 96190e1
commit 4bc439d
Show file tree

Hide file tree

Showing 4 changed files with 89 additions and 15 deletions.
diff --git a/src/documentation/release_notes.md b/src/documentation/release_notes.md
@@ -407,16 +407,14 @@ applies the SHA-NNN hash. See also [CORE-5788](http://tracker.firebirdsql.org/br
 
 Be aware, support for these plugins depends on support of these hash algorithms 
 in the JVM. For example, SHA-224 is not supported in Oracle Java 7 by default 
-and maybe require additional JCE libraries.
+and may require additional JCE libraries.
 
 ### Default authentication plugins ###
 
-_TODO_: Remove Legacy_Auth from default?
-
-The default plugins applied by Jaybird are now - in order - `Srp256`, `Srp` and 
-`Legacy_Auth`. This applies only for the pure Java protocol. The native 
-implementation will use its own default or the value configured through its 
-`firebird.conf`. 
+The default plugins applied by Jaybird are now - in order - `Srp256`, `Srp`. 
+This applies only for the pure Java protocol and only when connecting to 
+Firebird 3 or higher. The native implementation will use its own default or the 
+value configured through its `firebird.conf`. 
 
 When connecting to Firebird 3 versions earlier than 3.0.4, or if `Srp256` has 
 been removed from the `AuthServer` setting in Firebird, this might result in 
@@ -426,6 +424,12 @@ the attempt to use `Srp256` fails, authentication continues with `Srp`.
 To avoid this, consider explicitly configuring the authentication plugins to 
 use, see [Configure authentication plugins] for details.
 
+When connecting to Firebird 3 or higher, the pure Java protocol in Jaybird will 
+no longer try the `Legacy_Auth` plugin by default as it is an unsafe 
+authentication mechanism. We strongly suggest to use SRP users only, but if you 
+really need to use legacy authentication, you can specify connection property 
+`authPlugins=Legacy_Auth`, see [Configure authentication plugins] for details.
+
 Firebird 2.5 and earlier are not affected and will always use legacy 
 authentication.
 
@@ -458,9 +462,13 @@ version 2.5 or earlier.
 
 Examples:
 
--   JDBC URL to connect using `Srp256`-only:
+-   JDBC URL to connect using `Srp256` only:
 
         jdbc:firebirdsql://localhost/employee?authPlugins=Srp256
+        
+-   JDBC URL to connect using `Legacy_Auth` only (this is unsafe!)
+
+        jdbc:firebirdsql://localhost/employee?authPlugins=Legacy_Auth
 
 -   JDBC URL to try `Legacy_Auth` before `Srp512` (this order is unsafe!)
 
@@ -557,7 +565,7 @@ applied:
 
 -   Zero values can have a non-zero exponent, and if the exponent is out of 
 range, the exponent value is 'clamped' to the minimum or maximum exponent
-supported. This behavior is subject to change, and future release may
+supported. This behavior is subject to change, and future releases may
 'round' to exact `0` (or `0E0`)
 
 -   Values with a precision larger than the target precision are rounded to the 
@@ -921,6 +929,14 @@ expect the driver to remain functional, but chances are certain metadata (eg
 In general we will no longer fix issues that only occur with Firebird 2.1 or
 earlier.
 
+Removed Legacy_Auth from default authentication plugins
+-------------------------------------------------------
+
+The pure Java protocol in Jaybird will - by default - no longer try the 
+`Legacy_Auth` plugin when connecting to Jaybird 3 or higher.
+
+See [Default authentication plugins] for more information.
+
 RDB$DB_KEY columns no longer of Types.BINARY
 --------------------------------------------
 
@@ -931,8 +947,8 @@ the exception of `getObject`, which will return a `java.sql.RowId` instead.
 
 Unfortunately this does not apply to parameters, see also [JDBC RowId support].
 
-Due to the method of identification, real columns of type `char character set 
-octets` with the name `DB_KEY` will also be identified as a `ROWID` column.
+Due to the method of identification, real columns of type `char character set octets` 
+with the name `DB_KEY` will also be identified as a `ROWID` column.
 
 Removal of character mapping
 ----------------------------

diff --git a/src/main/org/firebirdsql/gds/ng/wire/auth/ClientAuthBlock.java b/src/main/org/firebirdsql/gds/ng/wire/auth/ClientAuthBlock.java
@@ -52,7 +52,7 @@ public final class ClientAuthBlock {
     private static final Logger log = LoggerFactory.getLogger(ClientAuthBlock.class);
 
     private static final Pattern AUTH_PLUGIN_LIST_SPLIT = Pattern.compile("[ \t,;]+");
-    private static final String DEFAULT_AUTH_PLUGINS = "Srp256,Srp,Legacy_Auth";
+    private static final String DEFAULT_AUTH_PLUGINS = "Srp256,Srp";
     private static final Map<String, AuthenticationPluginSpi> PLUGIN_MAPPING = getAvailableAuthenticationPlugins();
 
     private final IAttachProperties<?> attachProperties;

diff --git a/src/test/org/firebirdsql/gds/ng/wire/version13/TestV13Authentication.java b/src/test/org/firebirdsql/gds/ng/wire/version13/TestV13Authentication.java
@@ -78,6 +78,7 @@ public void authenticateDatabaseUsingLegacyAuth() throws Exception {
         Properties connectionProperties = getDefaultPropertiesForConnection();
         connectionProperties.setProperty("user", username);
         connectionProperties.setProperty("password", password);
+        connectionProperties.setProperty("authPlugins", "Legacy_Auth");
         try (Connection connection = DriverManager.getConnection(getUrl(), connectionProperties);
              Statement statement = connection.createStatement();
              ResultSet resultSet = statement.executeQuery(
@@ -104,6 +105,7 @@ public void authenticateServiceUsingLegacyAuth() throws Exception {
         fbServiceManager.setPort(FBTestProperties.DB_SERVER_PORT);
         fbServiceManager.setUser(username);
         fbServiceManager.setPassword(password);
+        fbServiceManager.setAuthPlugins("Legacy_Auth");
 
         final GDSServerVersion serverVersion = fbServiceManager.getServerVersion();
 

diff --git a/src/test/org/firebirdsql/jdbc/FBConnectionTest.java b/src/test/org/firebirdsql/jdbc/FBConnectionTest.java
@@ -45,6 +45,7 @@
 
 import static org.firebirdsql.common.DdlHelper.executeCreateTable;
 import static org.firebirdsql.common.FBTestProperties.*;
+import static org.firebirdsql.common.matchers.GdsTypeMatchers.isPureJavaType;
 import static org.firebirdsql.common.matchers.SQLExceptionMatchers.errorCodeEquals;
 import static org.firebirdsql.common.matchers.SQLExceptionMatchers.fbMessageStartsWith;
 import static org.firebirdsql.util.FirebirdSupportInfo.supportInfoFor;
@@ -640,6 +641,7 @@ public void legacyAuthUserWithWireCrypt_ENABLED_canCreateConnection() throws Exc
         props.setProperty("user", user);
         props.setProperty("password", password);
         props.setProperty("wireCrypt", "ENABLED");
+        props.setProperty("authPlugins", "Legacy_Auth");
 
         try (Connection connection = DriverManager.getConnection(getUrl(), props)) {
             assertTrue(connection.isValid(0));
@@ -651,7 +653,7 @@ public void legacyAuthUserWithWireCrypt_ENABLED_canCreateConnection() throws Exc
     }
 
     @Test
-    public void legacyAuthUserWithWireCrypt_REQUIRED_hasConnectionRejected() throws Exception {
+    public void legacyAuthUserWithWireCrypt_REQUIRED_hasConnectionRejected_tryLegacy_AuthOnly() throws Exception {
         assumeTrue("Test for Firebird versions with wire encryption support",
                 getDefaultSupportInfo().supportsWireEncryption());
         final String user = "legacy_auth";
@@ -661,11 +663,39 @@ public void legacyAuthUserWithWireCrypt_REQUIRED_hasConnectionRejected() throws
         props.setProperty("user", user);
         props.setProperty("password", password);
         props.setProperty("wireCrypt", "REQUIRED");
+        // Using only Legacy_Auth produces different error than trying Srp and then Legacy_Auth
+        props.setProperty("authPlugins", "Legacy_Auth");
+
+        expectedException.expect(FBSQLEncryptException.class);
+        expectedException.expect(errorCodeEquals(ISCConstants.isc_miss_wirecrypt));
+
+        //noinspection EmptyTryBlock
+        try (Connection connection = DriverManager.getConnection(getUrl(), props)) {
+            // Using try-with-resources just in case connection is created
+        }
+    }
+
+    @Test
+    public void legacyAuthUserWithWireCrypt_REQUIRED_hasConnectionRejected_trySrpFirst() throws Exception {
+        assumeTrue("Test for Firebird versions with wire encryption support",
+                getDefaultSupportInfo().supportsWireEncryption());
+        final String user = "legacy_auth";
+        final String password = "leg_auth";
+        databaseUserRule.createUser(user, password, "Legacy_UserManager");
+        Properties props = getDefaultPropertiesForConnection();
+        props.setProperty("user", user);
+        props.setProperty("password", password);
+        props.setProperty("wireCrypt", "REQUIRED");
+        // Using only Legacy_Auth produces different error than trying Srp and then Legacy_Auth
+        props.setProperty("authPlugins", "Srp,Legacy_Auth");
 
         expectedException.expect(FBSQLEncryptException.class);
         expectedException.expect(errorCodeEquals(ISCConstants.isc_wirecrypt_incompatible));
 
-        DriverManager.getConnection(getUrl(), props);
+        //noinspection EmptyTryBlock
+        try (Connection connection = DriverManager.getConnection(getUrl(), props)) {
+            // Using try-with-resources just in case connection is created
+        }
     }
 
     @Test
@@ -678,7 +708,10 @@ public void invalidValueForWireCrypt() throws Exception {
                 errorCodeEquals(JaybirdErrorCodes.jb_invalidConnectionPropertyValue),
                 fbMessageStartsWith(JaybirdErrorCodes.jb_invalidConnectionPropertyValue, "NOT_A_VALID_VALUE", "wireCrypt")));
 
-        DriverManager.getConnection(getUrl(), props);
+        //noinspection EmptyTryBlock
+        try (Connection connection = DriverManager.getConnection(getUrl(), props)) {
+            // Using try-with-resources just in case connection is created
+        }
     }
 
     @Test
@@ -709,4 +742,27 @@ public void connectingWithUnknownJavaCharacterSetName() throws Exception {
             // Using try-with-resources just in case connection is created
         }
     }
+
+    @Test
+    public void legacyAuthUserCannotConnectByDefault() throws Exception {
+        assumeThat("Test assumes pure Java implementation (native uses fbclient defaults)",
+                FBTestProperties.GDS_TYPE, isPureJavaType());
+        assumeTrue("Test for Firebird versions with v13 or higher protocol",
+                getDefaultSupportInfo().supportsProtocol(13));
+        final String user = "legacy_auth";
+        final String password = "leg_auth";
+        databaseUserRule.createUser(user, password, "Legacy_UserManager");
+        Properties props = getDefaultPropertiesForConnection();
+        props.setProperty("user", user);
+        props.setProperty("password", password);
+
+        // We don't try Legacy_Auth by default
+        expectedException.expect(SQLInvalidAuthorizationSpecException.class);
+        expectedException.expect(errorCodeEquals(ISCConstants.isc_login));
+
+        //noinspection EmptyTryBlock
+        try (Connection connection = DriverManager.getConnection(getUrl(), props)) {
+            // Using try-with-resources just in case connection is created
+        }
+    }
 }