diff --git a/src/documentation/release_notes.md b/src/documentation/release_notes.md index ea8917218e..c4596629c9 100644 --- a/src/documentation/release_notes.md +++ b/src/documentation/release_notes.md @@ -407,16 +407,14 @@ applies the SHA-NNN hash. See also [CORE-5788](http://tracker.firebirdsql.org/br Be aware, support for these plugins depends on support of these hash algorithms in the JVM. For example, SHA-224 is not supported in Oracle Java 7 by default -and maybe require additional JCE libraries. +and may require additional JCE libraries. ### Default authentication plugins ### -_TODO_: Remove Legacy_Auth from default? - -The default plugins applied by Jaybird are now - in order - `Srp256`, `Srp` and -`Legacy_Auth`. This applies only for the pure Java protocol. The native -implementation will use its own default or the value configured through its -`firebird.conf`. +The default plugins applied by Jaybird are now - in order - `Srp256`, `Srp`. +This applies only for the pure Java protocol and only when connecting to +Firebird 3 or higher. The native implementation will use its own default or the +value configured through its `firebird.conf`. When connecting to Firebird 3 versions earlier than 3.0.4, or if `Srp256` has been removed from the `AuthServer` setting in Firebird, this might result in 
@@ -426,6 +424,12 @@ the attempt to use `Srp256` fails, authentication continues with `Srp`. To avoid this, consider explicitly configuring the authentication plugins to use, see [Configure authentication plugins] for details. +When connecting to Firebird 3 or higher, the pure Java protocol in Jaybird will +no longer try the `Legacy_Auth` plugin by default as it is an unsafe +authentication mechanism. We strongly suggest to use SRP users only, but if you +really need to use legacy authentication, you can specify connection property +`authPlugins=Legacy_Auth`, see [Configure authentication plugins] for details. + Firebird 2.5 and earlier are not affected and will always use legacy authentication. @@ -458,9 +462,13 @@ version 2.5 or earlier. Examples: -- JDBC URL to connect using `Srp256`-only: +- JDBC URL to connect using `Srp256` only: jdbc:firebirdsql://localhost/employee?authPlugins=Srp256 + +- JDBC URL to connect using `Legacy_Auth` only (this is unsafe!) + + jdbc:firebirdsql://localhost/employee?authPlugins=Legacy_Auth - JDBC URL to try `Legacy_Auth` before `Srp512` (this order is unsafe!) @@ -557,7 +565,7 @@ applied: - Zero values can have a non-zero exponent, and if the exponent is out of range, the exponent value is 'clamped' to the minimum or maximum exponent -supported. This behavior is subject to change, and future release may +supported. This behavior is subject to change, and future releases may 'round' to exact `0` (or `0E0`) - Values with a precision larger than the target precision are rounded to the 
@@ -921,6 +929,14 @@ expect the driver to remain functional, but chances are certain metadata (eg
 In general we will no longer fix issues that only occur with Firebird 2.1 or earlier.
+Removed Legacy_Auth from default authentication plugins
+-------------------------------------------------------
+
+The pure Java protocol in Jaybird will - by default - no longer try the
+`Legacy_Auth` plugin when connecting to Jaybird 3 or higher.
+
+See [Default authentication plugins] for more information.
+
 RDB$DB_KEY columns no longer of Types.BINARY
 --------------------------------------------
@@ -931,8 +947,8 @@ the exception of `getObject`, which will return a `java.sql.RowId` instead.
 Unfortunately this does not apply to parameters, see also [JDBC RowId support].
-Due to the method of identification, real columns of type `char character set
-octets` with the name `DB_KEY` will also be identified as a `ROWID` column.
+Due to the method of identification, real columns of type `char character set octets`
+with the name `DB_KEY` will also be identified as a `ROWID` column.
 Removal of character mapping
 ----------------------------
diff --git a/src/main/org/firebirdsql/gds/ng/wire/auth/ClientAuthBlock.java b/src/main/org/firebirdsql/gds/ng/wire/auth/ClientAuthBlock.java
index 514703002d..37cd78d252 100644
--- a/src/main/org/firebirdsql/gds/ng/wire/auth/ClientAuthBlock.java
+++ b/src/main/org/firebirdsql/gds/ng/wire/auth/ClientAuthBlock.java
@@ -52,7 +52,7 @@ public final class ClientAuthBlock {
 private static final Logger log = LoggerFactory.getLogger(ClientAuthBlock.class);
 private static final Pattern AUTH_PLUGIN_LIST_SPLIT = Pattern.compile("[ \t,;]+");
- private static final String DEFAULT_AUTH_PLUGINS = "Srp256,Srp,Legacy_Auth";
+ private static final String DEFAULT_AUTH_PLUGINS = "Srp256,Srp";
 private static final Map PLUGIN_MAPPING = getAvailableAuthenticationPlugins();
 private final IAttachProperties attachProperties;
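Review bot: The new "Removed Legacy_Auth from default authentication plugins" section says the plugin is no longer tried "when connecting to Jaybird 3 or higher", but every other statement in these notes (and the test guard on protocol version) keys this behaviour on the Firebird server, not on the driver version. Change the added line to `` `Legacy_Auth` plugin when connecting to Firebird 3 or higher. `` so a reader upgrading the driver against a Firebird 2.5 server does not expect a change that the notes elsewhere say will not happen.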
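Review bot: The tightened `DEFAULT_AUTH_PLUGINS = "Srp256,Srp"` carries no comment explaining why `Legacy_Auth` was dropped, so the next maintainer who sees a legacy user failing with `isc_login` has nothing in the code to stop them from "fixing" it by adding the plugin back. Add above the constant: `// Legacy_Auth is deliberately not a default: it is an unsafe mechanism (see release notes); users opt in via the authPlugins connection property.` The `Map PLUGIN_MAPPING` context line shows no type arguments, which looks like a rendering artifact of this page rather than a raw type in the file. The class body continues outside the hunk.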
diff --git a/src/test/org/firebirdsql/gds/ng/wire/version13/TestV13Authentication.java b/src/test/org/firebirdsql/gds/ng/wire/version13/TestV13Authentication.java
index 11ff5fb293..b2965b46fd 100644
--- a/src/test/org/firebirdsql/gds/ng/wire/version13/TestV13Authentication.java
+++ b/src/test/org/firebirdsql/gds/ng/wire/version13/TestV13Authentication.java
@@ -78,6 +78,7 @@ public void authenticateDatabaseUsingLegacyAuth() throws Exception {
 Properties connectionProperties = getDefaultPropertiesForConnection();
 connectionProperties.setProperty("user", username);
 connectionProperties.setProperty("password", password);
+ connectionProperties.setProperty("authPlugins", "Legacy_Auth");
 try (Connection connection = DriverManager.getConnection(getUrl(), connectionProperties);
 Statement statement = connection.createStatement();
 ResultSet resultSet = statement.executeQuery(
@@ -104,6 +105,7 @@ public void authenticateServiceUsingLegacyAuth() throws Exception {
 fbServiceManager.setPort(FBTestProperties.DB_SERVER_PORT);
 fbServiceManager.setUser(username);
 fbServiceManager.setPassword(password);
+ fbServiceManager.setAuthPlugins("Legacy_Auth");
 final GDSServerVersion serverVersion = fbServiceManager.getServerVersion();
diff --git a/src/test/org/firebirdsql/jdbc/FBConnectionTest.java b/src/test/org/firebirdsql/jdbc/FBConnectionTest.java
index 1932609337..daf7d424d2 100644
--- a/src/test/org/firebirdsql/jdbc/FBConnectionTest.java
+++ b/src/test/org/firebirdsql/jdbc/FBConnectionTest.java
@@ -45,6 +45,7 @@ import static org.firebirdsql.common.DdlHelper.executeCreateTable;
 import static org.firebirdsql.common.FBTestProperties.*;
+import static org.firebirdsql.common.matchers.GdsTypeMatchers.isPureJavaType;
 import static org.firebirdsql.common.matchers.SQLExceptionMatchers.errorCodeEquals;
 import static org.firebirdsql.common.matchers.SQLExceptionMatchers.fbMessageStartsWith;
 import static org.firebirdsql.util.FirebirdSupportInfo.supportInfoFor;
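Review bot: The added `connectionProperties.setProperty("authPlugins", "Legacy_Auth")` in `authenticateDatabaseUsingLegacyAuth` has no comment saying why the test must now name the plugin, so it reads as an arbitrary setting rather than a direct consequence of `Legacy_Auth` leaving the default plugin list. Add `// Legacy_Auth is no longer tried by default; opt in explicitly for this Legacy_UserManager user` above it, and the same line above `fbServiceManager.setAuthPlugins("Legacy_Auth")` in `authenticateServiceUsingLegacyAuth`. Whether the native implementation honours this property is not visible here; the release notes in this commit say it uses its own defaults, so these tests may pass on native for a different reason. Both methods start and end outside the hunks.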
@@ -640,6 +641,7 @@ public void legacyAuthUserWithWireCrypt_ENABLED_canCreateConnection() throws Exc
 props.setProperty("user", user);
 props.setProperty("password", password);
 props.setProperty("wireCrypt", "ENABLED");
+ props.setProperty("authPlugins", "Legacy_Auth");
 try (Connection connection = DriverManager.getConnection(getUrl(), props)) {
 assertTrue(connection.isValid(0));
@@ -651,7 +653,7 @@ public void legacyAuthUserWithWireCrypt_ENABLED_canCreateConnection() throws Exc
 }
 @Test
- public void legacyAuthUserWithWireCrypt_REQUIRED_hasConnectionRejected() throws Exception {
+ public void legacyAuthUserWithWireCrypt_REQUIRED_hasConnectionRejected_tryLegacy_AuthOnly() throws Exception {
 assumeTrue("Test for Firebird versions with wire encryption support",
 getDefaultSupportInfo().supportsWireEncryption());
 final String user = "legacy_auth";
@@ -661,11 +663,39 @@ public void legacyAuthUserWithWireCrypt_REQUIRED_hasConnectionRejected() throws
 props.setProperty("user", user);
 props.setProperty("password", password);
 props.setProperty("wireCrypt", "REQUIRED");
+ // Using only Legacy_Auth produces different error than trying Srp and then Legacy_Auth
+ props.setProperty("authPlugins", "Legacy_Auth");
+
+ expectedException.expect(FBSQLEncryptException.class);
+ expectedException.expect(errorCodeEquals(ISCConstants.isc_miss_wirecrypt));
+
+ //noinspection EmptyTryBlock
+ try (Connection connection = DriverManager.getConnection(getUrl(), props)) {
+ // Using try-with-resources just in case connection is created
+ }
+ }
+
+ @Test
+ public void legacyAuthUserWithWireCrypt_REQUIRED_hasConnectionRejected_trySrpFirst() throws Exception {
+ assumeTrue("Test for Firebird versions with wire encryption support",
+ getDefaultSupportInfo().supportsWireEncryption());
+ final String user = "legacy_auth";
+ final String password = "leg_auth";
+ databaseUserRule.createUser(user, password, "Legacy_UserManager");
+ Properties props = getDefaultPropertiesForConnection();
+ props.setProperty("user", user);
+ props.setProperty("password", password);
+ props.setProperty("wireCrypt", "REQUIRED");
+ // Using only Legacy_Auth produces different error than trying Srp and then Legacy_Auth
+ props.setProperty("authPlugins", "Srp,Legacy_Auth");
 expectedException.expect(FBSQLEncryptException.class);
 expectedException.expect(errorCodeEquals(ISCConstants.isc_wirecrypt_incompatible));
- DriverManager.getConnection(getUrl(), props);
+ //noinspection EmptyTryBlock
+ try (Connection connection = DriverManager.getConnection(getUrl(), props)) {
+ // Using try-with-resources just in case connection is created
+ }
 }
 @Test
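Review bot: The two `legacyAuthUserWithWireCrypt_REQUIRED_*` tests repeat the same user-creation and property-setup lines and differ only in the `authPlugins` value and the expected error code, so the one fact worth reading (`isc_miss_wirecrypt` when `Legacy_Auth` is tried alone versus `isc_wirecrypt_incompatible` when `Srp` is tried first) is buried in duplicated boilerplate. A private helper that creates the legacy user and returns `wireCrypt=REQUIRED` properties for a given plugin list would leave each test with just its assumption, its expectation and the connect attempt. The explanatory comment is also pasted verbatim into both tests and fits better once, on the helper. The first test's opening lines lie outside the hunk.

```java
    /** Creates the legacy_auth user and returns wireCrypt=REQUIRED properties for the given authPlugins list. */
    private Properties legacyUserPropsRequiringWireCrypt(String authPlugins) throws Exception {
        final String user = "legacy_auth";
        final String password = "leg_auth";
        databaseUserRule.createUser(user, password, "Legacy_UserManager");
        Properties props = getDefaultPropertiesForConnection();
        props.setProperty("user", user);
        props.setProperty("password", password);
        props.setProperty("wireCrypt", "REQUIRED");
        // Using only Legacy_Auth produces a different error than trying Srp and then Legacy_Auth
        props.setProperty("authPlugins", authPlugins);
        return props;
    }

    @Test
    public void legacyAuthUserWithWireCrypt_REQUIRED_hasConnectionRejected_trySrpFirst() throws Exception {
        assumeTrue("Test for Firebird versions with wire encryption support",
                getDefaultSupportInfo().supportsWireEncryption());
        Properties props = legacyUserPropsRequiringWireCrypt("Srp,Legacy_Auth");
        // … unchanged: expectedException setup and connect attempt …
    }
```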
@@ -678,7 +708,10 @@ public void invalidValueForWireCrypt() throws Exception {
 errorCodeEquals(JaybirdErrorCodes.jb_invalidConnectionPropertyValue), fbMessageStartsWith(JaybirdErrorCodes.jb_invalidConnectionPropertyValue, "NOT_A_VALID_VALUE", "wireCrypt")));
- DriverManager.getConnection(getUrl(), props);
+ //noinspection EmptyTryBlock
+ try (Connection connection = DriverManager.getConnection(getUrl(), props)) {
+ // Using try-with-resources just in case connection is created
+ }
 }
 @Test
@@ -709,4 +742,27 @@ public void connectingWithUnknownJavaCharacterSetName() throws Exception {
 // Using try-with-resources just in case connection is created
 }
 }
+
+ @Test
+ public void legacyAuthUserCannotConnectByDefault() throws Exception {
+ assumeThat("Test assumes pure Java implementation (native uses fbclient defaults)",
+ FBTestProperties.GDS_TYPE, isPureJavaType());
+ assumeTrue("Test for Firebird versions with v13 or higher protocol",
+ getDefaultSupportInfo().supportsProtocol(13));
+ final String user = "legacy_auth";
+ final String password = "leg_auth";
+ databaseUserRule.createUser(user, password, "Legacy_UserManager");
+ Properties props = getDefaultPropertiesForConnection();
+ props.setProperty("user", user);
+ props.setProperty("password", password);
+
+ // We don't try Legacy_Auth by default
+ expectedException.expect(SQLInvalidAuthorizationSpecException.class);
+ expectedException.expect(errorCodeEquals(ISCConstants.isc_login));
+
+ //noinspection EmptyTryBlock
+ try (Connection connection = DriverManager.getConnection(getUrl(), props)) {
+ // Using try-with-resources just in case connection is created
+ }
+ }
 }
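Review bot: `legacyAuthUserCannotConnectByDefault` proves only that the login fails with `isc_login`; the same failure would be observed if `databaseUserRule.createUser` had not produced a usable user, so the test does not yet show that the default plugin list is what blocks the connection. Add a positive control before the expectation that connects once with `authPlugins=Legacy_Auth` and asserts the connection is valid, so the rejection that follows is attributable to the default `Srp256,Srp` list rather than to user setup. `assertTrue` is already used in this class, so no new import is needed.

```java
        // Positive control: the user is valid when Legacy_Auth is opted into, so the
        // rejection below is caused by the default plugin list and not by user setup.
        Properties legacyProps = new Properties();
        legacyProps.putAll(props);
        legacyProps.setProperty("authPlugins", "Legacy_Auth");
        try (Connection connection = DriverManager.getConnection(getUrl(), legacyProps)) {
            assertTrue(connection.isValid(0));
        }

        // We don't try Legacy_Auth by default
        // … unchanged: expectedException setup and connect attempt …
```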