DERBY-4483: Provide a way to change the hash algorithm used by BUILTI…

…N authentication Added more information to error message for authentication failure with strong password substitution to indicate that it might have been caused by the use of a custom hash algorithm. git-svn-id: https://svn.apache.org/repos/asf/db/derby/code/trunk@927367 13f79535-47bb-0310-9956-ffa450edef68
apache · Mar 25, 2010 · 3b82686 · 3b82686
1 parent d1806d0
commit 3b82686
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 17 deletions.
diff --git a/java/engine/org/apache/derby/impl/jdbc/authentication/BasicAuthenticationServiceImpl.java b/java/engine/org/apache/derby/impl/jdbc/authentication/BasicAuthenticationServiceImpl.java
@@ -22,6 +22,7 @@ Licensed to the Apache Software Foundation (ASF) under one or more
 package org.apache.derby.impl.jdbc.authentication;
 
 import org.apache.derby.iapi.reference.Attribute;
+import org.apache.derby.iapi.reference.SQLState;
 import org.apache.derby.authentication.UserAuthenticator;
 import org.apache.derby.iapi.services.property.PropertyUtil;
 import org.apache.derby.iapi.services.monitor.Monitor;
@@ -233,20 +234,24 @@ public boolean	authenticateUser(String userName,
             }
         }
 
-		if (definedUserPassword == null)
-			// no such user found
-			return false;
-
-		// check if the passwords match
-		if (!definedUserPassword.equals(passedUserPassword))
-			return false;
-
+        // Check if the passwords match.
 		// NOTE: We do not look at the passed-in database name value as
 		// we rely on the authorization service that was put in
 		// in 2.0 . (if a database name was passed-in)
+        boolean passwordsMatch =
+                (definedUserPassword != null) &&
+                definedUserPassword.equals(passedUserPassword);
+
+        // Provide extra information on mismatch if strong password
+        // substitution is used, since the problem may be that the stored
+        // password was stored using the configurable hash authentication
+        // scheme which is incompatible with strong password substitution.
+        if (!passwordsMatch && secMec == SECMEC_USRSSBPWD) {
+            throw Util.generateCsSQLException(
+                    SQLState.NET_CONNECT_SECMEC_INCOMPATIBLE_SCHEME);
+        }
 
-		// We do have a valid user
-		return true;
+        return passwordsMatch;
 	}
 
     /**

diff --git a/java/engine/org/apache/derby/loc/messages.xml b/java/engine/org/apache/derby/loc/messages.xml
@@ -415,6 +415,11 @@ Guide.
                 <arg>exceptionMsg</arg>
             </msg>
 
+            <msg>
+                <name>08004.C.12</name>
+                <text>Connection authentication failure occurred. Either the supplied credentials were invalid, or the database uses a password encryption scheme not compatible with the strong password substitution security mechanism. If this error started after upgrade, refer to the release note for DERBY-4483 for options.</text>
+            </msg>
+
             <msg>
                 <name>08006.C</name>
                 <text>A network protocol error was encountered and the connection has been terminated: {0}</text>

diff --git a/java/shared/org/apache/derby/shared/common/reference/SQLState.java b/java/shared/org/apache/derby/shared/common/reference/SQLState.java
@@ -1655,6 +1655,7 @@ public interface SQLState {
     String AUTH_DATABASE_CREATE_EXCEPTION                   = "08004.C.10";
     //DERBY-2109: new state/msg
     String AUTH_DATABASE_CREATE_MISSING_PERMISSION          = "08004.C.11";
+    String NET_CONNECT_SECMEC_INCOMPATIBLE_SCHEME           = "08004.C.12";
 
     // There can be multiple causes for 08003, which according
     // to SQL2003 spec means "connection does not exist"

diff --git a/java/testing/org/apache/derbyTesting/functionTests/tests/lang/ErrorCodeTest.java b/java/testing/org/apache/derbyTesting/functionTests/tests/lang/ErrorCodeTest.java
@@ -26,16 +26,9 @@
 
 import org.apache.derbyTesting.junit.BaseJDBCTestCase;
 import org.apache.derbyTesting.junit.TestConfiguration;
-import org.apache.derbyTesting.junit.Utilities;
 
-import java.sql.Connection;
 import java.sql.ResultSet;
-import java.sql.ResultSetMetaData;
-import java.sql.PreparedStatement;
 import java.sql.Statement;
-import java.sql.CallableStatement;
-import java.sql.SQLWarning;
-import java.sql.SQLException;
 import org.apache.derbyTesting.junit.JDBC;
 
 public final class ErrorCodeTest extends BaseJDBCTestCase {
@@ -127,6 +120,7 @@ public void test_errorcode() throws Exception
         		{"08004","Missing permission for user '{0}' to shutdown system [{1}].","40000"},
         		{"08004","Cannot check system permission to create database '{0}' [{1}].","40000"},
         		{"08004","Missing permission for user '{0}' to create database '{1}' [{2}].","40000"},
+        		{"08004","Connection authentication failure occurred. Either the supplied credentials were invalid, or the database uses a password encryption scheme not compatible with the strong password substitution security mechanism. If this error started after upgrade, refer to the release note for DERBY-4483 for options.","40000"},
         		{"08006","An error occurred during connect reset and the connection has been terminated.  See chained exceptions for details.","40000"},
         		{"08006","SocketException: '{0}'","40000"},
         		{"08006","A communications error has been detected: {0}.","40000"},