Skip to content

Commit

Permalink
DERBY-4483: Provide a way to change the hash algorithm used by BUILTI…
Browse files Browse the repository at this point in the history
…N authentication

Make fresh databases use the new authentication scheme with SHA-256 by default.


git-svn-id: https://svn.apache.org/repos/asf/db/derby/code/trunk@927368 13f79535-47bb-0310-9956-ffa450edef68
  • Loading branch information
kahatlen committed Mar 25, 2010
1 parent 3b82686 commit 8c305e2
Show file tree
Hide file tree
Showing 5 changed files with 52 additions and 3 deletions.
7 changes: 7 additions & 0 deletions java/engine/org/apache/derby/iapi/reference/Property.java
Expand Up @@ -718,6 +718,13 @@ release. New databases and existing databases (in Derby 10.2) still use legacy
public static final String AUTHENTICATION_BUILTIN_ALGORITHM =
"derby.authentication.builtin.algorithm";

/**
* Default value for derby.authentication.builtin.algorithm when creating
* a new database.
*/
public static final String AUTHENTICATION_BUILTIN_ALGORITHM_DEFAULT =
"SHA-256";

/*
** Log
*/
Expand Down
Expand Up @@ -761,6 +761,13 @@ public void boot(boolean create, Properties startParams)
bootingTC.setProperty(Property.SQL_AUTHORIZATION_PROPERTY,"true",true);
usesSqlAuthorization=true;
}

// Set default hash algorithm used to protect passwords stored
// in the database for BUILTIN authentication.
bootingTC.setProperty(
Property.AUTHENTICATION_BUILTIN_ALGORITHM,
Property.AUTHENTICATION_BUILTIN_ALGORITHM_DEFAULT,
false);
} else {
// Get the ids for non-core tables
loadDictionaryTables(bootingTC, ddg, startParams);
Expand Down
Expand Up @@ -1106,7 +1106,9 @@ private void assertDerby1080Fixed(String expectedValue)
*
* We want to test a combination of USRSSBPWD with BUILTIN as password
* substitute is only supported with NONE or BUILTIN Derby authentication
* scheme right now (DERBY-528).
* scheme right now (DERBY-528). Also, it doesn't work if passwords are
* hashed with the configurable hash authentication scheme (DERBY-4483)
* before they are stored in the database, so we'll need to disable that.
*
* @throws Exception if there an unexpected error
*/
Expand All @@ -1122,6 +1124,12 @@ private void assertUSRSSBPWD_with_BUILTIN(String[] expectedValues)
CallableStatement cs = conn.prepareCall(
"CALL SYSCS_UTIL.SYSCS_SET_DATABASE_PROPERTY(?, ?)");

// First, disable the configurable hash authentication scheme so that
// passwords are stored using the old hash algorithm.
cs.setString(1, "derby.authentication.builtin.algorithm");
cs.setString(2, null);
cs.execute();

cs.setString(1, "derby.user.neelima");
cs.setString(2, "lee");
cs.execute();
Expand Down
Expand Up @@ -116,6 +116,9 @@ public static Test baseSuite(String name) {
test = new AuthenticationTest("testSystemShutdown");
setBaseProps(suite, test);

test = new AuthenticationTest("testDefaultHashAlgorithm");
setBaseProps(suite, test);

// The test cases below test the configurable hash authentication
// mechanism added in DERBY-4483. Set the property that specifies the
// hash algorithm to some valid value for these tests. Not all tests
Expand Down Expand Up @@ -1097,6 +1100,15 @@ public void testSystemShutdown() throws SQLException
openDefaultConnection("system", "admin").close(); // just so teardown works.
}

/**
* DERBY-4483: Test that the database by default has the configurable
* hash authentication scheme enabled.
*/
public void testDefaultHashAlgorithm() throws SQLException {
// SHA-256 should be the default hash algorithm now
assertEquals("SHA-256", getDatabaseProperty(BUILTIN_ALGO_PROP));
}

/**
* DERBY-4483: Test that setting the property
* {@code derby.authentication.builtin.algorithm} changes which hash
Expand Down
Expand Up @@ -70,7 +70,10 @@ public class Changes10_6 extends UpgradeChange {

private static final String CREATE_TYPE_DDL = "create type fooType external name 'mypackage.foo' language java\n";
private static final String DROP_TYPE_DDL = "drop type fooType restrict\n";


private static final String HASH_ALGORITHM_PROPERTY =
"derby.authentication.builtin.algorithm";

public Changes10_6(String name) {
super(name);
}
Expand Down Expand Up @@ -320,6 +323,18 @@ private int getMaximumWidth( Object typeDescriptor )
return ((Integer) meth.invoke( typeDescriptor, null )).intValue();
}

/**
* Verify that we don't enable the configurable hash authentication
* scheme when we upgrade a database. See DERBY-4483.
*/
public void testBuiltinAuthenticationHashNotChangedOnUpgrade()
throws SQLException {
// We enable the configurable hash authentication scheme by setting
// a property, so check that it's NULL in all phases to verify that
// it's not enabled on upgrade.
assertNull(getDatabaseProperty(HASH_ALGORITHM_PROPERTY));
}

/**
* Make sure builtin authentication only uses the new configurable hash
* scheme in hard-upgraded databases. See DERBY-4483.
Expand Down Expand Up @@ -418,7 +433,7 @@ private void setPasswords(CallableStatement cs) throws SQLException {
for (int i = 0; i < USERS.length; i++) {
// Use the specified algorithm, if possible. (Will be ignored if
// the data dictionary doesn't support the new scheme.)
cs.setString(1, "derby.authentication.builtin.algorithm");
cs.setString(1, HASH_ALGORITHM_PROPERTY);
cs.setString(2, USERS[i][2]);
cs.execute();
// Set the password.
Expand Down

0 comments on commit 8c305e2

Please sign in to comment.