provides support for
user authentication and user authorization. User authentication
determines whether a user is a valid user. It establishes the user's identity.
User authorization determines what operations a user's established
identity can perform. You are strongly urged to implement both authentication
and authorization on any multi-user database used in production.
When user authentication is enabled,
the user that requests a connection must provide a valid name and password,
which verifies against
the repository of users defined for the system. After
authenticates the user
as valid, user
authorization determines what operations the user can perform on the
database to which the user is requesting a connection.
supports three
kinds of authentication schemes:
- LDAP
- In this scheme, the customer points
at an external LDAP
directory service. The customer manages users with the external LDAP service,
and retrieves
credentials from LDAP. See
for more
information.
- NATIVE
- In this scheme, user names and passwords are stored in a
database. See
for details.
- User-defined
- In this scheme, the customer provides all of the logic needed to
authenticate users. See for more
information.
You can define a repository of users for a particular database or for an
entire system, depending on whether you use system-wide or database-wide
properties.
A directory service stores names and attributes of those names. A typical use
for a directory service is to store user names and passwords for a computer
system. uses the Java
Naming and Directory Interface (JNDI) to interact with external directory
services that can provide authentication of users' names and passwords.
When user
authentication is enabled and
uses
an external directory service, the architecture looks something like that
shown in the following figure. The application can be a single-user application
with an embedded engine
or a multi-user application server.
user authentication using an external service
This figure shows how an application passes Derby user authentication through an external directory service before access to a Derby database is allowed.
always runs embedded
in another Java application, whether that application is a single-user application
or a multiple-user application server or connectivity framework.
A database can be accessed by only one JVM at a time, so it is possible
to deploy a system in which the application in which is
embedded, not , handles
the user authentication by connecting to an external directory service. The
application can be a single-user application with an embedded
engine or a multi-user
application server. The following figure shows this kind of deployment.
Application user authentication using an external
service
This figure shows how an external directory service provides application user authentication before access to a Derby database is allowed.