When user authentication is enabled (which it is not by default), the user
requesting a connection must provide a valid name and password, which Derby
verifies against the repository of users defined for the system. After Derby
authenticates the user, it grants the user access to the Derby system
but not necessarily access to the database named in the connection request.
In the Derby system, access to a database is determined by user
authorization.
For user authentication, Derby allows
you to provide a repository of users in a number of different ways. For example,
you can hook Derby up to
an external directory service elsewhere in your enterprise, create your own
directory service, or use Derby's
simple mechanism for creating a built-in repository of users.
Derby's
built-in authentication mechanism is suitable only for development and testing
purposes. It is strongly recommended that production systems rely on an
external directory service such as LDAP or a user-defined class for
authentication. It is also strongly recommended that production systems protect
network connections with SSL/TLS.
You can define a repository of users for a particular database or for an
entire system, depending on whether you use system-wide or database-wide properties.
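
The recommendations above written as a system-wide derby.properties file, as an added example that is not part of the original page: the commented-out fragment is a development-only built-in repository, and the active fragment is the production form that uses LDAP over TLS. The host name, search base, user names and password are constructed placeholders; the property names are Derby's documented ones.

```properties
# --- Development/test only: built-in repository (constructed user/password) ---
# derby.connection.requireAuthentication=true
# derby.authentication.provider=BUILTIN
# derby.user.devuser=constructed-dev-password

# --- Production: external directory service reached over TLS ---
# Authentication is off by default, so it must be switched on explicitly.
derby.connection.requireAuthentication=true
derby.authentication.provider=LDAP
# The ldaps: scheme makes Derby talk to the directory over SSL/TLS.
# ldap.example.com is a placeholder host.
derby.authentication.server=ldaps://ldap.example.com:636
# Where and how Derby looks up the connecting user (placeholder directory tree).
derby.authentication.ldap.searchBase=ou=people,dc=example,dc=com
derby.authentication.ldap.searchFilter=(&(objectClass=inetOrgPerson)(uid=%USERNAME%))

# Authentication only admits the user to the Derby system. Access to a
# database is authorization: deny by default, then list who may connect.
derby.database.defaultConnectionMode=noAccess
# appowner is a placeholder user name.
derby.database.fullAccessUsers=appowner
```

The same properties can be set database-wide instead of system-wide, so that one database's user repository and access list differ from the system default.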
When Derby user authentication
is enabled and Derby uses
an external directory service, the architecture looks something like that
shown in the following figure. The application can be a single-user application with
an embedded Derby engine
or a multi-user application server.
Figure: Derby user authentication using an external service.
This figure shows how an application passes Derby user authentication through an external directory service before access to a Derby database is allowed.
Derby always runs embedded
in another Java application, whether that application is a single-user application
or a multiple-user application server or connectivity framework.
A database can be accessed by only one JVM at a time, so it is possible
to deploy a system in which the application in which Derby is
embedded, not Derby, handles
the user authentication by connecting to an external directory service. The
application can be a single-user application with an embedded Derby
engine or a multi-user
application server. The following figure shows this kind of deployment.
Figure: Application user authentication using an external service.
This figure shows how an external directory service provides application user authentication before access to a Derby database is allowed.