Using SSL/TLS is strongly recommended for production
applications. Use the properties only under unusual circumstances.
When you run in
embedded mode or when you use the
Network Server, you can
enable or disable server-side user authentication. (Enabling user authentication
is strongly recommended.) However, when you use the Network Server, the default
security mechanism (CLEAR_TEXT_PASSWORD_SECURITY) requires that
you supply both the user name and password.
In addition to the default user name and password security mechanism,
org.apache.derby.jdbc.ClientDataSource.CLEAR_TEXT_PASSWORD_SECURITY,
the Network Server supports the following security mechanisms:
- UserID: org.apache.derby.jdbc.ClientDataSource.USER_ONLY_SECURITY.
  When you use this mechanism, you specify only the user property. All other
  mechanisms require you to specify both the user name and the password.
- Encrypted UserID and encrypted password:
  org.apache.derby.jdbc.ClientDataSource.ENCRYPTED_USER_AND_PASSWORD_SECURITY.
  When you use this mechanism, both the user ID and the password are encrypted
  before they are sent to the server.
The user name that is specified upon connection is the default schema for the
connection, if a schema with that name exists. See the Derby documentation on
schema and user names for more information.
If you specify any other security mechanism, you will receive an
exception.
To change the default, you can specify another security mechanism either as a
property or on the URL (using the securityMechanism=value
attribute) when you make the connection. The value on the URL is the numeric
value of the corresponding ClientDataSource constant. For details, see
"securityMechanism=value attribute" in the Derby Reference Manual.
Whether the security mechanism you specify for the client actually takes
effect depends upon the setting of the
derby.drda.securityMechanism property for the Network Server.
If the derby.drda.securityMechanism property is set, the
Network Server accepts only connections that use the security mechanism
specified by the property setting. If the
derby.drda.securityMechanism property is not set, clients can
use any valid security mechanism. For details, see
"derby.drda.securityMechanism property" in the Derby Reference Manual.
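The two halves of this interplay, the client choosing a mechanism (as a URL attribute or on a ClientDataSource) and the server pinning one with derby.drda.securityMechanism, are easiest to see in one program. The following Java program is an added example, not code from the Derby documentation: it starts a Network Server in-process with authentication required and the mechanism pinned, then tries each of the three mechanisms named above from the client. The host, port, database name and the app/example-password credentials are placeholders, and derbynet.jar and derbyclient.jar are assumed to be on the classpath. The pin here is CLEAR_TEXT_PASSWORD_SECURITY only because the encrypted mechanism has the JCE requirement described later on this page; in production, SSL/TLS on the Network Server is what protects the credentials on the wire.

```java
import java.io.PrintWriter;
import java.net.InetAddress;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

import org.apache.derby.drda.NetworkServerControl;
import org.apache.derby.jdbc.ClientDataSource;

// Added example, not Derby's own code. Host, port, database and credentials
// are placeholders; derbynet.jar and derbyclient.jar must be on the classpath.
public class SecurityMechanismDemo {

    static final String HOST = "localhost";
    static final int PORT = 1527;
    static final String DB = "secdb";
    static final String USER = "app";                  // assumed BUILTIN user
    static final String PASSWORD = "example-password"; // assumed password

    static String baseUrl() {
        return "jdbc:derby://" + HOST + ":" + PORT + "/" + DB;
    }

    // Server side. All derby.* properties must be in place before the engine
    // boots, which happens when the Network Server starts. The last property is
    // the pin: the server then negotiates only that one security mechanism.
    static NetworkServerControl startServer() throws Exception {
        System.setProperty("derby.connection.requireAuthentication", "true");
        System.setProperty("derby.authentication.provider", "BUILTIN");
        System.setProperty("derby.user." + USER, PASSWORD);
        System.setProperty("derby.drda.securityMechanism", "CLEAR_TEXT_PASSWORD_SECURITY");

        NetworkServerControl server = new NetworkServerControl(InetAddress.getByName(HOST), PORT);
        server.start(new PrintWriter(System.out, true));
        for (int i = 0; i < 50; i++) {   // start() returns before the listener is up
            try { server.ping(); break; } catch (Exception notYet) { Thread.sleep(100); }
        }
        // Create the database once, using the mechanism the server accepts (the default).
        DriverManager.getConnection(baseUrl() + ";create=true;user=" + USER + ";password=" + PASSWORD).close();
        return server;
    }

    // Client side, way 1: the securityMechanism URL attribute takes the numeric
    // value of the ClientDataSource constant (4 = user only, 3 = clear text,
    // 9 = encrypted user and password).
    static boolean connectViaUrl(short mechanism) {
        StringBuilder url = new StringBuilder(baseUrl());
        url.append(";securityMechanism=").append(mechanism).append(";user=").append(USER);
        if (mechanism != ClientDataSource.USER_ONLY_SECURITY) {
            url.append(";password=").append(PASSWORD);
        }
        try (Connection c = DriverManager.getConnection(url.toString())) {
            return c.isValid(5);
        } catch (SQLException e) {
            System.out.println("URL mechanism " + mechanism + " rejected: " + e.getSQLState() + " " + e.getMessage());
            return false;
        }
    }

    // Client side, way 2: the same choice made on a ClientDataSource.
    static boolean connectViaDataSource(short mechanism) {
        ClientDataSource ds = new ClientDataSource();
        ds.setServerName(HOST);
        ds.setPortNumber(PORT);
        ds.setDatabaseName(DB);
        ds.setSecurityMechanism(mechanism);
        ds.setUser(USER);
        if (mechanism != ClientDataSource.USER_ONLY_SECURITY) {
            ds.setPassword(PASSWORD);
        }
        try (Connection c = ds.getConnection()) {
            return c.isValid(5);
        } catch (SQLException e) {
            System.out.println("DataSource mechanism " + mechanism + " rejected: " + e.getSQLState() + " " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        NetworkServerControl server = startServer();
        try {
            short[] mechanisms = {
                ClientDataSource.USER_ONLY_SECURITY,
                ClientDataSource.CLEAR_TEXT_PASSWORD_SECURITY,
                ClientDataSource.ENCRYPTED_USER_AND_PASSWORD_SECURITY };
            for (short m : mechanisms) {
                System.out.println("mechanism " + m + " via URL: " + connectViaUrl(m)
                        + ", via DataSource: " + connectViaDataSource(m));
            }
        } finally {
            server.shutdown();
        }
    }
}
```

With this configuration only mechanism 3 connects: mechanism 4 is refused both because authentication is enabled (there is no password to verify) and because of the pin, and mechanism 9 is refused by the pin alone. Remove the derby.drda.securityMechanism line and the server instead accepts whichever of the two password-carrying mechanisms the client asks for, which is the "clients can use any valid security mechanism" case described above.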
Security mechanism options when user authentication is enabled on the Network Server
When user authentication is enabled in Derby, you can use either of
the following security mechanisms. USER_ONLY_SECURITY is not accepted, because
it carries no password for the server to verify.
- Clear text user name and password security, the default
- Encrypted user name and password security
Security mechanism options when user authentication is disabled on the Network Server
When user authentication is turned off in Derby, you can use any of the
security mechanism options.
You must provide a user and password for all security mechanisms except
USER_ONLY_SECURITY. However, because user authentication is
disabled in the server, the user name and password that you supply do not
have to be among those recognized as valid by Derby: the user name only
selects the default schema, and the password is not checked at all.
Enabling the encrypted user ID and password security mechanism
To use the encrypted user ID and password security mechanism, you need a Java
environment with a JCE (Java Cryptography Extension) provider that supports the
Diffie-Hellman algorithm with a public prime of 256 bits, because that is the
prime size the mechanism's key agreement uses. The JCE provider shipped with the
Java Platform, Standard Edition (Java SE) requires a public prime of 512 bits or
more, so the mechanism fails on a stock Java SE runtime unless a provider that
accepts 256-bit primes is installed. Note also that a 256-bit Diffie-Hellman
group is far below current key-size guidance and does not protect credentials
against a capable attacker; treat this mechanism as a legacy option and rely on
SSL/TLS, as recommended at the start of this topic, to protect the connection.
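The check a practitioner wants before enabling this mechanism is whether the installed Diffie-Hellman provider will actually work with a 256-bit prime. The following Java probe is an added example, not code from the Derby documentation or the Derby project: it asks the default DH KeyPairGenerator to produce a key pair for a prime of a given size and reports whether the provider accepted it. The prime is a freshly generated probable prime used only as a capability probe; it is not the protocol's own parameter set.

```java
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import javax.crypto.spec.DHParameterSpec;

// Added example, not Derby's own code: probe the JCE provider's DH prime-size limit.
public class DhPrimeSizeCheck {

    /** Returns true if the default DH provider generates a key pair for a prime of the given bit length. */
    static boolean providerAcceptsDhPrime(int bits) {
        // Any prime of the right size serves as a probe; the value itself is irrelevant here.
        BigInteger p = BigInteger.probablePrime(bits, new SecureRandom());
        BigInteger g = BigInteger.valueOf(2);
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
            kpg.initialize(new DHParameterSpec(p, g));   // stock Java SE rejects p below 512 bits here
            kpg.generateKeyPair();
            return true;
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            System.out.println(bits + "-bit DH prime rejected: " + e);
            return false;
        }
    }

    public static void main(String[] args) {
        // On an unmodified Java SE runtime the first line reports false and the second true,
        // which is why Derby's encrypted mechanism needs a different JCE provider there.
        System.out.println("256-bit prime (needed by the encrypted mechanism): " + providerAcceptsDhPrime(256));
        System.out.println("512-bit prime (Java SE minimum):                   " + providerAcceptsDhPrime(512));
    }
}
```

Run it on the JVM that will host the Network Server and on the one that runs the client; both sides perform the key agreement, so both providers must accept the 256-bit prime.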
To use the encrypted user id and password security mechanism during
JDBC connection using the network client, specify the
securityMechanism=value connection property.
If an encrypted database is booted in the Network Server, users can
connect to the database without giving the bootPassword. The
first connection to the database must provide the bootPassword, but
all subsequent connections, from any client that passes authentication,
do not need to supply it for as long as the database stays booted. To
remove access to the encrypted database, use the shutdown=true
attribute to shut down the database; the next connection then has to
supply the bootPassword again. See the Derby documentation on shutting
down a database for more information.
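The lifecycle just described, first connection with the boot password, later connections without it, and shutdown=true re-locking the database, is worth seeing end to end. The following Java program is an added example, not code from the Derby documentation: it assumes a Network Server already listening on localhost:1527, and the database name, user, password and boot password are placeholders to replace. Derby reports a successful database shutdown as an SQLException with SQLState 08006, which the shutdown helper treats as success.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;

// Added example, not Derby's own code. Assumes a Network Server on localhost:1527;
// the database name, credentials and boot password are placeholders.
public class BootPasswordLifecycle {

    static final String BASE = "jdbc:derby://localhost:1527/encdb";
    static final String CREDS = ";user=app;password=example-password";  // assumed user
    static final String BOOT = ";bootPassword=ChangeMe-BootKey-2024";    // assumed; at least 8 characters

    /** Returns true if a connection with the given URL attributes succeeds. */
    static boolean canConnect(String attrs) {
        try (Connection c = DriverManager.getConnection(BASE + attrs)) {
            return c.isValid(5);
        } catch (SQLException e) {
            System.out.println("connect with \"" + attrs + "\" failed: " + e.getSQLState() + " " + e.getMessage());
            return false;
        }
    }

    /** Shuts the database down; Derby signals success with an SQLException, SQLState 08006. */
    static boolean shutdownDatabase() {
        try {
            DriverManager.getConnection(BASE + ";shutdown=true" + CREDS);
            return false;   // no exception means no shutdown happened
        } catch (SQLException e) {
            return "08006".equals(e.getSQLState());
        }
    }

    public static void main(String[] args) {
        // 1. Creating the database encrypted also boots it, so the boot password goes here.
        System.out.println("create encrypted:                   " + canConnect(";create=true;dataEncryption=true" + BOOT + CREDS));
        // 2. While the database stays booted in the server, nobody needs the boot password.
        System.out.println("reconnect without bootPassword:     " + canConnect(CREDS));
        // 3. Shutting the database down is what re-locks it.
        System.out.println("shutdown:                           " + shutdownDatabase());
        // 4. Now a connection without the boot password is refused ...
        System.out.println("after shutdown, no bootPassword:    " + canConnect(CREDS));
        // 5. ... and one that supplies it boots the database again.
        System.out.println("after shutdown, with bootPassword:  " + canConnect(BOOT + CREDS));
    }
}
```

Step 2 is the point to keep in mind when designing access control: once the database is booted, encryption at rest no longer separates users, and only server-side authentication does. If the Network Server runs with authentication disabled, any client that can reach the port can read the booted database.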