Authorization identifiers, user authentication, and user authorization

Authorization identifiers, user authentication, and user authorization When working with both user authentication and user authorization, you need to understand how user names are treated by each system. usersand schemas schemasand users

If you use an external authentication system such as LDAP, the conversion of the user's name to an authorization identifier happens after authentication has occurred but before user authorization has occurred. Imagine, for example, a user named Fred.

Within the user authentication system, Fred is known as FRed. Your external user authorization service is case-sensitive, so Fred must always type his name that way. Connection conn = DriverManager.getConnection( "jdbc:derby:myDB", "FRed", "flintstone");
Within the user authorization system, Fred becomes a case-insensitive authorization identifier. Fred is known as FRED.

Let's take a second example, where Fred has a slightly different name within the user authentication system.

Within the user authentication system, Fred is known as Fred!. You must now put double quotes around the name, because it is not a valid SQL92Identifier. ( knows to remove the double quotes when passing the name to the external authentication system.) Connection conn = DriverManager.getConnection( "jdbc:derby:myDB", "\"Fred!\"", "flintstone");
Within the user authorization system, Fred becomes a case-sensitive authorization identifier. Fred is known as Fred!.

As shown in the first example, your external authentication system may be case-sensitive, whereas the authorization identifier within may not be. If your authentication system allows two distinct users whose names differ by case, delimit all user names within the connection request to make all user names case-sensitive within the system. In addition, you must also delimit user names that do not conform to SQL92Identifier rules with double quotes.