« Return to Thread: extend user authentication for storing user roles
Re: extend user authentication for storing user roles
by Damian Hofmann
::
Rate this Message:
Hi Rick,
That sounds interesting. I'll read more about user-defined authenticators.
Thanks
Damian
Rick Hillegas wrote:
> Hi Damian,
>
> You may be able to get what you want by doing the following:
>
> 1) Create a table which stores credentials and roles, as you've described
>
> 2) Write a user-defined authenticator, which uses that table in order
> to perform database-side authentication
>
> Plugging in a user-defined authenticator should be easy. You need to
> write a class which implements
> org.apache.derby.authentication.UserAuthenticator. This is described
> in the Developer's Guide:
> http://db.apache.org/derby/docs/10.5/devguide/devguide-single.html#cdevcsecure42374
> Just scroll down to the section which shows an "Example of setting a
> user-defined class".
>
> Hope this helps,
> -Rick
>
> Damian Hofmann wrote:
>> Hi
>>
>> I'm new to derby an have a question about extending user authentication.
>>
>> I'm developing a multiuser rich client application that connects
>> directly to a derby server. The clients should authenticate
>> themselves via user name and password. Business logic requires, that
>> each user is given a user role. The user role tells the client, what
>> features the user may use and what features aren't permitted. My
>> current idea is, to create a user table with user name, password-hash
>> and user-role. This should work fine for users, that only use the
>> client application.
>>
>> But I think there is a problem with this. The whole
>> authentication-logic only exists in the clients. The server still
>> isn't protected. Anyone with some knowledge about SQL can connect the
>> database server and do anything, ignoring the user permissions
>> completely. From the developers guide I've learned, that derby offers
>> an authentication mechanism to authenticate users to the database
>> system. This should prevent this scenario.
>>
>> I don't know how to best combine derby's user authentication with my
>> user roles table. Is there a way to extend the user authentication in
>> a way, not only user name and password are stored, but also
>> additional data? Or do you see another (better) way to satisfy both
>> requirements? Do I realy have to manage two sets of user data?
>>
>> Thanks for your advise
>> Damian
>>
>>
>
That sounds interesting. I'll read more about user-defined authenticators.
Thanks
Damian
Rick Hillegas wrote:
> Hi Damian,
>
> You may be able to get what you want by doing the following:
>
> 1) Create a table which stores credentials and roles, as you've described
>
> 2) Write a user-defined authenticator, which uses that table in order
> to perform database-side authentication
>
> Plugging in a user-defined authenticator should be easy. You need to
> write a class which implements
> org.apache.derby.authentication.UserAuthenticator. This is described
> in the Developer's Guide:
> http://db.apache.org/derby/docs/10.5/devguide/devguide-single.html#cdevcsecure42374
> Just scroll down to the section which shows an "Example of setting a
> user-defined class".
>
> Hope this helps,
> -Rick
>
> Damian Hofmann wrote:
>> Hi
>>
>> I'm new to derby an have a question about extending user authentication.
>>
>> I'm developing a multiuser rich client application that connects
>> directly to a derby server. The clients should authenticate
>> themselves via user name and password. Business logic requires, that
>> each user is given a user role. The user role tells the client, what
>> features the user may use and what features aren't permitted. My
>> current idea is, to create a user table with user name, password-hash
>> and user-role. This should work fine for users, that only use the
>> client application.
>>
>> But I think there is a problem with this. The whole
>> authentication-logic only exists in the clients. The server still
>> isn't protected. Anyone with some knowledge about SQL can connect the
>> database server and do anything, ignoring the user permissions
>> completely. From the developers guide I've learned, that derby offers
>> an authentication mechanism to authenticate users to the database
>> system. This should prevent this scenario.
>>
>> I don't know how to best combine derby's user authentication with my
>> user roles table. Is there a way to extend the user authentication in
>> a way, not only user name and password are stored, but also
>> additional data? Or do you see another (better) way to satisfy both
>> requirements? Do I realy have to manage two sets of user data?
>>
>> Thanks for your advise
>> Damian
>>
>>
>
« Return to Thread: extend user authentication for storing user roles
| Free embeddable forum powered by Nabble | Forum Help |
