From 3b82686e32a8d4fa2027350279104f9b243b35d6 Mon Sep 17 00:00:00 2001
From: Knut Anders Hatlen
Date: Thu, 25 Mar 2010 12:26:42 +0000
Subject: [PATCH] DERBY-4483: Provide a way to change the hash algorithm used by BUILTIN authentication
Added more information to error message for authentication failure with strong password substitution to indicate that it might have been caused by the use of a custom hash algorithm.
git-svn-id: https://svn.apache.org/repos/asf/db/derby/code/trunk@927367 13f79535-47bb-0310-9956-ffa450edef68
---
 .../BasicAuthenticationServiceImpl.java | 25 +++++++++++--------
 java/engine/org/apache/derby/loc/messages.xml | 5 ++++
 .../shared/common/reference/SQLState.java | 1 +
 .../tests/lang/ErrorCodeTest.java | 8 +-----
 4 files changed, 22 insertions(+), 17 deletions(-)
diff --git a/java/engine/org/apache/derby/impl/jdbc/authentication/BasicAuthenticationServiceImpl.java b/java/engine/org/apache/derby/impl/jdbc/authentication/BasicAuthenticationServiceImpl.java
index 7994192a3a..0f1fce2f5d 100644
--- a/java/engine/org/apache/derby/impl/jdbc/authentication/BasicAuthenticationServiceImpl.java
+++ b/java/engine/org/apache/derby/impl/jdbc/authentication/BasicAuthenticationServiceImpl.java
@@ -22,6 +22,7 @@ Licensed to the Apache Software Foundation (ASF) under one or more
 package org.apache.derby.impl.jdbc.authentication;
 import org.apache.derby.iapi.reference.Attribute;
+import org.apache.derby.iapi.reference.SQLState;
 import org.apache.derby.authentication.UserAuthenticator;
 import org.apache.derby.iapi.services.property.PropertyUtil;
 import org.apache.derby.iapi.services.monitor.Monitor;
@@ -233,20 +234,24 @@ public boolean authenticateUser(String userName,
 }
 }
- if (definedUserPassword == null)
- // no such user found
- return false;
-
- // check if the passwords match
- if (!definedUserPassword.equals(passedUserPassword))
- return false;
-
+ // Check if the passwords match.
 // NOTE: We do not look at the passed-in database name value as
 // we rely on the authorization service that was put in
 // in 2.0 . (if a database name was passed-in)
+ boolean passwordsMatch =
+ (definedUserPassword != null) &&
+ definedUserPassword.equals(passedUserPassword);
+
+ // Provide extra information on mismatch if strong password
+ // substitution is used, since the problem may be that the stored
+ // password was stored using the configurable hash authentication
+ // scheme which is incompatible with strong password substitution.
+ if (!passwordsMatch && secMec == SECMEC_USRSSBPWD) {
+ throw Util.generateCsSQLException(
+ SQLState.NET_CONNECT_SECMEC_INCOMPATIBLE_SCHEME);
+ }
- // We do have a valid user
- return true;
+ return passwordsMatch;
 }
 /**
diff --git a/java/engine/org/apache/derby/loc/messages.xml b/java/engine/org/apache/derby/loc/messages.xml
index 2021134a15..9cea1f9050 100644
--- a/java/engine/org/apache/derby/loc/messages.xml
+++ b/java/engine/org/apache/derby/loc/messages.xml
@@ -415,6 +415,11 @@ Guide.
 exceptionMsg
+
+ 08004.C.12
+ Connection authentication failure occurred. Either the supplied credentials were invalid, or the database uses a password encryption scheme not compatible with the strong password substitution security mechanism. If this error started after upgrade, refer to the release note for DERBY-4483 for options.
+
+
 08006.C
 A network protocol error was encountered and the connection has been terminated: {0}
diff --git a/java/shared/org/apache/derby/shared/common/reference/SQLState.java b/java/shared/org/apache/derby/shared/common/reference/SQLState.java
index 443175a007..851a53985d 
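Review bot: The match on the new `definedUserPassword.equals(passedUserPassword)` line is a plain String.equals, which returns at the first differing character, so the time the check takes grows with the length of the matching prefix; a credential comparison is the place to make that constant-time, even though both operands here appear to be hashed values rather than cleartext. A small local helper that XORs the lengths and every character before deciding (sketched below) does this without relying on the JDK's own digest comparison being constant-time on the older platforms this code seems to target. Separately, the `SECMEC_USRSSBPWD` branch now turns an authentication failure into a thrown exception where the method previously returned false, and it does so for both the unknown-user and wrong-password cases under one SQLState, which is the right shape for not revealing whether the user exists; any caller that relied on a false return for this mechanism is outside this hunk and should be checked. authenticateUser begins above this hunk, so where `secMec`, `definedUserPassword` and `passedUserPassword` are set is not visible here.
```java
        // Constant-time match: an early-exit compare would let the elapsed
        // time depend on how much of the stored value the caller guessed.
        boolean passwordsMatch =
            constantTimeEquals(definedUserPassword, passedUserPassword);
        // … unchanged: SECMEC_USRSSBPWD exception and return passwordsMatch …
    }

    /**
     * Compares two credential strings without stopping at the first
     * mismatch, so the time taken does not depend on the matching prefix.
     * A null on either side never matches.
     */
    private static boolean constantTimeEquals(String expected, String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        int diff = expected.length() ^ actual.length();
        int len = Math.min(expected.length(), actual.length());
        for (int i = 0; i < len; i++) {
            diff |= expected.charAt(i) ^ actual.charAt(i);
        }
        return diff == 0;
    }
```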
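Review bot: The new 08004.C.12 text says "password encryption scheme", but what this commit's subject describes as configurable is the hash algorithm for BUILTIN passwords, and a stored digest is not something that can be decrypted; `password hashing scheme` would describe the condition accurately and match the commit's own terminology. The same string is pinned verbatim in the ErrorCodeTest hunk of this commit, so the two would have to change together. Keeping the wording deliberately ambiguous between bad credentials and an incompatible scheme is the right call, since it gives a remote caller nothing to distinguish the two cases.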
--- a/java/shared/org/apache/derby/shared/common/reference/SQLState.java
+++ b/java/shared/org/apache/derby/shared/common/reference/SQLState.java
@@ -1655,6 +1655,7 @@ public interface SQLState {
 String AUTH_DATABASE_CREATE_EXCEPTION = "08004.C.10"; //DERBY-2109: new state/msg
 String AUTH_DATABASE_CREATE_MISSING_PERMISSION = "08004.C.11";
+ String NET_CONNECT_SECMEC_INCOMPATIBLE_SCHEME = "08004.C.12";
 // There can be multiple causes for 08003, which according
 // to SQL2003 spec means "connection does not exist"
diff --git a/java/testing/org/apache/derbyTesting/functionTests/tests/lang/ErrorCodeTest.java b/java/testing/org/apache/derbyTesting/functionTests/tests/lang/ErrorCodeTest.java
index 899584bcd0..e1695c1677 100644
--- a/java/testing/org/apache/derbyTesting/functionTests/tests/lang/ErrorCodeTest.java
+++ b/java/testing/org/apache/derbyTesting/functionTests/tests/lang/ErrorCodeTest.java
@@ -26,16 +26,9 @@ import org.apache.derbyTesting.junit.BaseJDBCTestCase;
 import org.apache.derbyTesting.junit.TestConfiguration;
-import org.apache.derbyTesting.junit.Utilities;
-import java.sql.Connection;
 import java.sql.ResultSet;
-import java.sql.ResultSetMetaData;
-import java.sql.PreparedStatement;
 import java.sql.Statement;
-import java.sql.CallableStatement;
-import java.sql.SQLWarning;
-import java.sql.SQLException;
 import org.apache.derbyTesting.junit.JDBC;
 public final class ErrorCodeTest extends BaseJDBCTestCase {
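Review bot: The new constant `NET_CONNECT_SECMEC_INCOMPATIBLE_SCHEME` sits among the `AUTH_*` states and, per the other hunk in this commit, is thrown from the engine-side BasicAuthenticationServiceImpl rather than from the network layer, so the `NET_CONNECT_` prefix points a reader at the wrong place if that prefix is reserved for client/network states elsewhere in this file (not visible here). The neighbouring `//DERBY-2109: new state/msg` shows the file's habit of tagging new states with their issue; a line such as `//DERBY-4483: raised on authentication failure under USRSSBPWD, where a non-default builtin hash may be the cause` above the new constant would make the origin findable. Renaming is optional since clients only ever see the SQLState value, but the trace comment is cheap.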
@@ -127,6 +120,7 @@ public void test_errorcode() throws Exception
 {"08004","Missing permission for user '{0}' to shutdown system [{1}].","40000"},
 {"08004","Cannot check system permission to create database '{0}' [{1}].","40000"},
 {"08004","Missing permission for user '{0}' to create database '{1}' [{2}].","40000"},
+ {"08004","Connection authentication failure occurred. Either the supplied credentials were invalid, or the database uses a password encryption scheme not compatible with the strong password substitution security mechanism. If this error started after upgrade, refer to the release note for DERBY-4483 for options.","40000"},
 {"08006","An error occurred during connect reset and the connection has been terminated. See chained exceptions for details.","40000"},
 {"08006","SocketException: '{0}'","40000"},
 {"08006","A communications error has been detected: {0}.","40000"},
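Review bot: The added row only verifies that 08004.C.12 exists in the message catalog; nothing in this commit drives the code path that raises it, namely an authentication failure in BasicAuthenticationServiceImpl while `secMec == SECMEC_USRSSBPWD`. A test that connects with the strong password substitution mechanism using a wrong password and asserts SQLState 08004 with this message — and a second connect with an unknown user asserting the same outcome — would pin both the new exception and the property that the two failures are indistinguishable to the client; it presumably belongs in a network-client test rather than this lang test. The new row's placement after the `08004.C.11` entry looks consistent with the catalog order, but test_errorcode starts above this hunk so I cannot see how the table is compared.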