Derby and Security
Derby can be
deployed in a number of ways and in a number of different environments. The
security needs of the Derby system
are also diverse.
Derby supplies or supports
the following optional security mechanisms:
- User authentication
user names and passwords before permitting them access to the Derby system.
- User authorization
A means of granting specific users permission
to read a database or to write to a database.
- Disk encryption
A means of encrypting Derby data
stored on disk.
- Validation of Certificate for Signed Jar Files
In a Java 2
environment, Derby validates
certificates for classes loaded from signed jar files.
- Network encryption and authentication
network traffic may be encrypted with SSL/TLS. SSL/TLS certificate
authentication is also supported. See "Network encryption and authentication with SSL/TLS" in the
Derby Server and Administration Guide for
The following figure shows some of the Derby
mechanisms at work in a client/server environment. User authentication is
performed by accessing an LDAP Directory Service. The data in the database
is not encrypted in this trusted environment.
Figure 1. Example
of using an LDAP Directory Service in a trusted environment.
The following figure shows how another Derby
mechanism, disk encryption, protects data when the recipient might not know
how to protect data. It is useful for databases deployed in an embedded environment.
Figure 1. Example of using disk encryption to protect data.
- Configuring security for your environment
In most cases, you enable Derby's security features through the use of properties. It is important to understand the best way of setting properties for your environment.
- Working with user authentication
Derby provides support for user authentication. User authentication means that Derby authenticates the name and password for a user before allowing that user access to the system.
- Users and authorization identifiers
User names within the Derby system are known as authorization identifiers. The authorization identifier is a string that represents the name of the user, if one was provided in the connection request.
- User authorizations
When you specify user authorizations, Derby verifies that a user has been granted permission to access a system, database, object, or SQL action.
- Encrypting databases on disk
Derby provides a way for you to encrypt your data on disk.
- Signed jar files
In a Java 2 environment, Derby can detect digital signatures on jar files. When attempting to load a class from a signed jar file stored in the database, Derby will verify the validity of the signature.
- Notes on the Derby security features
TheDerby security model has some basic limitations.
- User authentication and authorization examples
This section provides examples on using user authentication and authorization in Derby in either a client/server environment or in an embedded environment.
- Running Derby under a security manager
When running within an application or application server with a Java 2 Security Manager enabled, Derby must be granted certain permissions to execute and access database files.