Controlling database file access

When Derby creates new files, the visibility of the new file (that is, which users can access it) is normally determined by the JVM environment and the file location only (that is, by the umask setting on UNIX and Linux systems and by the default file permissions on Windows NTFS).

On Java SE 7 or later, Derby may further restrict the file permissions to the operating system account that started the Java process (that is, to the minimum access needed for operation). This means that other operating system accounts will have no access to directories or files created by Derby. This behavior can be helpful in enhancing default security for database files.

The exact behavior is determined by two factors: how the Derby engine is started, and the presence or absence and specified value of the property derby.storage.useDefaultFilePermissions.

The two tables that follow show how file access works with Java SE 6 and with Java SE 7 and later JVMs. In both tables,

The following table shows how file access works on Java SE 6 systems.

Table 1. File access on Java SE 6 systems
Property Setting Server Started from Command Line Server Started Programmatically or Embedded
Not applicable Environment Environment

The following table shows how file access works on Java SE 7 and later systems with various settings of the derby.storage.useDefaultFilePermissions property.

Table 2. File access on Java SE 7 and later systems
Property Setting Server Started from Command Line Server Started Programmatically or Embedded
No property specified Restricted Environment
Property set to true Environment Environment
Property set to false Restricted Restricted

For more information, see "derby.storage.useDefaultFilePermissions" in the Derby Reference Manual.

Related concepts
Network Server security
Network encryption and authentication with SSL/TLS
Related tasks
Running the Network Server under the security manager
Running the Network Server with User Authentication
Configuring the Network Server to handle connections
Controlling logging by using the log file
Controlling tracing by using the trace facility