When NATIVE authentication is enabled, Derby behaves as if the derby.connection.requireAuthentication and derby.database.sqlAuthorization properties are also set.
That is, a user name and password must be specified whenever a user connects to a database, and object owners control access to database objects. See Configuring fine-grained user authorization for more information, and see NATIVE authentication and SQL authorization example for an example of the use of NATIVE authentication.
For maximum security, the passwords that users specify when they connect to databases have an expiration date that you can modify by using the property derby.authentication.native.passwordLifetimeMillis. The password of the Database Owner never expires. By default, ordinary user passwords expire after 31 days.
If a password is about to expire, or if the Database Owner's password is near what would be the expiration date, Derby issues a warning that the password will soon expire (or, in the Database Owner's case, that the password is stale). By default, the warning is issued if the password is due to expire in one-eighth of the password's lifetime. For example, if the password has a 31-day lifetime, the warning will be issued 3.875 days before the expiration date. You can change this proportion by using the property derby.authentication.native.passwordLifetimeThreshold.
Use the derby.authentication.builtin.algorithm property to change the way passwords are encrypted when they are stored in the SYSUSERS system table. The default algorithm is SHA-256. Two related properties are derby.authentication.builtin.saltLength and derby.authentication.builtin.iterations, which can be used to make the hashed passwords harder for attackers to crack.
See the Derby Reference Manual for details on these properties.