This procedure requires a system with multiple databases and some
administrative resources.
- Configure security features as system-level properties.
- Provide administrative-level protection for the derby.properties file
  and Derby databases. For example, you can protect these files and
  directories with operating system permissions and firewalls.
- Turn on user authentication for your system. All users must provide
  valid user IDs and passwords to access the Derby system. Use NATIVE
  authentication (or, alternatively, LDAP or a user-defined class).
  Important: It is also strongly recommended that production systems
  protect network connections with SSL/TLS.
- Configure fine-grained user authorization (SQL authorization) for
  your databases.
- Configure Java security for your environment.
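
As an added example (not part of the Derby documentation), the following Python check reads a derby.properties file and reports which of the steps above are not reflected in it. The property names are Derby's; the pass/fail rules and the two sample files are constructed for illustration, and Java security configuration is outside what this check covers.

```python
import stat

# Constructed sample files; the property names are real Derby properties.
WEAK = """derby.connection.requireAuthentication=false
derby.authentication.provider=BUILTIN
"""
HARDENED = """derby.connection.requireAuthentication=true
derby.authentication.provider=NATIVE:credentialsDB
derby.database.sqlAuthorization=true
derby.drda.sslMode=peerAuthentication
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(props, file_mode=None):
    """Return findings; the rules are this example's policy, not Derby's."""
    findings = []
    def is_true(name):
        return props.get(name, "").lower() == "true"
    if not is_true("derby.connection.requireAuthentication"):
        findings.append("user authentication is not explicitly required")
    provider = props.get("derby.authentication.provider", "")
    if not provider or provider.upper() == "BUILTIN":
        findings.append("provider is not NATIVE, LDAP or a user-defined class")
    if not is_true("derby.database.sqlAuthorization"):
        findings.append("SQL authorization is not enabled")
    if props.get("derby.drda.sslMode", "off").lower() == "off":
        findings.append("network connections are not protected with SSL/TLS")
    # file_mode is os.stat(path).st_mode of derby.properties, if known.
    if file_mode is not None and file_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("derby.properties is accessible to group or others")
    return findings

if __name__ == "__main__":
    for name, text, mode in (("weak", WEAK, 0o644), ("hardened", HARDENED, 0o600)):
        for finding in audit(parse_properties(text), mode) or ["no findings"]:
            print(f"{name}: {finding}")
```
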
The following figure shows some of the Derby security mechanisms at work
in a client/server environment. User authentication is performed by
accessing an LDAP directory service. The data in the database is not
encrypted in this trusted environment.
Figure 1. Using an LDAP directory service in a trusted environment