Cloudscape and Security
User Authentication and Authorization Examples
Client/Server Environment

In this example, Cloudscape is running in a user-designed application server. Cloudscape provides the user authentication, not the application server. The server is running in a secure environment, the application server encrypts the passwords, and a database administrator is available. The administrator configures security using system-level properties in the cloudscape.properties file and has protected this file with operating system tools. Cloudscape connects to an existing LDAP directory service within the enterprise to authenticate users.

The default access mode for all databases is set to fullAccess (the default).

The cloudscape.properties file for the server includes the following entries:

# turn on user authentication
cloudscape.connection.requireAuthentication=true
# set the authentication provider to an external LDAP server
cloudscape.authentication.provider=LDAP
# the host name and port number of the LDAP server
cloudscape.authentication.server=godfrey:389
# the search base for user names
cloudscape.authentication.ldap.searchBase=o=oakland.mycompany.com
# explicitly show the access mode for databases (this is default)
cloudscape.database.defaultAccessMode=fullAccess

With these settings, all users must be authenticated by the LDAP server in order to access any Cloudscape databases.

The database administrator has determined that one database, accountingDB, has additional security needs. Within a connection to that database, the database administrator uses database-wide properties (which override properties set in the cloudscape.properties file) to limit access to this database. Only the users prez, cfo, and numberCruncher have full (read-write) access to this database, and only clerk1 and clerk2 have read-only access to this database. No other users can access the database.
CALL PropertyInfo.setDatabaseProperty(
CALL PropertyInfo.setDatabaseProperty(
CALL PropertyInfo.setDatabaseProperty(

The database administrator then requires all current users to disconnect and re-connect. These property changes do not go into effect for current connections. The database administrator can force current users to reconnect by shutting down the database:
CALL (CLASS java.sql.DriverManager).getConnection(

Single-User, Embedded Environment

In this example, Cloudscape is embedded in a single-user application that is deployed in a number of different and potentially insecure ways. For that reason, the application developer has decided to encrypt the database and to turn on user authentication using Cloudscape's built-in user authentication, which will not require connections to an LDAP server. The end-user must know the bootPassword to boot the database and the user name and password to connect to the database. Even if the database ended up in an e-mail, only the intended recipient would be able to access data in the database.

The application developer has decided not to use any user authorization features, since each database will accept only a single user. In that situation, the default full-access connection mode is acceptable.

When creating the database, the application developer encrypts the database by using the following database connection URL:
jdbc:cloudscape:wombat;create=true;dataEncryption=true;

Before deploying the database, the application developer turns on user authentication, sets the authentication provider to CLOUDSCAPE, creates a single user and password, and disallows system-wide properties to protect the database-wide security property settings:
CALL PropertyInfo.setDatabaseProperty(
CALL PropertyInfo.setDatabaseProperty(
CALL PropertyInfo.setDatabaseProperty(
CALL PropertyInfo.setDatabaseProperty(

When the user connects (and boots) the database, the user has to provide the bootPassword, the user name, and the password. The following example shows how to provide those in a database connection URL, although the application programmer would probably provide GUI windows to allow the end user to type those in:
jdbc:cloudscape:wombat;bootPassword=sxy90W348HHn;

Extended Example

You will find this example in the sample application (see JBMSTours.AdminHelper).

// Excerpt; requires java.sql.Connection, ResultSet, SQLException and Statement.
public static void turnOnBuiltInUsers(Connection conn) throws SQLException {
    System.out.println("Turning on authentication.");
    Statement s = conn.createStatement();
    s.executeUpdate("CALL PropertyInfo.setDatabaseProperty("+
        "'cloudscape.connection.requireAuthentication', 'true')");
    // Confirming requireAuthentication
    ResultSet rs = s.executeQuery(
        "VALUES PropertyInfo.getDatabaseProperty("+
        "'cloudscape.connection.requireAuthentication')");
    rs.next();
    System.out.println(rs.getString(1));
    // Setting authentication scheme to Cloudscape
    s.executeUpdate("CALL PropertyInfo.setDatabaseProperty("+
        "'cloudscape.authentication.provider', 'CLOUDSCAPE')");
    // Creating some sample users
    s.executeUpdate("CALL PropertyInfo.setDatabaseProperty("+
        "'cloudscape.user.sa', 'cloud3x9')");
    s.executeUpdate("CALL PropertyInfo.setDatabaseProperty("+
        "'cloudscape.user.guest', 'java5w6x')");
    s.executeUpdate("CALL PropertyInfo.setDatabaseProperty("+
        "'cloudscape.user.mary', 'little7xylamb')");
    // Setting default connection mode to no access
    // (user authorization)
    s.executeUpdate("CALL PropertyInfo.setDatabaseProperty("+
        "'cloudscape.database.defaultConnectionMode',"+
        " 'noAccess')");
    // Confirming default connection mode
    rs = s.executeQuery("VALUES PropertyInfo.getDatabaseProperty("+
        "'cloudscape.database.defaultConnectionMode')");
    rs.next();
    System.out.println(rs.getString(1));
    // Defining read-write users
    s.executeUpdate("CALL UserUtility.add("+
        "'sa', UserUtility->FULL_ACCESS_PERMISSION)");
    s.executeUpdate("CALL UserUtility.add("+
        "'mary', UserUtility->FULL_ACCESS_PERMISSION)");
    // Defining read-only users
    s.executeUpdate("CALL UserUtility.add('guest', "+
        "UserUtility->READ_ACCESS_PERMISSION)");
    // Confirming full-access users
    rs = s.executeQuery("VALUES PropertyInfo.getDatabaseProperty("+
        "'cloudscape.database.fullAccessUsers')");
    rs.next();
    System.out.println(rs.getString(1));
    // Confirming read-only users
    rs = s.executeQuery("VALUES PropertyInfo.getDatabaseProperty("+
        "'cloudscape.database.readOnlyAccessUsers')");
    rs.next();
    System.out.println(rs.getString(1));
    // We would set the following property to TRUE only
    // when we were ready to deploy.
    s.executeUpdate("CALL PropertyInfo.setDatabaseProperty("+
        "'cloudscape.database.propertiesOnly', 'false')");
    s.close();
}

/**
 * Turn off built-in user authentication and user authorization.
 *
 * @param conn a connection to the database.
 */
public static void turnOffBuiltInUsers(Connection conn) throws SQLException {
    Statement s = conn.createStatement();
    System.out.println("Turning off authentication.");
    s.executeUpdate("CALL PropertyInfo.setDatabaseProperty("+
        "'cloudscape.connection.requireAuthentication',"+
        "'false')");
    s.executeUpdate("CALL PropertyInfo.setDatabaseProperty("+
        "'cloudscape.authentication.provider', null)");
    s.executeUpdate("CALL PropertyInfo.setDatabaseProperty("+
        "'cloudscape.user.sa', null)");
    s.executeUpdate("CALL PropertyInfo.setDatabaseProperty("+
        "'cloudscape.user.guest', null)");
    s.executeUpdate("CALL PropertyInfo.setDatabaseProperty("+
        "'cloudscape.user.mary', null)");
    s.executeUpdate("CALL PropertyInfo.setDatabaseProperty("+
        "'cloudscape.database.defaultConnectionMode',"+
        " 'fullAccess')");
    s.executeUpdate("CALL PropertyInfo.setDatabaseProperty("+
        "'cloudscape.database.fullAccessUsers', null)");
    s.executeUpdate("CALL PropertyInfo.setDatabaseProperty("+
        "'cloudscape.database.readOnlyAccessUsers', null)");
    s.executeUpdate("CALL PropertyInfo.setDatabaseProperty("+
        "'cloudscape.database.propertiesOnly', 'false')");
    // Confirming requireAuthentication
    ResultSet rs = s.executeQuery("VALUES "+

Synchronization Environment

For examples in a synchronization environment, see the Cloudscape Synchronization Guide.
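The access rules from the Client/Server and Extended examples above, modelled as an added example (not Cloudscape's code and not part of the original manual): database-wide properties override cloudscape.properties, the user lists are checked before the default connection mode, and propertiesOnly shuts out system-wide values. The class and method names, the readOnlyAccess label, and the user "intern" are assumptions of this example.

```java
import java.util.Arrays;
import java.util.Properties;

/** Added illustration: a model of the access rules this page describes, not Cloudscape code. */
public class EffectiveAccess {

    // A database-wide value wins; the system-wide value is only a fallback,
    // and is ignored entirely when the database sets propertiesOnly=true.
    static String lookup(String key, Properties db, Properties sys) {
        boolean dbOnly = Boolean.parseBoolean(
                db.getProperty("cloudscape.database.propertiesOnly", "false"));
        String v = db.getProperty(key);
        return (v != null || dbOnly) ? v : sys.getProperty(key);
    }

    // Simplification (assumption): exact, case-sensitive match on a comma-separated list.
    static boolean listed(String user, String commaList) {
        return commaList != null && Arrays.stream(commaList.split(","))
                .map(String::trim).anyMatch(user::equals);
    }

    static String accessFor(String user, Properties db, Properties sys) {
        if (listed(user, lookup("cloudscape.database.fullAccessUsers", db, sys))) return "fullAccess";
        if (listed(user, lookup("cloudscape.database.readOnlyAccessUsers", db, sys))) return "readOnlyAccess";
        String mode = lookup("cloudscape.database.defaultConnectionMode", db, sys);
        return mode != null ? mode : "fullAccess";   // the page states fullAccess is the default
    }

    public static void main(String[] args) {
        Properties sys = new Properties();            // constructed stand-in for cloudscape.properties
        sys.setProperty("cloudscape.connection.requireAuthentication", "true");
        sys.setProperty("cloudscape.database.defaultConnectionMode", "fullAccess");

        Properties accountingDB = new Properties();   // constructed database-wide overrides
        accountingDB.setProperty("cloudscape.database.defaultConnectionMode", "noAccess");
        accountingDB.setProperty("cloudscape.database.fullAccessUsers", "prez,cfo,numberCruncher");
        accountingDB.setProperty("cloudscape.database.readOnlyAccessUsers", "clerk1,clerk2");

        Properties otherDB = new Properties();        // a database with no overrides

        for (String user : new String[] {"prez", "clerk1", "intern"}) {
            System.out.println(user + " -> accountingDB: " + accessFor(user, accountingDB, sys)
                    + ", otherDB: " + accessFor(user, otherDB, sys));
        }
    }
}
```

Any authenticated user who is not listed keeps full access to every database that has no overrides of its own, which is why the administrator tightens accountingDB at the database level.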
Cloudscape Version 3.6
For information about Cloudscape technical support, go to: www.cloudscape.com/support/.
Copyright © 1998, 1999, 2000 Informix Software, Inc. All rights reserved.