The TDI System Store is the database, or persistence layer, in which all the information required by a TDI Server is stored. Traditionally this layer had no security around it: any user was able to access the System Store. From TDI 7.0, however, configurable security is provided around the System Store.
In TDI 7.0 the System Store is used in Network Mode by default, so that a number of TDI instances and other applications are able to access the System Store concurrently. Because the System Store is available over the network, security needs to be built around it in order to protect the data maintained by the TDI Server.
Derby (previously known as Cloudscape) provides several ways to define the repository of users and passwords. To specify which of these services to use with your Derby system, set the property derby.authentication.provider to the appropriate value as discussed in the appropriate section listed below.
We can allow Derby to authenticate users against an existing LDAP directory service within your enterprise. LDAP (lightweight directory access protocol) provides an open directory access protocol running over TCP/IP. An LDAP directory service can quickly authenticate a user's name and password.
Once a set of properties defined by Derby has been configured, the external directory service can be used as the repository for user names and passwords.
Set derby.authentication.provider to the full name of a class that implements the public interface org.apache.derby.authentication.UserAuthenticator. By writing our own class that fulfills some minimal requirements, we can hook Derby up to an external authentication service.
The class that provides the external authentication service must implement the public interface org.apache.derby.authentication.UserAuthenticator and throw exceptions of type java.sql.SQLException where appropriate.
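As an added illustration of the external hook described above (example code, not part of the TDI or Derby documentation), the class below implements org.apache.derby.authentication.UserAuthenticator for a single System Store user. The class name, the user name and the salted hash are constructed placeholders; a real deployment would load the credential from a protected store and register the class with derby.authentication.provider set to its fully qualified name.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.sql.SQLException;
import java.util.Properties;

import org.apache.derby.authentication.UserAuthenticator;

// Hypothetical authenticator for the single TDI System Store user.
// Register with: derby.authentication.provider=SystemStoreAuthenticator
public class SystemStoreAuthenticator implements UserAuthenticator {

    // Constructed sample credential: the stored value is SHA-256(salt || password),
    // so the clear-text password never sits in the class or in a properties file.
    private static final String USER = "tdi_store";
    private static final byte[] SALT = "example-salt".getBytes(StandardCharsets.UTF_8);
    private static final byte[] EXPECTED = digest(SALT, "s3cret-example");

    @Override
    public boolean authenticateUser(String userName, String userPassword,
                                    String databaseName, Properties info) throws SQLException {
        if (userName == null || userPassword == null) {
            // Derby contract: report malformed input as an SQLException
            throw new SQLException("user name and password are required");
        }
        if (!USER.equals(userName)) {
            return false; // unknown user: reject without revealing which part failed
        }
        byte[] candidate = digest(SALT, userPassword);
        // constant-time comparison so a wrong password does not leak how many bytes matched
        return MessageDigest.isEqual(EXPECTED, candidate);
    }

    // Salted SHA-256 of the supplied password.
    static byte[] digest(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            md.update(password.getBytes(StandardCharsets.UTF_8));
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```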
The TDI System Store uses the built-in repository for storing the user name and password. Since TDI has only one user accessing the System Store, this is the most viable provider to use.
User Authentication
User authentication deals with verifying who is connecting. The user authentication mechanism only checks that the user name is present in the configured repository (it can be any one of the repositories mentioned above) and that the password is correct for that user. If we want more control over access rights, we can use the user authorization mechanism provided by Derby.
The master switch for requiring that users be authenticated against the provided parameters is the property derby.connection.requireAuthentication; the default is TRUE.
The access modes can be set using the property derby.database.defaultConnectionMode=fullaccess. This property sets the default access mode for all the users in the Derby repository, and it also defines the access level for the System Store user. The different access levels supported by Derby are fullAccess, readOnly, and noAccess.
However, if we want specific access modes for specific users, we can assign access using the properties mentioned below. The user names should be a comma-separated list of users, for example:

derby.database.fullAccessUsers=sa, mary

In the current version of TDI we have only one user accessing the System Store. This user is required to perform all the operations on the System Store, hence we have set the access mode to fullAccess.