Authentication should continue with next plugin after plugin failure [CORE5485] #5755
Comments
|
Commented by: @AlexPeshkoff Mark, I disagree with your suggestion. When client is configured to use plugin A but @ server side plugin A is misconfigured somehow making use of it impossible that's not default state, that's severe configuration error (remember - Windows zipkit is recommended for manual/custom installs, not for first time users). Moreover, you get an error message describing how to fix this condition. And initializing SRP in security database is not workaround here, it's required fix. What makes me surprised is that use of old client works - it should not work with default configuration when server requires wire encryption. |
|
Commented by: @mrotteveel Alex, I never said I used the zipkit without modification, I just said I used the default security3.fdb from the zipkit (which has a legacy sysdba, but is not initialised for SRP). If a Firebird 2.5 fbclient.dll can connect (or Jaybird 2.2 which only speaks v10 protocol), then so should a newer client be able to connect even if it supports both Srp and Legacy_Auth. In other words: the misconfiguration of an authentication plugin should only be logged, not kill the connect attempt, unless of course Srp is the only authentication plugin in common between client and server. |
|
Commented by: @AlexPeshkoff No, in such case it should better be aborted. If server admin is leaving 'Srp' in AuthServer but does not initialize security database it's his bug which should be fixed. |
|
Commented by: @mrotteveel Interestingly enough, it seems that with a Firebird 4 beta 1, the client continues with authentication. |
Submitted by: @mrotteveel
All failures of an authentication plugin should let Firebird move to the next authentication plugin if available. Currently only absence of a user for the plugin, or 'normal' login failures (see CORE5225) continue with the next plugin. However, when the security database is not initialised for a specific plugin, this plugin failure will end the authentication, and not continue with authentication for the next plugin.
Specifically assume a security database that is currently only initialised for Legacy_Auth (eg the default one in the Windows zipkit), if Jaybird 3 tries to connect (which first tries Srp, and then Legacy_Auth), the authentication fails with
Exception in thread "main" java.sql.SQLException: Your user name and password are not defined. Ask your database administrator to set up a Firebird login.; Install incomplete, please read the Compatibility chapter in the release notes for this version [SQLState:28000, ISC error code:335544472]
The message code of the second part is: 335545029.
This is in response to the initial op_connect. Instead the protocol should have continued with the next plugin.
The workaround in this specific case is to initialise the security database for SRP, eg by executing CREATE USER jaybird PASSWORD 'jdbc' USING PLUGIN Srp
Note that connecting with Jaybird 2.2 (which only uses legacy auth), or an Firebird 2.5 or earlier fbclient.dll will just work.
The text was updated successfully, but these errors were encountered: