Apache Derby Database Users and Permissions

Abstract

Apache Derby is awesome! Especially in a Microservices environment where the data for services (may) shrink and not require a heartier RDBMS. Derby is awesome because it’s so easy to use, especially when it come to users and permissions - you don’t need any! But, it may be the case you want to create an application-level user with limited permissions to use in Derby. The purpose of this blog is to document how to create application-level, limited permission users in Derby.

Disclaimer

This post is solely informative. Critically think before using any information presented. Learn from it but ultimately make your own decisions at your own risk.

Requirements

I did all of the work for this post using the following major technologies. You may be able to do the same thing with different technologies or versions, but no guarantees.

• Apache Derby 10.14.1.0
• Java 1.8.0_152_x64

I am not going to go through the process of downloading and installing these technologies. I’ll leave that as an exercise for you.

Run Derby Network Server

The first thing you must do is run a Derby network server. In my previous blog post titled Multiple Derby Network Servers on the same Host, I give detailed instructions on how to do this. Please refer to that blog post to run your own Derby network server.

Configure Derby Network Server

To configure the Derby network server, you need to create a derby.properties file. But where does the file go? It can go in a couple different places. Let’s take a look.

I’ll first assume that you ignored the Run Derby Network Server section above and instead are running Derby with all its defaults. If that’s the case, you probably started the network server by finding the %DERBY_HOME%\bin\startNetworkServer.bat file and double-clicking it. If you did this - highly not recommended - then Derby thinks the %DERBY_HOME%\bin directory is its system directory. You can confirm this by looking for the %DERBY_HOME%\bin\derby.log file. If confirmed, then you need to create a %DERBY_HOME%\bin\derby.properties file. Wherever the derby.log file is, that’s where you create the derby.properties file.

On the other hand if you didn’t ignore the Run Derby Network Server section above, congratulations! The derby.properties file must go into the directory set by the -Dderby.system.home Java system property.

Now that you know where to put the derby.properties file, here is (an example) of what to put in it:

# Passwords don't expire for 10 years
derby.authentication.native.passwordLifetimeMillis=315360000000

# Use the best hash algorithm you can
derby.authentication.builtin.algorithm=SHA-512

# Use a larger salt length for better security
derby.authentication.builtin.saltLength=128

# Re-hash this number of times for better security
derby.authentication.builtin.iterations=1564

The first property derby.authentication.native.passwordLifetimeMillis is the most important one. It configures how long Derby user passwords can be used before they go stale. By default, a password goes stale in 31 days unless this property is configured.

NOTE Derby uses the word “stale”, whereas we would typically use the word “expired”.

The value of this property is in milliseconds. The example above - 315360000000 - means a user’s password goes stale 10 years after the user is created. This configuration is for all users in every database in that Derby network server. There does not seem to be any per-user password expire setting.

Now you have the derby.properties file in place. Start the network server and let’s use it.

Run ij

ij is to Derby what sqlplus is to Oracle; just a simple command-line interface to execute SQL. Find and run %DERBY_HOME%\bin\ij.bat. For the rest of the blog, the "ij>" prompt will indicate SQL commands that must be executed within ij.

With ij running, we can create a database. Let’s do that next.

Create a Database

First, make sure your Derby network server is configured (as described above), and running (as described above) and is waiting for connections on whatever port you configured.

Second, make sure ij is running. You should be at this prompt:

ij>

Third, issue a connect statement which will create a new database.

ij> connect 'jdbc:derby://localhost:11528/resiste;create=true;' user 'sa_resiste';

Let’s look at this in more detail. localhost assumes the Derby network server is running on the same machine as ij, though it can be any host on your network. 11528 is the port the Derby network server is using to listen for connections. resiste is the name of the database to connect to; remember a Derby network server can have many different databases. create=true tells Derby to create the database if it doesn’t exist already. When created, the resiste database will the file system folder %derby.system.home%\resiste. sa_resiste is name of the admin user for the resiste database. Usually it’s just sa. Next we’ll look at setting the password for this admin user.

Create the Admin User

Derby provides an internal system call to create users and passwords. Make sure you are connected to the resiste database then execute:

ij> CALL SYSCS_UTIL.SYSCS_CREATE_USER('sa_resiste', 'derby123'); 
ij> disconnect;
ij> exit;

Line 1 creates the sa_resiste user with the password derby123. Lines 3 and 4 then disconnect from the database and exits ij.

RESTART THE NETWORK SERVER NOW

After restarting, let’s see if it worked. Connect with sa_resiste and no password. Connection will get authentication failure.

ij> connect 'jdbc:derby://localhost:11528/resiste' user 'sa_resiste';
ERROR 08004: Connection authentication failure occurred.  Reason: Userid or password invalid.

Now connect with sa_resiste and password. Connection will succeed.

ij> connect 'jdbc:derby://localhost:11528/resiste' user 'sa_resiste' password 'derby123';
ij> 

Good! The admin user is now created. Next we’ll use the admin user to create a table. This table will be used to validate the permissions of the application-level user we’ll create later.

Create Test Table

Now we are going to use the admin user to create a test table. We will do this for a couple reasons.

1. Verify the admin user has all permissions and is able to execute these SQL commands.
2. Verify the permissions of the application-level user we’ll create later.

ij> connect 'jdbc:derby://localhost:11528/resiste' user 'sa_resiste' password 'derby123';
ij> create schema testing;
ij> set schema testing;
ij> create table names (full_name varchar(100));
ij> insert into names values ('rita red');
ij> select * from names;
FULL_NAME
----------------------------------------------------------------------------------------------------
rita red
ij> disconnect; 

Next let’s create the application-level user.

Create the Application User

Now for the fun stuff. Let’s create an application-level user. This will be a user with permission limited to only the operations an application is able to perform. For example, if your Microservice is only going to GET data, then the application-level user should only have SELECT permissions on the database table. We will test the application-level user’s permission, but first let’s create the user.

ij> connect 'jdbc:derby://localhost:11528/resiste' user 'sa_resiste' password 'derby123';
ij> CALL SYSCS_UTIL.SYSCS_CREATE_USER('oscar', 'orange');
ij> disconnect;
ij> exit;

NOTE Remember, oscar’s password will go stale in 31 days by default. However, if you have a derby.properties file with the derby.authentication.native.passwordLifetimeMillis property set, then it will go stale after whatever time is set by that property. There is no other way to change the time it takes for the password to go stale.

RESTART THE NETWORK SERVER NOW

After restarting, let’s see if it worked. Connect with oscar. Connection will succeed, but, oscar won’t have the permission to read the test table.

ij> connect 'jdbc:derby://localhost:11528/resiste' user 'oscar' password 'orange';
ij> select * from testing.names;
ERROR 42502: User 'OSCAR' does not have SELECT permission on column 'FULL_NAME' of table 'TESTING'.'NAMES'.
ij> disconnect;

Even though the SELECT statement failed, failure means a successful test. oscar has no permissions so should not be able to select from the test table. Let’s configure oscar next.

Configure the Application User

Let’s set some permissions for oscar. Of course the sa_resiste admin user is required to do this.

ij> connect 'jdbc:derby://localhost:11528/resiste' user 'sa_resiste' password 'derby123';
ij> set schema testing;
ij> grant select on names to oscar;
ij> disconnect;

This will give oscar only 1 permission: to select from TESTING.NAMES table. Let’s see if it worked.

ij> connect 'jdbc:derby://localhost:11528/resiste' user 'oscar' password 'orange';
ij> select * from testing.names;
FULL_NAME
----------------------------------------------------------------------------------------------------
rita red
ij> disconnect;

Congratulations! You now have an application-level user with limited permissions in your Derby database.

Summary

I hope you enjoyed learning how to do simple user administration with Derby.

My Thoughts on Jakarta EE

The Announcement

On February 26, 2018, I saw a post on Twitter saying EE4J tallied the results of the naming survey and Jakarta EE is the new brand for the open source enterprise software standard (Milinkovich, 2018). From what I’ve seen on Twitter and read on other blogs, the Java enterprise community has been very supportive of the re-branding. I am supportive as well (I voted for Jakarta EE) and will continue to evangelize Jakarta EE. Though this is a monumental step, the challenges for EE4J and the Jakarta EE brand are far from over. I’d like to share what I think are some of those challenges. You can skip to tl;dr to save time. They are:

1. Getting the Re-branding to Stick
2. Release Cadence
3. Continued Emphasis on the EE Server

Getting the Re-branding to Stick

The announcement hadn’t even been a day old when Twitter posts started from recruiters looking for Jakarta EE experience (Ament, 2018). Java Enterprise software has been around for nearly 20 years, and over that time it has gone through previous cycles of renaming and re-branding. Here they are:

J2EE (1999) -> Java EE (2006) -> Jakarta EE (2018)

Re-branding is hard, and it can be argued that neither Sun nor Oracle did a good job promoting the brands. You can search Twitter for posts joking about how it has been over 10 years since the re-brand to Java EE but recruiters still advertise and look for “J2EE”. I am guilty of this as well. My LinkedIn profile has “J2EE” all over it so I can be found.

So how will EE4J fair promoting the Jakarta EE brand? I think success can be measured by management knowing about it. It’s sometimes dangerous when managers know things. But, if managers start asking, “are we are using Jakarta EE in new projects”, that’s success in branding.

NOTE It’s OK if managers don’t know what Jarkarta EE is, as long as they know it’s the “thing to do” :)

Release Cadence

Java SE is experiencing this challenge right now. The Java community griped about how long it took for Java to evolve and release new versions. Now that Oracle announced Java SE is on a 6 month release cycle (Evens, 2017) with limited long term support options (Azul, 2018), organizations don’t seem to know what to do (be careful what you wish for). Software is moving faster than infrastructure can keep up.

Release cadence can be a problem with Jakarta EE as well. The Java enterprise community may get its wish with rapid releases of Jakarta EE. But if this happens, I don’t think the releases will get the fan fair the community expects. Infrastructure won’t be able to keep up. Organizations will keep to their multi-year upgrade plans meaning long periods of time between server upgrades. Jakarta EE developers will be stuck using old standards like Java EE developers are stuck now.

A rapid release cadence for Jakarta EE may even cause more harm than good. As it is now, if an organization is upgrading servers every few years, the perceived risk of the upgrade is somewhat reduced because the standard may change by only 1 number: Java EE 6 to 7. On paper, that doesn’t look too risky. But if there have been multiple release over the years and the change is from Jakarta EE 9 to 14, the perceived risk is now YIKES!

I think Jakarta EE can support a rapid release cadence. However, to do this it has to face what I consider to be its most daunting challenge: the server.

Continued Emphasis on the EE Server

The final and most glaring challenge EE4J faces is continuing to remain server-technology focused. Will Jakarta EE continue to focus on the standards to create an “EE Server”? I hope not!

20 years ago, the expectation was to install a “heavy” server (WebLogic, WebSphere) and be able to ride that installation with very few changes for 3–5 years and you’re all good. Even security patches over those years were very limited; it was a different era! That’s the way infrastructure worked then, and if we are honest with ourselves, it’s the way infrastructure works now. Infrastructure is a huge impediment to software development. Developers want to use the latest-and-greatest, but infrastructure does not want to “take the risk”. Upgrading server software is always painful: lots of testing, lots of things breaking. So infrastructure avoids upgrades as much as it can.

The development community has gotten around this infrastructure problem by moving functionality out of the server and into the application, hence the Spring framework. Spring is successful precisely because of this infrastructure problem. Infrastructure typically does not care what’s inside the applications running on the server - the applications can change and upgrade as much as they want - just so long as the server itself doesn’t have to change. Is your production WebSphere installation 10 years old? “No problem,” developer’s say, “We aren’t really using anything the server provides anyway.”

Jakarta EE needs to evolve into a standard for an enterprise framework vs. an enterprise server. Spring, Hibernate, and other open source project can continue to push innovation forward. Organizations that want to take the risk and use those bleeding-edge technologies can do so. Once proven, their innovations can be incorporated into the Jakarta EE standard framework for the rest of us. Jakarta EE developers can use the new features added to the framework as quickly as their next product release by a simple POM <version> update…no need to install a new server. As an added bonus, if Jakarta EE sticks to TCK requirements and backward compatibility, Jakarta EE developers will have the confidence things won’t break when they change that often feared <version> number.

If Jakarta EE evolves into a standard for an enterprise framework (I hope so), Jakarta EE applications still need to run in something. Perhaps keeping to the current trend of using the Servlet container (Tomcat, Jetty) would be sufficient. But whatever form it takes, the expectation should be that the “server” would be able to sit for 10 years with minimal updates and not get in the way of the applications running in them. When the EE4J charter was under review, I believe there was some discussion on using the word “runtime” instead of “server”. This is appropriate. Have a Jakarta EE runtime (JEER) that can run for years without requiring major upgrades.

tl;dr

I fully support Jakarta EE as a brand and will continue to evangelize the technology as an open standard for enterprise development.

Successfully branding Jakarta EE will be a challenge. Branding will be successful if managers start asking, “Are we using Jakarta EE”? Jakarta EE should be a buzz word and the “thing to use” even though people may have no idea what it is. Sound familiar?

Release cadence may backfire on Jakarta EE because upgrading server installations will continue to move a lot slower.

Jakarta EE needs to evolve into a enterprise standard framework, deployable as part of an application vs. an enterprise standard server that has to be installed or upgraded on a box. The former results in speed, agility, and innovation. The latter results in stagnation.

Thanks for reading.

References

Milinkovich, M., (2018, February 26). And the Name Is…[Blog Post]. Retrieved from https://mmilinkov.wordpress.com/2018/02/26/and-the-name-is/.

Ament, J. D., (2018, February 26). This just in [Tweet]. Retrieved from https://twitter.com/JohnAment/status/968324168264704000.

Evans, B., (2017, September 6). Java to Move to 6-Monthly Release Cadence [Blog Post]. Retrieved from https://www.infoq.com/news/2017/09/Java6Month.

Azul Systems, (2018, January 17). Azul Systems Announces Enhanced Java SE Support Plans [Blog Post]. Retrieved from https://globenewswire.com/news-release/2018/01/17/1295592/0/en/Azul-Systems-Announces-Enhanced-Java-SE-Support-Plans.html.

Bootstrap CDI 2.0 in Java SE

Abstract

This is a quick reference for bootstrapping CDI 2.0 in a Java SE application.

CDI 2.0 (JSR 365)

Maven Dependency

<dependency>
    <groupId>org.jboss.weld.se</groupId>
    <artifactId>weld-se-core</artifactId>
    <version>3.0.2.Final</version>
</dependency>

beans.xml

File location is /META-INF/beans.xml. This file is optional, though I’ve found it’s still good to have.

<beans version="2.0" 
    xmlns="http://xmlns.jcp.org/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="
     http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/beans_2_0.xsd" 
    bean-discovery-mode="all"
>
    <scan>
        <exclude name="org.jboss.weld.**" />
    </scan>  
</beans>

Java SE Application

package org.ferris.cdi.example.main;

import javax.enterprise.inject.se.SeContainer;
import javax.enterprise.inject.se.SeContainerInitializer;

/**
 * The main() method for this application
 *
 * @author <a href="mailto:mjremijan@yahoo.com">Mike Remijan</a>
 */
public class Main {
    public static void main(String[] args) {

        SeContainer container
            = SeContainerInitializer.newInstance().initialize();

        Main main
            = container.select(Main.class).get();

        //. . .
    }
}

Summary

That’s it…enjoy!