Derby and security

Derby can be deployed in a number of ways and in a number of different environments. The security needs of the Derby system are also diverse.

Derby supplies or supports the following optional security mechanisms:

The section "Derby Network Server advanced topics" in the Derby Server and Administration Guide has more information on security issues. The Derby Reference Manual describes many security-related properties and system procedures, as well as such statements as GRANT, REVOKE, CREATE ROLE, DROP ROLE, CREATE PROCEDURE, and CREATE FUNCTION.

Identity in Derby

Derby provides two kinds of identity:

The distinction between fine-grained SQL authorization and coarse-grained connection organization is described in User authorizations.

Security mechanisms in action

The following figure shows some of the Derby security mechanisms at work in a client/server environment. User authentication is performed by accessing an LDAP directory service. The data in the database is not encrypted in this trusted environment.

Figure 1. Using an LDAP directory service in a trusted environment
This figure shows user authentication from an LDAP directory service to the Derby engine, and user authorization to read and write data. The Derby database is a trusted environment, and the data is not encrypted.

The following figure shows how another Derby security mechanism, disk encryption, protects data when the recipient might not know how to protect data. It is useful for databases deployed in an embedded environment.

Figure 2. Using disk encryption to protect data
This figure shows disk encryption between the Derby engine and the database.
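
The following is an added example, not part of the original Derby documentation. It shows disk encryption in an embedded deployment: a database is created encrypted, and the engine then refuses to boot it unless the boot password is supplied. It uses Derby's dataEncryption and bootPassword connection attributes. It assumes the Derby embedded driver is on the classpath; the class name, table, database name, and the DERBY_BOOT_PASSWORD environment variable are hypothetical.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.sql.*;
import java.util.Properties;

public class EncryptedDerbyDemo {
    public static void main(String[] args) throws Exception {
        // Assumption: the secret comes from the environment rather than source code.
        String bootPassword = System.getenv("DERBY_BOOT_PASSWORD");
        if (bootPassword == null || bootPassword.length() < 8) {
            throw new IllegalStateException("set DERBY_BOOT_PASSWORD (8+ characters)");
        }
        // Fresh directory so the demo always creates a new database.
        Path dir = Files.createTempDirectory("derby-enc-demo");
        String db = "jdbc:derby:" + dir.resolve("encryptedDemoDB");
        // Attributes go in Properties so the password is never spliced into the URL.
        Properties create = new Properties();
        create.setProperty("create", "true");
        create.setProperty("dataEncryption", "true");
        create.setProperty("bootPassword", bootPassword);
        try (Connection c = DriverManager.getConnection(db, create);
             Statement s = c.createStatement()) {
            s.executeUpdate("CREATE TABLE notes (id INT PRIMARY KEY, body VARCHAR(64))");
            s.executeUpdate("INSERT INTO notes VALUES (1, 'constructed sample row')");
        }
        // Shut the database down so the next connection has to boot it again.
        try {
            DriverManager.getConnection(db + ";shutdown=true");
        } catch (SQLException e) {
            if (!"08006".equals(e.getSQLState())) throw e; // 08006 = clean shutdown
        }
        // Booting without the boot password must be refused.
        try (Connection c = DriverManager.getConnection(db)) {
            throw new AssertionError("encrypted database booted without a boot password");
        } catch (SQLException e) {
            System.out.println("boot refused, SQLState " + e.getSQLState());
        }
        // With the boot password the data is readable again.
        Properties boot = new Properties();
        boot.setProperty("bootPassword", bootPassword);
        try (Connection c = DriverManager.getConnection(db, boot);
             Statement s = c.createStatement();
             ResultSet rs = s.executeQuery("SELECT body FROM notes WHERE id = 1")) {
            rs.next();
            System.out.println("read back: " + rs.getString(1));
        }
    }
}
```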