IBM / JTOpen

IBM Toolbox for Java, an IBM i communications library
https://ibm.github.io/JTOpen/

DatabaseMetaData.getSchemas() - Returns non authorized libraries #180

Closed DavideVillaGEP closed 2 months ago

DavideVillaGEP commented 2 months ago

I'm trying to secure the JDBC SQL access to my database and I noticed that the DatabaseMetaData.getSchemas() and DatabaseMetaData.getTables() methods retrieve all libraries and all tables on the system.

I think that the objects the user is not authorized to see should not be returned by the above methods.

I'm wondering if this is the expected behavior or a security bug.

jeber-ibm commented 2 months ago

That information is returned from the catalogs on the system.

The SQL reference manual (https://www.ibm.com/docs/en/i/7.5?topic=reference-db2-i-catalog-views) states the following:

Granting Privileges to Catalog Views: Tables and views in the catalog are like any other database tables and views. If you have authorization, you can use SQL statements to look at data in the catalog views in the same way that you retrieve data from any other table. The tables and views in the catalogs are shipped with the SELECT privilege to PUBLIC. This privilege may be revoked and the SELECT privilege granted to individual users.

If the system administrator is concerned, then they should revoke the SELECT privilege to PUBLIC.
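An added audit example, not code from this issue or from JTOpen itself, that measures the gap the reporter describes: it walks every table that DatabaseMetaData.getTables() returns and probes whether the connecting profile can actually read it, so an administrator can see how much the catalog lists beyond what the profile is authorized to. The host MYHOST, the profile TESTUSER and the password argument are placeholders.

```java
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/** Compares what the JDBC metadata lists with what the profile can read. */
public class CatalogExposureAudit {

    public static void main(String[] args) throws SQLException {
        // Placeholder host and profile; use a low-privilege test profile.
        String url = "jdbc:as400://MYHOST";  // JTOpen JDBC URL form
        String password = args[0];           // passed on the command line for brevity
        try (Connection conn = DriverManager.getConnection(url, "TESTUSER", password)) {
            DatabaseMetaData md = conn.getMetaData();
            int schemas = 0;
            try (ResultSet rs = md.getSchemas()) {
                while (rs.next()) schemas++;
            }
            int listed = 0, readable = 0;
            // null catalog, all schemas, all names, base tables only
            try (ResultSet rs = md.getTables(null, null, "%", new String[] {"TABLE"})) {
                while (rs.next()) {
                    String schema = rs.getString("TABLE_SCHEM");
                    String table = rs.getString("TABLE_NAME");
                    listed++;
                    if (canRead(conn, schema, table)) {
                        readable++;
                    } else {
                        System.out.println("listed but not readable: " + schema + "." + table);
                    }
                }
            }
            System.out.println(schemas + " schemas listed, " + listed
                    + " tables listed, " + readable + " readable by this profile");
        }
    }

    /** Probes one row of the table; a failure (authority or otherwise) counts as not readable. */
    static boolean canRead(Connection conn, String schema, String table) {
        // Identifiers come from the catalog, so they are quoted rather than parameterised.
        String sql = "SELECT 1 FROM \"" + schema + "\".\"" + table + "\" FETCH FIRST 1 ROW ONLY";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return true;
        } catch (SQLException e) {
            return false;
        }
    }
}
```

Every failed probe is an authority failure on the server, so run this with a test profile on a non-production system; rerunning it after revoking SELECT on the catalog views from PUBLIC shows how far the listed set has shrunk.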