Improved documentation for tcpAllowOthers, webAllowOthers, pgAllowOthers

db2c6dd5 · Thomas Mueller · 3d7d2aaf · db2c6dd5 · db2c6dd5
--- a/h2/src/docsrc/html/advanced.html
+++ b/h2/src/docsrc/html/advanced.html
@@ -50,6 +50,8 @@ Advanced Topics
    File Locking Protocols</a><br />
 <a href="#sql_injection">
    Protection against SQL Injection</a><br />
+<a href="#remote_access">
+    Protection against Remote Access</a><br />
 <a href="#restricting_classes">
    Restricting Class Loading and Usage</a><br />
 <a href="#security_protocols">
@@ -900,6 +902,17 @@ It is not required to create a constant for the number 0 as there is already a b
 SELECT * FROM USERS WHERE LENGTH(PASSWORD)=ZERO();
 </pre>

+<br /><a name="remote_access"></a>
+<h2>Protection against Remote Access</h2>
+<p>
+By default this database does not allow others to connect when starting the H2 Console,
+the TCP server, or the PG server. Remote access can be enabled using the command line
+options -webAllowOthers, -tcpAllowOthers, and -pgAllowOthers. If you enable remote
+access, please also consider using the options -baseDir and -ifExists, so that remote
+users can not create new databases or access existing databases with weak passwords. Also,
+ensure the existing accessible databases are protected using a strong password.
+</p>
+
 <br /><a name="restricting_classes"></a>
 <h2>Restricting Class Loading and Usage</h2>
 <p>

--- a/h2/src/main/org/h2/tools/Server.java
+++ b/h2/src/main/org/h2/tools/Server.java
@@ -60,7 +60,7 @@ public class Server extends Tool implements Runnable, ShutdownHandler {
     * <tr><td>[-web]</td>
     * <td>Start the web server with the H2 Console</td></tr>
     * <tr><td>[-webAllowOthers]</td>
-     * <td>Allow other computers to connect</td></tr>
+     * <td>Allow other computers to connect - see below</td></tr>
     * <tr><td>[-webPort &lt;port&gt;]</td>
     * <td>The port (default: 8082)</td></tr>
     * <tr><td>[-webSSL]</td>
@@ -70,7 +70,7 @@ public class Server extends Tool implements Runnable, ShutdownHandler {
     * <tr><td>[-tcp]</td>
     * <td>Start the TCP server</td></tr>
     * <tr><td>[-tcpAllowOthers]</td>
-     * <td>Allow other computers to connect</td></tr>
+     * <td>Allow other computers to connect - see below</td></tr>
     * <tr><td>[-tcpPort &lt;port&gt;]</td>
     * <td>The port (default: 9092)</td></tr>
     * <tr><td>[-tcpSSL]</td>
@@ -84,7 +84,7 @@ public class Server extends Tool implements Runnable, ShutdownHandler {
     * <tr><td>[-pg]</td>
     * <td>Start the PG server</td></tr>
     * <tr><td>[-pgAllowOthers]</td>
-     * <td>Allow other computers to connect</td></tr>
+     * <td>Allow other computers to connect - see below</td></tr>
     * <tr><td>[-pgPort &lt;port&gt;]</td>
     * <td>The port (default: 5435)</td></tr>
     * <tr><td>[-baseDir &lt;dir&gt;]</td>
@@ -94,6 +94,9 @@ public class Server extends Tool implements Runnable, ShutdownHandler {
     * <tr><td>[-trace]</td>
     * <td>Print additional trace information; for all servers</td></tr>
     * </table>
+     * The options -xAllowOthers are potentially risky.
+     * <br />
+     * For details, see Advanced Topics / Protection against Remote Access.
     * @h2.resource
     *
     * @param args the command line arguments