directory-dev mailing list archives

From Niclas Hedhman <nic...@hedhman.org>
Subject Re: Access to LdapPrincipal constructor
Date Mon, 02 May 2005 11:25:02 GMT
On Saturday 30 April 2005 11:02, Alex Karasulu wrote:
> Ahh yeah I thought I confronted this at some point.  I have to refresh
> myself.  Basically LdapPrincipal can only be created by the Auth service
> you are right.  This is for security reasons and the reason why we
> keep it package friendly.  I know I made some kind of changes to
> accommodate a way for your Authenticators to be ok with this.

Alex, I don't know if you have thought about how the ApacheDS is secured
overall. Protecting fields, methods and constructors is no real protection at
all, unless combined with proper security policies and the use of
AccessController.doPrivileged().

If no such thought has been spent on the subject, perhaps it is soon time to
start a security review of the entire system.


Cheers
Niclas
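
The point made in the message above, as an added Java example that is not part of the original message or of ApacheDS: a caller reaches a non-public constructor through reflection until a security policy withholds `ReflectPermission("suppressAccessChecks")`. `DemoPrincipal`, `ConstructorAccessDemo`, `forge` and the DN string are hypothetical, and the stand-in uses a `private` constructor (stricter than package-private) so that it fits in one file.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;

// Hypothetical stand-in with a private constructor; not the ApacheDS LdapPrincipal.
final class DemoPrincipal {
    final String name;
    private DemoPrincipal(String name) { this.name = name; }
}

public class ConstructorAccessDemo {

    // Tries to build a DemoPrincipal reflectively from outside the class.
    static String forge(String name) {
        try {
            Constructor<DemoPrincipal> c =
                DemoPrincipal.class.getDeclaredConstructor(String.class);
            // With a SecurityManager installed, this call checks
            // ReflectPermission("suppressAccessChecks") before proceeding.
            c.setAccessible(true);
            return "created " + c.newInstance(name).name;
        } catch (SecurityException e) {
            return "denied by policy: " + e.getMessage();
        } catch (ReflectiveOperationException e) {
            return "failed: " + e;
        }
    }

    public static void main(String[] args) {
        String dn = "uid=example,ou=users"; // constructed sample value

        // 1. No SecurityManager: the access modifier alone does not stop the caller.
        System.out.println(forge(dn));

        // 2. A policy that withholds suppressAccessChecks from this code.
        try {
            System.setSecurityManager(new SecurityManager() {
                @Override public void checkPermission(Permission p) {
                    if (p instanceof ReflectPermission
                            && "suppressAccessChecks".equals(p.getName())) {
                        throw new SecurityException("suppressAccessChecks not granted");
                    }
                }
            });
        } catch (UnsupportedOperationException e) {
            // Recent JVMs disable the SecurityManager; the policy step cannot run there.
            System.out.println("this JVM no longer supports a SecurityManager");
            return;
        }
        System.out.println(forge(dn));
    }
}
```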
