directory-dev mailing list archives

From Alex Karasulu <akaras...@apache.org>
Subject Re: svn commit: r1144962 - /directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java
Date Tue, 12 Jul 2011 00:21:34 GMT
On Mon, Jul 11, 2011 at 9:55 AM, Emmanuel Lecharny <elecharny@gmail.com> wrote:
> I'm not sure it's a good idea to setup a default session, at least to admin.
> If we consider the normal (ie, not embedded) server, we don't set any
> session, the default session is Anonymous (of course if allowed). IMO, this
> might be a security breach too.
>
> What was the rationale for this modification, Alex?

First, there was a big null pointer exception due to this not being
set. Second, taking a big step back, I thought about it, and if I have a
handle on DirectoryService I can pretty much do anything anyway. If
I'm using CoreSessions and DirectoryServices I can use any kind of
session; there's no security barrier there. So IMO there's no security
issue here in defaulting to an admin session.

> On 7/10/11 11:23 PM, akarasulu@apache.org wrote:
>>
>> Author: akarasulu
>> Date: Sun Jul 10 21:23:02 2011
>> New Revision: 1144962
>>
>> URL: http://svn.apache.org/viewvc?rev=1144962&view=rev
>> Log:
>> session member should be reset to an admin session when the directory
>> service is set
>>
>> Modified:
>>
>> directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java
>>
>> Modified:
>> directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java
>> URL:
>> http://svn.apache.org/viewvc/directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java?rev=1144962&r1=1144961&r2=1144962&view=diff
>>
>> ==============================================================================
>> ---
>> directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java
>> (original)
>> +++
>> directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java
>> Sun Jul 10 21:23:02 2011
>> @@ -1286,5 +1286,6 @@ public class LdapCoreSessionConnection i
>>      {
>>          this.directoryService = directoryService;
>>          this.schemaManager = directoryService.getSchemaManager();
>> +        this.session = directoryService.getAdminSession();
>>      }
>>  }
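
Review bot: The added `this.session = directoryService.getAdminSession();` line in the setter is unconditional, so every call replaces whatever session the connection already held with a full-privilege admin session, and nothing in the hunk documents that side effect. If the goal is only to avoid a null session, consider assigning the default only when `this.session` is null and stating the admin default in the method's Javadoc, so callers that need a less privileged identity know they must set it explicitly after this call.
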
>>
>>
>>
>
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>



-- 
Best Regards,
-- Alex
