directory-dev mailing list archives

From Alex Karasulu <akaras...@apache.org>
Subject Re: svn commit: r1144962 - /directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java
Date Tue, 12 Jul 2011 07:12:43 GMT
On Tue, Jul 12, 2011 at 8:53 AM, Emmanuel Lécharny <elecharny@apache.org> wrote:
> On 7/12/11 2:21 AM, Alex Karasulu wrote:
>>
>> On Mon, Jul 11, 2011 at 9:55 AM, Emmanuel Lecharny<elecharny@gmail.com>
>>  wrote:
>>>
>>> I'm not sure it's a good idea to set up a default session, at least to
>>> admin.
>>> If we consider the normal (ie, not embedded) server, we don't set any
>>> session, the default session is Anonymous (of course if allowed). IMO,
>>> this
>>> might be a security breach too.
>>>
>>> What was the rationale for this modification, Alex?
>>
>> First there was a big null pointer exception due to this not being
>> set. Second taking a big step back I thought about it and if I have a
>> handle on DirectoryService I can pretty much do anything anyway. If
>> I'm using CoreSessions and DirectoryServices I can use any kind of
>> session there's no security barrier there. So IMO there's no security
>> issue here to defaulting to an admin session.
>
> Makes sense. I'm just wondering if we shouldn't mimic the way the LDAP server
> works by forcing the session to use an anonymous principal by default,
> instead of an admin one.

That might be better for consistency and also the safe road to take.

> I shouldn't have used the term 'security issue',
> it's not really a problem in this case, what I had in mind is that if
> someone wants to use an Admin session, it's probably better to require that he
> explicitly create such a session. Call it 'protection against stupid
> move'...
>
> PS : NPE ? ouch...

Yeah Kiran commented on that.

> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>
>



-- 
Best Regards,
-- Alex

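The design choice the thread settles on, an anonymous principal by default with an admin session only when the caller explicitly asks for one, can be shown in a few lines. The following is an added example written for this archive page; it is not ApacheDS code and none of its class or method names (`CoreSession`, `CoreSessionConnection`, `Principal`, `lookup`, `add`) are the project's own API. It also guards the constructor against a null session, the kind of gap that produced the NPE mentioned above.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration, not ApacheDS code: every type and method here is hypothetical.
public class DefaultSessionExample {

    /** Hypothetical principal a session acts as. */
    enum Principal { ANONYMOUS, ADMIN }

    /** Hypothetical session that always carries an explicit principal. */
    static final class CoreSession {
        final Principal principal;

        private CoreSession(Principal principal) { this.principal = principal; }

        static CoreSession anonymous() { return new CoreSession(Principal.ANONYMOUS); }

        /** The only way to obtain an admin session: the caller has to ask for it by name. */
        static CoreSession admin() { return new CoreSession(Principal.ADMIN); }
    }

    /** Hypothetical connection wrapper over a toy in-memory directory. */
    static final class CoreSessionConnection {
        private final Map<String, String> entries = new HashMap<>();
        private final CoreSession session;

        /** No-arg constructor mirrors the network server: anonymous by default, never admin. */
        CoreSessionConnection() { this(CoreSession.anonymous()); }

        /** Explicit session; rejecting null up front avoids a later NullPointerException. */
        CoreSessionConnection(CoreSession session) {
            if (session == null) {
                throw new IllegalArgumentException("session must not be null");
            }
            this.session = session;
        }

        boolean isAnonymous() { return session.principal == Principal.ANONYMOUS; }

        /** Reads are open to any principal in this toy directory. */
        String lookup(String dn) { return entries.get(dn); }

        /** Writes require the admin principal, so a forgotten session cannot modify anything. */
        void add(String dn, String value) {
            if (session.principal != Principal.ADMIN) {
                throw new SecurityException("anonymous session may not add " + dn);
            }
            entries.put(dn, value);
        }
    }

    public static void main(String[] args) {
        CoreSessionConnection byDefault = new CoreSessionConnection();
        System.out.println("default session anonymous: " + byDefault.isAnonymous());
        try {
            byDefault.add("ou=example", "constructed sample entry");
        } catch (SecurityException e) {
            System.out.println("write refused: " + e.getMessage());
        }

        // Admin access has to be spelled out at the call site.
        CoreSessionConnection asAdmin = new CoreSessionConnection(CoreSession.admin());
        asAdmin.add("ou=example", "constructed sample entry");
        System.out.println("admin wrote entry: " + asAdmin.lookup("ou=example"));
    }
}
```

The point of the no-arg constructor is that forgetting to choose a session fails closed (anonymous, reads only) rather than open (admin), which is the 'protection against stupid move' described above; the explicit `CoreSession.admin()` call leaves an obvious marker in the caller's code for anyone reviewing who runs with elevated rights.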