geronimo-dev mailing list archives

From "David Jencks (JIRA)" <>
Subject [jira] Commented: (GERONIMO-643) transport guarantees on UDP not always enforced (at least w/jetty)
Date Sun, 08 May 2005 06:46:06 GMT
David Jencks commented on GERONIMO-643:

Revision 169130 provides at least a partial fix for this problem by making sure the UDP never
has a transport guarantee of "N/A".  I'd prefer additional review of this area before closing
the issue.

> transport guarantees on UDP not always enforced (at least w/jetty)
> ------------------------------------------------------------------
>          Key: GERONIMO-643
>          URL:
>      Project: Geronimo
>         Type: Bug
>   Components: security
>     Versions: 1.0-M3
>     Reporter: David Jencks
>     Assignee: David Jencks

> The UserDataPermission for a request on an unprotected socket is constructed erroneously
> with a transport guarantee of "N/A" rather than "NONE" (0 rather than 3).  As a result, the
> UDP permission checks succeed rather than fail if url pattern and method match.
> I believe, but have not checked, that this results in insecure access to resources that
> are supposed to be under a transport guarantee only for unchecked resources.  I believe that
> resources associated with a role have the transport guarantee at least partially enforced
> by the login mechanism.
> I have not looked into what the Tomcat integration does in this situation.
