geronimo-dev mailing list archives

From "David Jencks (JIRA)" <>
Subject [jira] Created: (GERONIMO-643) transport guarantees on UDP not always enforced (at least w/jetty)
Date Sun, 08 May 2005 06:46:04 GMT
transport guarantees on UDP not always enforced (at least w/jetty)

         Key: GERONIMO-643
     Project: Geronimo
        Type: Bug
  Components: security  
    Versions: 1.0-M3    
    Reporter: David Jencks
 Assigned to: David Jencks 

The UserDataPermission for a request on an unprotected socket is constructed erroneously with
a transport guarantee of "N/A" rather than "NONE" (0 rather than 3).  As a result, the UDP
permission checks succeed rather than fail if url pattern and method match.  

I believe but have not checked that this results in insecure access to resources that are
supposed to be under a transport guarantee only for unchecked resources.  I believe that resources
associated with a role have the transport guarantee at least partially enforced by the login

I have not looked into what the Tomcat integration does in this situation.

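The following is an added illustration, not part of the original message and not Geronimo's code, of how a request permission carrying a "not applicable" transport value can pass a check that the "NONE" value fails. The values 0 and 3 come from the report; the `INTEGRAL` and `CONFIDENTIAL` values, the bit-mask comparison in `implies`, and every name in the class are assumptions made for the model.

```java
// Added model, not Geronimo code. 0 ("N/A") and 3 ("NONE") are the values given in
// the report; INTEGRAL = 1, CONFIDENTIAL = 2 and the bit-mask comparison are assumed.
public class TransportGuaranteeDemo {
    static final int NA = 0;            // "N/A" per the report
    static final int INTEGRAL = 1;      // assumed value
    static final int CONFIDENTIAL = 2;  // assumed value
    static final int NONE = 3;          // "NONE" per the report

    // Assumed implies(): the granted permission covers the request when every
    // transport bit set in the request's permission is also set in the grant.
    static boolean implies(int granted, int requested) {
        return (granted & requested) == requested;
    }

    // Hardened variant: a permission built from a live request must always
    // carry a concrete transport value, so N/A is refused outright.
    static boolean impliesStrict(int granted, int requested) {
        if (requested == NA) {
            throw new IllegalArgumentException("request permission has no transport guarantee");
        }
        return implies(granted, requested);
    }

    // Transport value for the permission built from a request (assumed mapping):
    // a secure socket yields CONFIDENTIAL, an unprotected socket yields NONE.
    static int transportFor(boolean secureSocket) {
        return secureSocket ? CONFIDENTIAL : NONE;
    }

    public static void main(String[] args) {
        int granted = CONFIDENTIAL; // resource declared with a CONFIDENTIAL guarantee

        // Reported defect: the plain-socket request is built with N/A (0), which
        // has no bits set, so the mask comparison is satisfied vacuously.
        System.out.println("N/A  on plain socket -> " + implies(granted, NA));
        // Intended construction: NONE (3) has bits the grant lacks, so the check fails.
        System.out.println("NONE on plain socket -> " + implies(granted, transportFor(false)));
        // A request over a secure socket is still allowed.
        System.out.println("secure socket        -> " + implies(granted, transportFor(true)));

        try {
            impliesStrict(granted, NA);
        } catch (IllegalArgumentException e) {
            System.out.println("strict check rejects N/A: " + e.getMessage());
        }
    }
}
```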