geronimo-dev mailing list archives

From "David Jencks (JIRA)" <...@geronimo.apache.org>
Subject [jira] Created: (GERONIMO-643) transport guarantees on UDP not always enforced (at least w/jetty)
Date Sun, 08 May 2005 06:46:04 GMT
transport guarantees on UDP not always enforced (at least w/jetty)
------------------------------------------------------------------

         Key: GERONIMO-643
         URL: http://issues.apache.org/jira/browse/GERONIMO-643
     Project: Geronimo
        Type: Bug
  Components: security  
    Versions: 1.0-M3    
    Reporter: David Jencks
 Assigned to: David Jencks 


The UserDataPermission for a request on an unprotected socket is constructed erroneously with
a transport guarantee of "N/A" rather than "NONE" (0 rather than 3).  As a result, the UDP
permission checks succeed rather than fail if the URL pattern and method match.

I believe, but have not checked, that this results in insecure access to resources that are
supposed to be under a transport guarantee only for unchecked resources.  I believe that resources
associated with a role have the transport guarantee at least partially enforced by the login
mechanism.

I have not looked into what the Tomcat integration does in this situation.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
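
An added illustration, not part of the original message and not Geronimo's or the JACC API's code: a simplified Java model of the check described in the report, showing why a request permission built with "N/A" (0) passes a CONFIDENTIAL constraint while one built with "NONE" (3) is refused. The bit values for INTEGRAL and CONFIDENTIAL, the mask comparison, and all class and method names are assumptions made for the example.

```java
import java.util.List;

/** Simplified model of a user-data permission check (hypothetical, for illustration only). */
public class TransportGuaranteeModel {
    // 0 (N/A) and 3 (NONE) are the values named in the report.
    // INTEGRAL = 1 and CONFIDENTIAL = 2 are assumed, so that NONE carries both bits.
    static final int NA = 0, INTEGRAL = 1, CONFIDENTIAL = 2, NONE = 3;

    record Perm(String pattern, String method, int transport) {
        /** True when this policy permission covers the permission built for a request. */
        boolean implies(Perm req) {
            boolean urlOk = pattern.endsWith("/*")
                    ? req.pattern().startsWith(pattern.substring(0, pattern.length() - 1))
                    : pattern.equals(req.pattern());
            // Assumed mask rule: every transport bit the request carries must be granted.
            boolean transportOk = (transport & req.transport()) == req.transport();
            return urlOk && method.equals(req.method()) && transportOk;
        }
    }

    /** Builds the permission for an incoming request, with or without the reported defect. */
    static Perm forRequest(String uri, String method, boolean secure, boolean buggy) {
        int plain = buggy ? NA : NONE; // the defect: "N/A" used for an unprotected socket
        return new Perm(uri, method, secure ? CONFIDENTIAL : plain);
    }

    /** A request is allowed when any policy permission implies the request permission. */
    static boolean allowed(List<Perm> policy, Perm req) {
        return policy.stream().anyMatch(p -> p.implies(req));
    }

    public static void main(String[] args) {
        // Constructed policy: /secure/* may be read only over a confidential transport.
        List<Perm> policy = List.of(new Perm("/secure/*", "GET", CONFIDENTIAL));
        String uri = "/secure/report";

        System.out.println("plain HTTP, N/A (defect): "
                + allowed(policy, forRequest(uri, "GET", false, true)));
        System.out.println("plain HTTP, NONE (fixed): "
                + allowed(policy, forRequest(uri, "GET", false, false)));
        System.out.println("HTTPS, CONFIDENTIAL:      "
                + allowed(policy, forRequest(uri, "GET", true, false)));
    }
}
```

A regression test for the fix would assert that the plain-HTTP request is refused for every URL pattern carrying a CONFIDENTIAL or INTEGRAL guarantee.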

