geronimo-dev mailing list archives

From "Vamsavardhana Reddy" <c1vams...@gmail.com>
Subject Re: 1.1.1 - Ready or not ? Soliciting input
Date Tue, 08 Aug 2006 17:00:30 GMT
On 8/8/06, Aaron Mulder <ammulder@alumni.princeton.edu> wrote:
>
> Here are the issues that bother me most in 1.1.1.  I believe they are
> all also issues in 1.1.
>
> DEPLOYMENT
>
> http://issues.apache.org/jira/browse/GERONIMO-2270
> - Redeploy broken when module ID does not include a type (patch available)
>
> http://issues.apache.org/jira/browse/GERONIMO-2269
> - Redeploy broken when module ID does not include a version and app
> uses JNDI (patch available)
>
> I also just found a deploy problem with web apps with a plan with no
> environment, but I haven't investigated much yet.
>
> SECURITY
>
> http://issues.apache.org/jira/browse/GERONIMO-2294
> - For a security realm with multiple login modules, we do not handle
> the JAAS Control Flags correctly (e.g. we do not call the login
> modules using the correct logic).  Code to reproduce available. Alan
> had claimed a predecessor to this issue; I'm not sure if he's planning
> on working on this one.


GERONIMO-2268 (Security Realm with more than one LoginModule does not
function as expected <http://issues.apache.org/jira/browse/GERONIMO-2268>)
is this predecessor, I guess. And this is the cause of GERONIMO-2266
(FileAuditLoginModule: Does not log failed attempts) and GERONIMO-2267
(RepeatedFailureLockoutLoginModule: Does not function).


> http://issues.apache.org/jira/browse/GERONIMO-2295
> - For a web app, if the security url-patterns don't exactly match the
> servlet-mapping url-patterns, we apply no security at all.  Code to
> reproduce available.  Alan has claimed this issue.


Though a workaround exists, this should definitely be fixed ASAP.

> http://issues.apache.org/jira/browse/GERONIMO-1053
> - Likely not still a problem (reported against M5), but if it is, it
> sounds serious.
>
> There are a large number of other issues out there in the "security"
> category, but I don't think they're all as urgent (e.g. GERONIMO-1747,
> GERONIMO-2274, GERONIMO-2275, and GERONIMO-2279 probably ought to be
> addressed in 1.1.2 but I don't think they need to hold up 1.1.1).
>
> Thanks,
>      Aaron
>
> On 8/8/06, Matt Hogstrom <matt@hogstrom.org> wrote:
> > 1.1.1 is in a form that we can get ready to release it.  I was talking
> > with Aaron and he mentioned that there were some security issues he was
> > concerned about.  I would like to use this thread to identify any issues
> > that should be considered show stoppers and make the decision on how to
> > move forward.
> >
> > Please use this thread to provide that information.  What I think we'll
> > need to make an appropriate assessment is:
> >
> > Issue Description
> > How long have we had it?  (has it existed in earlier releases and we
> > knew it)
> > Exposure
> > JIRA issue number tracking the issue.
> >
> > Please provide your input as quickly as possible so we can assess how to
> > proceed with 1.1.1.
> >
> > Thanks.
> >
>
