geronimo-dev mailing list archives

From Matt Hogstrom <m...@hogstrom.org>
Subject Re: Merge GERONIMO-2313 into 1.1.1??
Date Fri, 18 Aug 2006 15:09:59 GMT
Jim,

Thanks for the bump.

Agony might have been more my state of mind than a good reflection of the
discussion but I'll summarize it here.

Note David Jencks' comments below about how EJB security is broken in
Geronimo.  We know it doesn't work and for the life of me I'm not sure why
in the voluminous number of tests executed to certify Geronimo this simple
test case is not included.  Nevertheless, it is a security issue and given
that we are working through some legal questions over DTDs and XSDs as the
release manager I decided to let the change in due to the fact it is a
security issue.

Thanks

Jim Jagielski wrote:
> Will there be a summary of the IRC discussion posted onlist?
> 
> On Aug 16, 2006, at 12:31 PM, Matt Hogstrom wrote:
> 
>> After agonizing over this on IRC let's put in 2313.  Close the door 
>> and start testing.
>>
>> David Jencks wrote:
>>> GERONIMO-2313 is a fairly serious security problem: basically ejb 
>>> security is totally broken when the ejb is called from a web app.
>>> I think this could be merged easily from the 1.1 branch into 1.1.1, 
>>> however it requires openejb changes as well.
>>> Alan suggested that since 1.1.1 is already delayed for security 
>>> problems we might want to  include this fix as well.
>>> I think this is a good idea but wait for Matt the release manager's 
>>> approval.
>>> thanks
>>> david jencks
>>
> 
> 
> 
> 
