geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kevan Miller <>
Subject Re: 1.1.1 - Ready or not ? Soliciting input
Date Tue, 08 Aug 2006 16:34:52 GMT

On Aug 8, 2006, at 12:08 PM, Aaron Mulder wrote:

> Here are the issues that bother me most in 1.1.1.  I believe they are
> all also issues in 1.1.
> - Redeploy broken when module ID does not include a type (patch  
> available)
> - Redeploy broken when module ID does not include a version and app
> uses JNDI (patch available)
> I also just found a deploy problem with web apps with a plan with no
> environment, but I haven't investigated much yet.

Why haven't the patches been committed? They need a Release Manager  
go ahead? I certainly wouldn't classify either problem as a BLOCKER.  
They could be fixed in 1.1.x.

> - For a security realm with multiple login modules, we do not handle
> the JAAS Control Flags correctly (e.g. we do not call the login
> modules using the correct logic).  Code to reproduce available. Alan
> had claimed a predecessor to this issue; I'm not sure if he's planning
> on working on this one.

Does this problem allow unauthorized/unauthenticated access to  
secured resources? If not, then I wouldn't categorize it as a BLOCKER.

> - For a web app, if the security url-patterns don't exactly match the
> servlet-mapping url-patterns, we apply no security at all.  Code to
> reproduce available.  Alan has claimed this issue.

That certainly seems like a must-fix BLOCKER to me...

> - Likely not still a problem (reported against M5), but if it is, it
> sounds serious.

Even if it does still exist, doesn't seem like a BLOCKER.

> There are a large number of other issues out there in the "security"
> category, but I don't think they're all as urgent (e.g. GEORNIMO-1747,
> GERONIMO-2274, GERONIMO-2275, and GERONIMO-2279 probably ought to be
> addressed in 1.1.2 but I don't think need to hold up 1.1.1).
> Thanks,
>     Aaron
> On 8/8/06, Matt Hogstrom <> wrote:
>> 1.1.1 is in a form that we can get ready to release it.  I was  
>> talking with Aaron and he mentioned
>> that there were some security issues he was concerned about.  I  
>> would like to use this thread to
>> identify any issues that should be considered show stoppers and  
>> make the decision on how to move
>> forward.
>> Please use this thread to provide that information.  What I think  
>> we'll need to make an appropriate
>> assessement is:
>> Issue Description
>> How long have we had it?  (has it existed in earlier releases and  
>> we knew it)
>> Exposure
>> JIRA issue number tracking the issue.
>> Please provide your input as quickly as possible so we can assess  
>> how to proceed with 1.1.1.
>> Thanks.

View raw message