geronimo-dev mailing list archives

From Kevan Miller <kevan.mil...@gmail.com>
Subject Re: Geronimo 2.0 Release suspended due to security issue found before release
Date Tue, 14 Aug 2007 02:12:03 GMT

On Aug 13, 2007, at 9:27 PM, David Jencks wrote:

> I think I've fixed GERONIMO-3404 and GERONIMO-3406 in trunk, rev
> 565599. It might be a good idea for this to get a review before we
> port it to branches/2.0 and possibly branches/2.0.x.

I'm looking things over now... May take me a bit... Easy to get this  
logic a bit twisted...

>
> I haven't decided how to fix GERONIMO-3407 yet, and could be talked
> out of it for 2.0.1. The problem would manifest itself as geronimo
> not working if anyone tried to use a login module with REQUISITE
> or (I think) SUFFICIENT flags. I don't think there's any security
> exposure, it's just that you effectively couldn't log in with such a
> login configuration.

Hmm. I was thinking the big issue was with the SUFFICIENT flag -- if  
a SUFFICIENT LoginModule succeeds, authentication does not proceed  
down the chain of LoginModules. Thus the  
SubjectLoginRegistrationModule might not be invoked.

Likewise, if a REQUISITE LoginModule fails, the  
SubjectLoginRegistrationModule wouldn't be invoked. Since the login  
won't succeed, this doesn't seem like a big issue. Am I missing  
something?

>
> On a completely unrelated issue I can't build modules/geronimo-axis-builder
> in trunk as part of the main build, I get a complaint from
> javac. I don't have problems building it by itself. Anyone else
> see this?

I'm not having a problem...

--kevan
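To make the flag interaction discussed above concrete, here is an added example (not code from the thread or from Geronimo): a small model of the JAAS LoginContext control-flag algorithm for the login() phase, used to trace which modules in a chain actually get invoked. The module names other than SubjectLoginRegistrationModule, and the flag assigned to it, are constructed assumptions.

```python
# Added example: minimal model of JAAS control-flag semantics (login phase).
# Module names and chain layouts below are constructed for illustration.

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"

def run_login_phase(chain):
    """chain: list of (name, flag, succeeds). Returns (overall_ok, invoked_names).

    Follows the documented JAAS rules for login():
      REQUIRED   - failure is recorded, but the chain continues
      REQUISITE  - failure stops the chain immediately
      SUFFICIENT - success stops the chain immediately (unless a REQUIRED or
                   REQUISITE module already failed); failure continues
      OPTIONAL   - continue either way
    """
    invoked = []
    required_seen = False
    required_failed = False
    optional_succeeded = False
    for name, flag, succeeds in chain:
        invoked.append(name)
        if flag in (REQUIRED, REQUISITE):
            required_seen = True
            if not succeeds:
                required_failed = True
                if flag == REQUISITE:
                    break  # fail fast: later modules are never called
        elif succeeds:
            optional_succeeded = True
            if flag == SUFFICIENT and not required_failed:
                break  # short-circuit: later modules are never called
    overall_ok = (not required_failed) if required_seen else optional_succeeded
    return overall_ok, invoked

def registration_module_ran(chain, registration="SubjectLoginRegistrationModule"):
    """Did login succeed, and was the trailing registration module reached?"""
    ok, invoked = run_login_phase(chain)
    return ok, registration in invoked

if __name__ == "__main__":
    # A succeeding SUFFICIENT module ends the chain, so the registration
    # module at the end never runs even though the login as a whole succeeds.
    chain = [("PropertiesFileLoginModule", SUFFICIENT, True),
             ("SubjectLoginRegistrationModule", REQUIRED, True)]
    print(registration_module_ran(chain))  # (True, False)
```

The dangerous case is the first one: authentication reports success while the registration step silently never happened, which is exactly the gap a REQUISITE failure does not open, because there the login fails outright.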
