karaf-issues mailing list archives

From "Eduardo Aguinaga (JIRA)" <j...@apache.org>
Subject [jira] [Created] (KARAF-4207) Poor Error Handling: Empty Catch Block
Date Tue, 15 Dec 2015 16:04:46 GMT
Eduardo Aguinaga created KARAF-4207:
---------------------------------------

             Summary: Poor Error Handling: Empty Catch Block
                 Key: KARAF-4207
                 URL: https://issues.apache.org/jira/browse/KARAF-4207
             Project: Karaf
          Issue Type: Bug
    Affects Versions: 4.0.3
            Reporter: Eduardo Aguinaga


HP Fortify SCA and SciTools Understand were used to perform an application security analysis
of the Karaf source code.

The method authenticate() in JaasSecurityProvider.java ignores an exception on line 199, which
could cause the program to overlook unexpected states and conditions. In this case a failed
authentication attempt is silently ignored, which is never a good idea.

File: webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java
Line: 199

JaasSecurityProvider.java, lines 155-205:
155 public boolean authenticate( HttpServletRequest request, HttpServletResponse response )
156 {
157     // Return immediately if the header is missing
158     String authHeader = request.getHeader( HEADER_AUTHORIZATION );
159     if ( authHeader != null && authHeader.length() > 0 )
160     {
. . .
166         if ( blank > 0 )
167         {
. . .
171             // Check whether authorization type matches
172             if ( authType.equalsIgnoreCase( AUTHENTICATION_SCHEME_BASIC ) )
173             {
174                 try
175                 {
. . .
181                     // authenticate
182                     Subject subject = doAuthenticate( username, password );
183                     if ( subject != null )
184                     {
. . .
198                 }
199                 catch ( Exception e )
200                 {
201                     // Ignore
202                 }
203             }
204         }
205     }
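To make the failure mode concrete, here is an added stand-alone Java sketch (not Karaf's own code): the swallowing form from the report beside a version that still fails closed but logs the cause. The class name, the Authenticator interface standing in for doAuthenticate(), and the decodeBasic() helper are assumptions made for this illustration; the raw header value is passed in so the snippet compiles without the servlet API.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added illustration of the reported pattern, not Karaf's own code. The raw
// header value is passed in so it compiles without the servlet API.
public class BasicAuthExample {
    private static final Logger LOG = Logger.getLogger(BasicAuthExample.class.getName());

    /** Stand-in for JaasSecurityProvider.doAuthenticate(); a LoginException or a
     *  runtime failure in the JAAS realm surfaces here as an exception. */
    interface Authenticator {
        Object authenticate(String username, String password) throws Exception;
    }

    /** Shape of the reported code: a realm failure is swallowed, so the caller
     *  cannot distinguish "wrong password" from "realm broken". */
    static boolean authenticateSwallowing(String authHeader, Authenticator realm) {
        try {
            String[] creds = decodeBasic(authHeader);
            return creds != null && realm.authenticate(creds[0], creds[1]) != null;
        } catch (Exception e) {
            // Ignore  <-- the empty catch block flagged at line 199
        }
        return false;
    }

    /** Hardened form: still fails closed, but records why, so operators can see
     *  a misconfigured realm or repeated failures instead of silent denials. */
    static boolean authenticateLogging(String authHeader, Authenticator realm) {
        try {
            String[] creds = decodeBasic(authHeader);
            return creds != null && realm.authenticate(creds[0], creds[1]) != null;
        } catch (Exception e) {
            LOG.log(Level.WARNING, "Basic authentication failed", e); // never log the password
            return false;
        }
    }

    /** Parses "Basic base64(user:pass)"; null when the header is not a Basic one. */
    static String[] decodeBasic(String authHeader) {
        int blank = authHeader.indexOf(' ');
        if (blank <= 0 || !authHeader.substring(0, blank).equalsIgnoreCase("Basic")) return null;
        String decoded = new String(Base64.getDecoder().decode(authHeader.substring(blank + 1).trim()),
                StandardCharsets.UTF_8);
        int colon = decoded.indexOf(':');
        return colon < 0 ? null : new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }
}
```

With a realm that throws (for example one whose JAAS configuration is missing), both methods return false, but only the second leaves a WARNING record that explains the denial.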

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)