karaf-issues mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KARAF-4207) Poor Error Handling: Empty Catch Block
Date Mon, 27 Jun 2016 10:25:52 GMT

    [ https://issues.apache.org/jira/browse/KARAF-4207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15350761#comment-15350761 ]

ASF subversion and git services commented on KARAF-4207:
--------------------------------------------------------

Commit f9a508249ecb8d01a60ece5217b98c47efbee0ba in karaf's branch refs/heads/karaf-4.0.x from [~chris@die-schneider.net]
[ https://git-wip-us.apache.org/repos/asf?p=karaf.git;h=f9a5082 ]

[KARAF-4207] Logging errors


> Poor Error Handling: Empty Catch Block
> --------------------------------------
>
>                 Key: KARAF-4207
>                 URL: https://issues.apache.org/jira/browse/KARAF-4207
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>            Assignee: Christian Schneider
>             Fix For: 4.1.0, 4.0.6
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application security analysis on the karaf source code.
> The method authenticate() in JaasSecurityProvider.java ignores an exception on line 199, which could cause the program to overlook unexpected states and conditions. In this case the attempt to authenticate is ignored, which is never a good idea.
> File: webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java
> Line: 199
> JaasSecurityProvider.java, lines 155-205:
> {code}
> 155 public boolean authenticate( HttpServletRequest request, HttpServletResponse response )
> 156 {
> 157     // Return immediately if the header is missing
> 158     String authHeader = request.getHeader( HEADER_AUTHORIZATION );
> 159     if ( authHeader != null && authHeader.length() > 0 )
> 160     {
> . . .
> 166         if ( blank > 0 )
> 167         {
> . . .
> 171             // Check whether authorization type matches
> 172             if ( authType.equalsIgnoreCase( AUTHENTICATION_SCHEME_BASIC ) )
> 173             {
> 174                 try
> 175                 {
> . . .
> 181                     // authenticate
> 182                     Subject subject = doAuthenticate( username, password );
> 183                     if ( subject != null )
> 184                     {
> . . .
> 198                 }
> 199                 catch ( Exception e )
> 200                 {
> 201                     // Ignore
> 202                 }
> 203             }
> 204         }
> 205     }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
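The report above is about an empty catch block, so the practical question is what the caller loses when `catch ( Exception e ) { // Ignore }` swallows everything thrown around `doAuthenticate`. The following is an added example written for this page; it is not Karaf or Felix code and it is not the change in the linked commit (whose message says only "Logging errors"). It models the same control flow with a stand-in for the JAAS login: `BasicAuthChecker`, `Backend`, `decodeBasic`, the `karaf`/`ops` accounts and the simulated realm outage are all assumptions made for the example. The silent variant returns `false` for a wrong password, a malformed header and a broken realm alike, leaving no record of which one happened; the logged variant returns the same booleans (still fail-closed) but writes a WARNING or SEVERE record with the user name and cause, so an operator can tell a credential-stuffing attempt from a realm outage.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.login.LoginException;

/**
 * Constructed example (not Karaf/Felix code): the effect of an empty catch
 * block around HTTP Basic authentication, next to a variant that logs the
 * failure before returning false. All names here are assumptions.
 */
public class BasicAuthChecker {
    private static final Logger LOG = Logger.getLogger(BasicAuthChecker.class.getName());

    /** Hypothetical stand-in for a JAAS login: may reject, or may itself fail. */
    public interface Backend {
        boolean login(String user, String password) throws LoginException;
    }

    private final Backend backend;

    public BasicAuthChecker(Backend backend) {
        this.backend = backend;
    }

    /** Mirrors the pattern the report flags: every exception is silently dropped. */
    public boolean authenticateSilently(String authHeader) {
        try {
            String[] creds = decodeBasic(authHeader);
            return backend.login(creds[0], creds[1]);
        } catch (Exception e) {
            // Ignore  <- nothing is logged; the caller cannot tell a bad
            //           password from a broken realm or a malformed header
        }
        return false;
    }

    /** Same control flow, but each failure is recorded with enough context to act on. */
    public boolean authenticateLogged(String authHeader) {
        String user = "<unparsed>";
        try {
            String[] creds = decodeBasic(authHeader);
            user = creds[0];
            return backend.login(user, creds[1]);
        } catch (LoginException e) {
            // Expected path for wrong credentials: record it without a stack trace
            LOG.log(Level.WARNING, "Authentication failed for user {0}: {1}",
                    new Object[] { user, e.getMessage() });
        } catch (IllegalArgumentException e) {
            LOG.log(Level.WARNING, "Malformed Authorization header: {0}", e.getMessage());
        } catch (RuntimeException e) {
            // Unexpected state in the realm itself: the case an empty catch block hides
            LOG.log(Level.SEVERE, "Error while authenticating user " + user, e);
        }
        return false; // fail closed in every failure case
    }

    /** Decodes "Basic base64(user:pass)"; throws IllegalArgumentException on anything else. */
    static String[] decodeBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            throw new IllegalArgumentException("not a Basic credential");
        }
        // Base64.Decoder.decode throws IllegalArgumentException on invalid input
        String decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                StandardCharsets.UTF_8);
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            throw new IllegalArgumentException("missing ':' separator");
        }
        return new String[] { decoded.substring(0, colon), decoded.substring(colon + 1) };
    }

    public static void main(String[] args) {
        // Constructed backend: one valid account, and a simulated realm outage for "ops"
        Backend backend = (user, pw) -> {
            if ("ops".equals(user)) {
                throw new IllegalStateException("realm unavailable");
            }
            if ("karaf".equals(user) && "karaf".equals(pw)) {
                return true;
            }
            throw new LoginException("bad credentials");
        };
        BasicAuthChecker checker = new BasicAuthChecker(backend);
        Base64.Encoder enc = Base64.getEncoder();
        String good = "Basic " + enc.encodeToString("karaf:karaf".getBytes(StandardCharsets.UTF_8));
        String outage = "Basic " + enc.encodeToString("ops:x".getBytes(StandardCharsets.UTF_8));
        String broken = "Basic not-base64!";

        // Silent variant: false for outage and garbage, with no trace of why
        System.out.println("silent, valid:   " + checker.authenticateSilently(good));
        System.out.println("silent, outage:  " + checker.authenticateSilently(outage));
        System.out.println("silent, garbage: " + checker.authenticateSilently(broken));
        // Logged variant: same booleans, plus a WARNING/SEVERE record on stderr per failure
        System.out.println("logged, outage:  " + checker.authenticateLogged(outage));
        System.out.println("logged, garbage: " + checker.authenticateLogged(broken));
    }
}
```

Compile and run with `javac BasicAuthChecker.java && java BasicAuthChecker`. The catch order matters: `IllegalArgumentException` must precede `RuntimeException`, and a bare `catch (Exception e)` that logs is still better than an empty one, but separating expected rejections (WARNING, no stack trace) from unexpected errors (SEVERE, with stack trace) keeps the log usable under a brute-force attempt while still surfacing a broken realm.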
