tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: UDP fails, but doesn't throw a SecurityException
Date Wed, 24 Jun 2009 21:57:01 GMT


On 6/24/2009 5:17 PM, Christopher Piggott wrote:
>>> Here's my question: if this was failing, why didn't it throw a
>>> SecurityException?  It would have been less challenging to figure out
>>> what was going on had there been one.
>> Ask your Java vendor. :)
>> There is no Tomcat code there.
> Really?  I guess I didn't realize that.  I figured the security was
> mainly implemented by the classloaders provided by tomcat.

Nope, the security is generally provided by the component that provides
the service (in your case, UDP sockets).

You can see in the source from Sun (for 1.5.0, at least), the code for
DatagramSocket.receive looks like this:

SecurityManager security = System.getSecurityManager();
if (security != null) {
    while(true) {
        String peekAd = null;
        int peekPort = 0;
        // peek at the packet to see who it is from.
        if (!oldImpl) {
            // We can use the new peekData() API
            DatagramPacket peekPacket = new DatagramPacket(new byte[1], 1);
            peekPort = getImpl().peekData(peekPacket);
            peekAd = peekPacket.getAddress().getHostAddress();
        } else {
            InetAddress adr = new InetAddress();
            peekPort = getImpl().peek(adr);
            peekAd = adr.getHostAddress();
        }
        try {
            security.checkAccept(peekAd, peekPort);
            // security check succeeded - so now break
            // and recv the packet.
            break;
        } catch (SecurityException se) {
            // Throw away the offending packet by consuming
            // it in a tmp buffer.
            DatagramPacket tmp = new DatagramPacket(new byte[1], 1);
            getImpl().receive(tmp);

            // silently discard the offending packet
            // and continue: unknown/malicious
            // entities on nets should not make
            // runtime throw security exception and
            // disrupt the applet by sending random
            // datagram packets.
            continue;
        }
    } // end of while
}

You can see that SecurityExceptions are silently ignored in here.
Perhaps a newer version of the JRE includes a smarter implementation.

You can always write some code to do the check yourself: the code to do
it is right there in the code above. In your case, though, you would
propagate the exception instead of stupidly swallowing it :)

-chris
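The check Chris describes, as an added example that is not from the original mail, from Tomcat or from the JDK: because receive() has already discarded a rejected packet before application code ever sees it, the practical place to run checkAccept() yourself is before the socket is used, for the peers you expect, so a missing accept permission surfaces as a SecurityException instead of a receive() that never returns. The class name, method name and the 192.0.2.x peer addresses are assumptions.

```java
import java.net.DatagramSocket;
import java.net.InetSocketAddress;
import java.net.SocketException;
import java.util.Arrays;
import java.util.List;

// Added example, not code from this mail, from Tomcat or from the JDK.
// Class and method names and the peer addresses in main() are assumed.
public final class UdpPeerPolicyCheck {

    /**
     * Runs the same SecurityManager.checkAccept() that DatagramSocket.receive()
     * runs per packet, but for the expected peers and before any packet arrives.
     * Throws SecurityException naming the first peer the policy rejects; returns
     * normally when no SecurityManager is installed or all peers are permitted.
     */
    public static void requireAcceptFrom(List<InetSocketAddress> expectedPeers) {
        SecurityManager security = System.getSecurityManager();
        if (security == null) {
            return; // no sandbox: receive() would not filter anything either
        }
        for (InetSocketAddress peer : expectedPeers) {
            // checkAccept() takes either a host name or a literal address
            String host = peer.isUnresolved()
                    ? peer.getHostName() : peer.getAddress().getHostAddress();
            int port = peer.getPort();
            try {
                security.checkAccept(host, port);
            } catch (SecurityException se) {
                // Propagate instead of swallowing, and say what the policy lacks
                throw new SecurityException("policy grants no java.net.SocketPermission \""
                        + host + ":" + port + "\", \"accept\"; datagrams from this peer "
                        + "would be discarded silently by DatagramSocket.receive()", se);
            }
        }
    }

    public static void main(String[] args) throws SocketException {
        // Constructed sample peers (TEST-NET addresses); run under
        // -Djava.security.manager with a policy file to see the exception.
        List<InetSocketAddress> peers = Arrays.asList(
                new InetSocketAddress("192.0.2.10", 5000),
                new InetSocketAddress("192.0.2.11", 5000));
        requireAcceptFrom(peers);                 // before receive() can block
        DatagramSocket socket = new DatagramSocket(6000);
        System.out.println("accept permitted for all peers; bound on " + socket.getLocalPort());
        socket.close();
    }
}
```

Independently of any code change, starting the JVM with -Djava.security.debug=access,failure prints every failed permission check to stderr, which makes the per-packet checkAccept() failures that receive() otherwise hides visible.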

