[ http://issues.apache.org/jira/browse/GERONIMO-643?page=comments#action_64697 ]
David Jencks commented on GERONIMO-643:
---------------------------------------
revision 169130 provides at least a partial fix for this problem by making sure the UDP never has a transport guarantee of "N/A". I'd prefer additional review of this area before closing the issue.
> transport guarantees on UDP not always enforced (at least w/jetty)
> ------------------------------------------------------------------
>
> Key: GERONIMO-643
> URL: http://issues.apache.org/jira/browse/GERONIMO-643
> Project: Geronimo
> Type: Bug
> Components: security
> Versions: 1.0-M3
> Reporter: David Jencks
> Assignee: David Jencks
>
> The UserDataPermission for a request on an unprotected socket is constructed erroneously with a transport guarantee of "N/A" rather than "NONE" (0 rather than 3). As a result, the UDP permission checks succeed rather than fail if url pattern and method match.
> I believe but have not checked that this results in insecure access to resources that are supposed to be under a transport guarantee only for unchecked resources. I believe that resources associated with a role have the transport guarantee at least partially enforced by the login mechanism.
> I have not looked into what the tomcat integration does in this situation.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
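The following is an added, constructed Python model of the transport-guarantee check the issue describes; it is not Geronimo's code, not the JACC `UserDataPermission` implementation, and not part of the JIRA thread. The numeric codes for "N/A" (0) and "NONE" (3) come from the issue text; the codes for INTEGRAL and CONFIDENTIAL, the `implies()` rule (a request carrying "N/A" is treated as unconstrained, which is what lets the check succeed), and all function names are assumptions made for illustration. It shows the "before" behaviour (unprotected socket mapped to "N/A", check passes), the fix (unprotected socket mapped to "NONE", check fails), and a guard a container could apply so a request-side permission never carries "N/A".

```python
# Constructed model of a JACC-style UserDataPermission check (GERONIMO-643).
# Not Geronimo's or the JACC spec's code: codes for INTEGRAL/CONFIDENTIAL,
# the implies() rule and all names below are assumptions for illustration.

NA, INTEGRAL, CONFIDENTIAL, NONE = 0, 1, 2, 3   # 0 and 3 per the issue; 1 and 2 assumed


class UserDataPermission:
    """Policy grant or request permission: URL pattern, HTTP methods, transport."""

    def __init__(self, url_pattern, methods, transport):
        self.url_pattern = url_pattern
        self.methods = frozenset(m.upper() for m in methods)
        self.transport = transport

    def implies(self, other):
        """Does this granted permission imply the requested one?"""
        if self.url_pattern != other.url_pattern:      # exact match is enough for the model
            return False
        if not other.methods <= self.methods:
            return False
        # Assumed rule: a request whose transport was never recorded ("N/A") carries
        # no constraint to enforce, so it is implied by any grant. This is the
        # behaviour the issue describes: the check succeeds instead of failing.
        if other.transport == NA:
            return True
        if self.transport == NONE:                     # grant requires nothing
            return True
        if self.transport == INTEGRAL:                 # integrity satisfied by INTEGRAL or CONFIDENTIAL
            return other.transport in (INTEGRAL, CONFIDENTIAL)
        return other.transport == self.transport       # CONFIDENTIAL requires CONFIDENTIAL


def request_permission_buggy(url_pattern, method, secure):
    """'Before' behaviour from the issue: an unprotected socket yields "N/A" (0)."""
    return UserDataPermission(url_pattern, [method], CONFIDENTIAL if secure else NA)


def request_permission_fixed(url_pattern, method, secure):
    """Fix: an unprotected socket is recorded as "NONE" (3) so the grant can reject it."""
    return UserDataPermission(url_pattern, [method], CONFIDENTIAL if secure else NONE)


def assert_enforceable(request):
    """Guard matching the intent of the fix: a request-side permission must never
    carry "N/A", because the check would then pass by default."""
    if request.transport == NA:
        raise ValueError("request UserDataPermission has transport N/A; map it to NONE")
    return request


def access_allowed(granted, request):
    """Policy decision: any grant implying the request allows it."""
    return any(g.implies(request) for g in granted)


def demo():
    """Constructed policy: /secure/* requires a confidential transport for GET and POST."""
    policy = [UserDataPermission("/secure/*", ["GET", "POST"], CONFIDENTIAL)]
    plain_buggy = request_permission_buggy("/secure/*", "GET", secure=False)
    plain_fixed = request_permission_fixed("/secure/*", "GET", secure=False)
    tls = request_permission_fixed("/secure/*", "GET", secure=True)
    return {
        "plain_socket_buggy": access_allowed(policy, plain_buggy),   # True: guarantee bypassed
        "plain_socket_fixed": access_allowed(policy, plain_fixed),   # False: correctly rejected
        "tls_socket": access_allowed(policy, tls),                   # True: guarantee met
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The point a reviewer would take from the model is that the defect is in the mapping step, not in the policy: the grant is correct, but a sentinel value on the request side short-circuits the comparison. A guard like `assert_enforceable` at the point where the container builds the request permission turns that silent pass into a loud failure during testing.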