  1. Derby
  2. DERBY-3537

Invalid use of shutdown authentication checks in NetworkServerControlImpl.directShutdown()

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 10.4.1.3
    • Component/s: Network Server
    • Labels:
      None

      Description

      If ClientThread hits an SSLException exception it will call NetworkServerControlImpl.directShutdown().

      DERBY-2109 added privilege checking to directShutdown() that includes authentication.

      I can't see how this call by ClientThread can be valid. Authentication is not required to start the network server, thus a NetworkServerControl with no user, password may be used and thus passed onto directShutdown() failing authentication and then failing to perform the failed shutdown?

      I think the error was adding the privilege check in DERBY-2109; it looks like this method is for use only within the network server (actually this is the only use of it). Maybe the correct security mechanism would have been to make the method package private?
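
The failure the description reasons about, and the package-private alternative it suggests, as a simplified model added here (not Derby source and not the attached patch). The class names, method names and the credential check are hypothetical stand-ins.

```java
// Simplified model, not Derby source: every class and method name is hypothetical.
import javax.net.ssl.SSLException;

public class InternalShutdownSketch {
    static class ServerControl {
        // Credentials may be null: starting the server does not require them.
        private final String user, password;
        private boolean running = true;

        ServerControl(String user, String password) { this.user = user; this.password = password; }

        boolean isRunning() { return running; }

        // Stand-in for the authentication part of the shutdown privilege check.
        private void checkShutdownAuth() {
            if (user == null || password == null)
                throw new SecurityException("shutdown requires authentication");
        }

        // Before: the authenticated entry point is reused on the internal error path.
        public void directShutdownChecked() { checkShutdownAuth(); running = false; }

        // Suggested shape: not public, no credential check, callable only by server code
        // in the same package.
        void directShutdownInternal() { running = false; }
    }

    // Stand-in for the client thread's reaction to an SSL failure.
    static boolean stillRunningAfterSslFailure(ServerControl server, boolean useInternal) {
        try {
            throw new SSLException("constructed handshake failure");
        } catch (SSLException e) {
            try {
                if (useInternal) server.directShutdownInternal();
                else server.directShutdownChecked();
            } catch (SecurityException denied) {
                // The shutdown triggered by the fatal error was itself refused.
            }
        }
        return server.isRunning();
    }

    public static void main(String[] args) {
        System.out.println("checked path, still running:  "
            + stillRunningAfterSslFailure(new ServerControl(null, null), false));
        System.out.println("internal path, still running: "
            + stillRunningAfterSslFailure(new ServerControl(null, null), true));
    }
}
```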

        Attachments

        1. DERBY-3537-01.diff
          1 kB
          Martin Zaun
        2. DERBY-3537-01.stat
          0.1 kB
          Martin Zaun

            People

            • Assignee:
              mzaun Martin Zaun
              Reporter:
              djd Daniel John Debrunner