
transport guarantees on UDP not always enforced (at least w/jetty)

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0-M3
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None

      Description

      The UserDataPermission for a request on an unprotected socket is constructed erroneously with a transport guarantee of "N/A" rather than "NONE" (0 rather than 3). As a result, the UDP permission checks succeed rather than fail if url pattern and method match.

      I believe but have not checked that this results in insecure access to resources that are supposed to be under a transport guarantee only for unchecked resources. I believe that resources associated with a role have the transport guarantee at least partially enforced by the login mechanism.

      I have not looked into what the tomcat integration does in this situation.
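The request-side check this report is about, as an added example that is not Geronimo's own code: a simplified Python model of the JACC WebUserDataPermission rule (a policy transport type of NONE, or an omitted one, matches any request; INTEGRAL or CONFIDENTIAL must equal the request's transport type) with a request-side builder that maps an insecure connection to NONE rather than leaving the transport type unspecified. The class, the policy entries and the prefix-only URL matching are constructed for illustration.

```python
# Simplified model of a JACC-style WebUserDataPermission transport-guarantee
# check. Added example with hypothetical names; not Geronimo's implementation.

INTEGRAL = "INTEGRAL"
CONFIDENTIAL = "CONFIDENTIAL"
NONE = "NONE"


class WebUserDataPermission:
    """name = URL pattern, actions = 'METHOD[,METHOD...][:transportType]'."""

    def __init__(self, name, actions):
        self.name = name
        methods, _, transport = actions.partition(":")
        self.methods = {m for m in methods.split(",") if m}  # empty = all methods
        self.transport = transport or NONE  # omitted transport type means NONE

    def implies(self, other):
        # URL matching kept simple: exact match, or a 'prefix/*' path mapping.
        if self.name.endswith("/*"):
            prefix = self.name[:-1]
            if not other.name.startswith(prefix) and other.name != prefix[:-1]:
                return False
        elif self.name != other.name:
            return False
        if self.methods and not other.methods <= self.methods:
            return False
        # Policy side: NONE places no requirement; INTEGRAL/CONFIDENTIAL must
        # equal the transport type actually observed on the request.
        return self.transport == NONE or self.transport == other.transport


def request_permission(uri, method, is_secure):
    # Request side: a request on an unprotected socket must carry NONE. If it
    # carried an unspecified value instead, a CONFIDENTIAL constraint could not
    # be compared against it, which is the failure mode the report describes.
    transport = CONFIDENTIAL if is_secure else NONE
    return WebUserDataPermission(uri, f"{method}:{transport}")


def check(policy, uri, method, is_secure):
    """True if some policy permission implies the permission built from the request."""
    req = request_permission(uri, method, is_secure)
    return any(p.implies(req) for p in policy)


# Constructed policy: /secure/* requires CONFIDENTIAL, /public/* is unconstrained.
POLICY = [
    WebUserDataPermission("/secure/*", "GET,POST:CONFIDENTIAL"),
    WebUserDataPermission("/public/*", "GET"),
]
```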

People

• Assignee: djencks (David Jencks)
• Reporter: djencks (David Jencks)