Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 1.0-M3
- None
- None
Description
The UserDataPermission for a request on an unprotected socket is constructed erroneously with a transport guarantee of "N/A" rather than "NONE" (0 rather than 3). As a result, the UDP permission checks succeed rather than fail if the URL pattern and method match.
I believe, but have not checked, that this results in insecure access to resources that are supposed to be under a transport guarantee only for unchecked resources. I believe that resources associated with a role have the transport guarantee at least partially enforced by the login mechanism.
I have not looked into what the Tomcat integration does in this situation.