Karaf / KARAF-4208

Poor Error Handling: Empty Catch Block


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 4.0.3

    Description

      HP Fortify SCA and SciTools Understand were used to perform an application security analysis of the Karaf source code.

      The method authenticate() in JaasSecurityProvider.java ignores an exception on line 215, which could cause the program to overlook unexpected states and conditions. In this case an authentication has failed and the attempt to respond to the client and let them know has also failed. The comment indicates that nothing can be done about the problem but the issue should be logged for further investigation or forensics purposes.

      File: webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java
      Line: 215

      JaasSecurityProvider.java, lines 207-218:

      207 // request authentication
      208 try
      209 {
      210     response.setHeader( HEADER_WWW_AUTHENTICATE, AUTHENTICATION_SCHEME_BASIC + " realm=\"" + this.realm + "\"" );
      211     response.setStatus( HttpServletResponse.SC_UNAUTHORIZED );
      212     response.setContentLength( 0 );
      213     response.flushBuffer();
      214 }
      215 catch ( IOException ioe )
      216 {
      217     // failed sending the response ... cannot do anything about it
      218 }
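      The same block rewritten so the failure is recorded rather than swallowed. This is an added illustration, not code from the Karaf source: the class and method names, the java.util.logging logger and the boolean return value are assumptions; the header, status and realm handling follow the original lines above.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative rewrite of the challenge-sending block (not the Karaf source).
 * Logger, class/method names and the boolean result are assumptions.
 */
public class AuthChallengeExample {
    private static final Logger LOG = Logger.getLogger(AuthChallengeExample.class.getName());
    private static final String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
    private static final String AUTHENTICATION_SCHEME_BASIC = "Basic";

    private final String realm;

    public AuthChallengeExample(String realm) {
        this.realm = realm;
    }

    /**
     * Sends the HTTP 401 challenge after a failed authentication.
     * Returns true if the response was flushed, false if sending it failed,
     * so the caller can stop processing instead of continuing as though the
     * client had been told to re-authenticate.
     */
    public boolean sendChallenge(HttpServletResponse response) {
        try {
            response.setHeader(HEADER_WWW_AUTHENTICATE,
                    AUTHENTICATION_SCHEME_BASIC + " realm=\"" + this.realm + "\"");
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentLength(0);
            response.flushBuffer();
            return true;
        } catch (IOException ioe) {
            // Nothing more can be done for this client, but the failure and its
            // cause are logged so the event is available for later investigation.
            LOG.log(Level.WARNING,
                    "Failed to send HTTP 401 challenge for realm \"" + realm + "\"", ioe);
            return false;
        }
    }
}
```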

          People

            Assignee: Unassigned
            Reporter: Eduardo Aguinaga (EdAInWestOC)