Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- 4.0.3
Description
HP Fortify SCA and SciTools Understand were used to perform an application security analysis of the karaf source code.
The method authenticate() in JaasSecurityProvider.java catches and silently discards an IOException at line 215, which could cause the program to overlook unexpected states and conditions. In this case an authentication has already failed, and the attempt to respond to the client with the 401 challenge has also failed. The comment indicates that nothing can be done about the send failure, but the event should still be logged for further investigation or forensic purposes rather than being dropped.
File: webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java
Line: 215
JaasSecurityProvider.java, lines 207-218:

207         // request authentication
208         try
209         {
210             response.setHeader( HEADER_WWW_AUTHENTICATE, AUTHENTICATION_SCHEME_BASIC + " realm=\"" + this.realm + "\"" );
211             response.setStatus( HttpServletResponse.SC_UNAUTHORIZED );
212             response.setContentLength( 0 );
213             response.flushBuffer();
214         }
215         catch ( IOException ioe )
216         {
217             // failed sending the response ... cannot do anything about it
218         }
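For comparison, this is an added example of how the challenge-sending block could look with the IOException recorded instead of swallowed. It is not the project's own code: the class name, the helper signature, the use of java.util.logging and the constant values are assumptions, and it needs the servlet API on the classpath.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical hardened version of the quoted catch block (not from the Felix/Karaf source).
public final class BasicChallenge {

    private static final Logger LOG = Logger.getLogger(BasicChallenge.class.getName());

    // Assumed values; the real constants live in the web console module.
    private static final String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
    private static final String AUTHENTICATION_SCHEME_BASIC = "Basic";

    private final String realm;

    public BasicChallenge(String realm) {
        this.realm = realm;
    }

    /**
     * Sends the 401 challenge after a failed authentication.
     * Returns true if the response was flushed, false if sending it failed.
     * The failure is still unrecoverable (the client connection is most likely gone),
     * but it is logged with the peer address and stack trace so that it can be
     * correlated with the failed authentication during an investigation.
     */
    public boolean send(HttpServletRequest request, HttpServletResponse response) {
        String client = request.getRemoteAddr();
        String uri = request.getRequestURI();
        try {
            response.setHeader(HEADER_WWW_AUTHENTICATE,
                    AUTHENTICATION_SCHEME_BASIC + " realm=\"" + this.realm + "\"");
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentLength(0);
            response.flushBuffer();
            return true;
        } catch (IOException ioe) {
            // Nothing to do about the send itself, but do not drop the event silently.
            // Only metadata is logged; no credentials from the request are included.
            LOG.log(Level.WARNING,
                    "Failed to send 401 challenge to " + client + " for " + uri, ioe);
            return false;
        }
    }
}
```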