  1. Qpid
  2. QPID-8553

[Broker-J] HP Fortify: Weak SecurityManager Check: Overridable Method

    Details

    • Type: Improvement
    • Status: Reopened
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: qpid-java-broker-8.0.5
    • Fix Version/s: qpid-java-broker-9.0.0
    • Component/s: Broker-J
    • Labels:
      None

      Description

      HP Fortify complains that classes defining security may be overridden by subclasses, thereby bypassing the security features:

      broker-plugins/access-control/src/main/org/apache/qpid/server/security/access/config/RuleBasedAccessControl.java
      Line 58 newToken() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
      Line 75 authorise() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.

      broker-core/src/main/java/org/apache/qpid/server/model/BrokerImpl.java
      Line 1022 getConnectionMetaData() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
      Line 1046 getGroups() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.

      broker-plugins/management-http/src/main/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java
      Line 79 doGet() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.

      broker-plugins/amqp-0-8-protocol/org/apache/qpid/server/protocol/v0_8/AMQPConnection_0_8Impl.java
      Line 699 readerIdle() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
      Executes privileged action.

      broker-plugins/logging-logback/src/main/org/apache/qpid/server/logging/logback/ConnectionAndUserPredicate.java
      Line 43 evaluate() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.

      broker-plugins/amqp-1-0-protocol/src/main/org/apache/qpid/server/protocol/v1_0/AMQPConnection_1_0Impl.java
      Line 444 receive() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
      Line 1269 readerIdle() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
      Line 1340 receivedComplete() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.

      broker-plugins/amqp-0-8-protocol/src/main/org/apache/qpid/server/protocol/v0_8/BrokerDecoder.java
      Line 78 processAMQPFrames() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
      Executes privileged action.

      broker-core/src/main/java/org/apache/qpid/server/security/CompoundAccessControl.java
      Line 68 newToken() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.

      broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerAssembler.java
      Line 72 received() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
      Executes privileged action.

      broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/AMQPConnection_0_10Impl.java
      Line 165 readerIdle() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
      Line 182 closed() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
      Executes privileged action.

      broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ProxyMessageSource.java
      Line 152 addConsumer() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.

      broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementAddressSpace.java
      Line 172 getProxyNode() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.

      broker-plugins/logging-logback/src/main/java/org/apache/qpid/server/logging/logback/PrincipalLogEventFilter.java
      Line 43 decide() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.

      broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/AMQChannel.java
      Line 303 receivedComplete() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.

      broker-core/src/main/java/org/apache/qpid/server/queue/AbstractQueue.java
      Line 359 onOpen() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
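
The finding category reported above, shown as a small added example (not code from the issue or from Broker-J): a security check in a non-final method can be dropped by a subclass, while a final entry point with a protected hook keeps the check in place. All class and method names here are hypothetical.

```java
import java.util.Set;
// Added illustration; class and method names are hypothetical, not Broker-J code.
public class OverridableCheckDemo {
    /** Weak form: the security check lives in a non-final public method. */
    static class WeakQueueAdmin {
        private final Set<String> admins;
        WeakQueueAdmin(Set<String> admins) { this.admins = admins; }
        // Overridable: a subclass can replace the check and the action together.
        public String purge(String user) {
            if (!admins.contains(user)) {
                throw new SecurityException(user + " may not purge");
            }
            return "purged by " + user;
        }
    }

    /** A subclass that silently drops the check when it overrides purge(). */
    static class LenientAdmin extends WeakQueueAdmin {
        LenientAdmin(Set<String> admins) { super(admins); }
        @Override
        public String purge(String user) { return "purged by " + user; }
    }

    /** Hardened form: the final entry point owns the check; only the action is a hook. */
    static class HardenedQueueAdmin {
        private final Set<String> admins;
        HardenedQueueAdmin(Set<String> admins) { this.admins = admins; }
        public final String purge(String user) {
            if (!admins.contains(user)) {
                throw new SecurityException(user + " may not purge");
            }
            return doPurge(user);
        }
        // Extension point: reached through purge() only after the check has passed.
        protected String doPurge(String user) { return "purged by " + user; }
    }

    public static void main(String[] args) {
        Set<String> admins = Set.of("alice"); // constructed sample data
        WeakQueueAdmin weak = new LenientAdmin(admins);
        System.out.println("weak:     " + weak.purge("mallory"));
        try {
            System.out.println(new HardenedQueueAdmin(admins).purge("mallory"));
        } catch (SecurityException e) {
            System.out.println("hardened: denied (" + e.getMessage() + ")");
        }
    }
}
```

Declaring the class itself final has the same effect where no extension is intended.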

            People

            • Assignee:
              Unassigned
              Reporter:
              daniel.kirilyuk Daniil Kirilyuk