Kevan Miller wrote:

SECURITY

http://issues.apache.org/jira/browse/GERONIMO-2294
- For a security realm with multiple login modules, we do not handle
the JAAS Control Flags correctly (e.g. we do not call the login
modules using the correct logic).  Code to reproduce available. Alan
had claimed a predecessor to this issue; I'm not sure if he's planning
on working on this one.

Does this problem allow unauthorized/unauthenticated access to secured resources? If not, then I wouldn't categorize it as a BLOCKER.


http://issues.apache.org/jira/browse/GERONIMO-2295
- For a web app, if the security url-patterns don't exactly match the
servlet-mapping url-patterns, we apply no security at all.  Code to
reproduce available.  Alan has claimed this issue.

That certainly seems like a must-fix BLOCKER to me...

I agree. While not in the same class as a remote root exploit, this is still potentially very serious (I say 'potentially' because I don't know the precise details of the defect).

Bill
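The first issue in the thread (GERONIMO-2294) is about not applying the JAAS control flags correctly across a stack of login modules. As an added illustration that is not from the thread or from the Geronimo code base, the following Python model implements the login-phase semantics that the JAAS `LoginContext` documentation specifies for Required, Requisite, Sufficient and Optional modules, and records which modules actually get invoked. The module names and the pass/fail outcomes are constructed test inputs; the commit/abort phase is not modelled.

```python
from enum import Enum


class Flag(Enum):
    """JAAS control flags for a login module in a realm's module stack."""
    REQUIRED = "required"
    REQUISITE = "requisite"
    SUFFICIENT = "sufficient"
    OPTIONAL = "optional"


def evaluate_login(stack):
    """Run a login-module stack with JAAS control-flag semantics.

    stack: list of (name, Flag, outcome) where outcome is a bool or a
           zero-argument callable returning bool (the module's login()).
    Returns (overall_success, list_of_invoked_module_names).

    Rules (from the JAAS LoginContext documentation):
      - Required:   must succeed; the stack continues either way.
      - Requisite:  must succeed; on failure control returns immediately.
      - Sufficient: on success control returns immediately with success,
                    unless an earlier Required/Requisite module failed;
                    on failure the stack continues.
      - Optional:   may fail; the stack continues either way.
      - If no Required/Requisite modules are configured, at least one
        Sufficient or Optional module must succeed.
    """
    invoked = []
    required_failed = False
    optional_succeeded = False
    has_required = any(flag in (Flag.REQUIRED, Flag.REQUISITE)
                       for _, flag, _ in stack)

    for name, flag, outcome in stack:
        invoked.append(name)
        ok = outcome() if callable(outcome) else bool(outcome)

        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            if not ok:
                required_failed = True
                if flag is Flag.REQUISITE:
                    # Requisite failure: stop processing the stack at once.
                    return False, invoked
        elif flag is Flag.SUFFICIENT:
            if ok and not required_failed:
                # Only Required/Requisite modules *before* this point need
                # to have succeeded; later modules are not invoked.
                return True, invoked
        else:  # Flag.OPTIONAL
            if ok:
                optional_succeeded = True

    if has_required:
        return (not required_failed), invoked
    return optional_succeeded, invoked


# Constructed scenario: a Sufficient module succeeds after a Required one,
# so the trailing Required module must not even be called.
EXAMPLE_STACK = [
    ("properties-file", Flag.REQUIRED, True),
    ("cached-token", Flag.SUFFICIENT, True),
    ("ldap", Flag.REQUIRED, False),
]

if __name__ == "__main__":
    success, invoked = evaluate_login(EXAMPLE_STACK)
    print(f"success={success} invoked={invoked}")
```

A realm implementation can be checked against this model by feeding it the same flag/outcome combinations and comparing both the overall result and the set of modules that were invoked; a stack that, for instance, keeps calling modules after a Requisite failure, or treats Sufficient as Required, will diverge from the model.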
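The second issue (GERONIMO-2295) is that a web app whose security-constraint url-patterns do not exactly match its servlet-mapping url-patterns ends up with no security applied. Until a deployment is on a fixed build, the practical defensive check is to audit web.xml for servlet mappings that no constraint pattern covers. The script below is an added example, not code from the thread or from Geronimo: it parses a constructed web.xml (the servlet names and patterns are made up for the example) and reports mappings that are not covered by any security-constraint pattern, using the servlet-spec matching rules for exact and prefix (`/path/*`) patterns. It is a static approximation (real matching happens per request path), so anything it reports deserves a look but may not be every gap.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml: the Admin servlet is mapped with the prefix pattern
# /admin/*, but the constraint protects only the exact path /admin, so
# requests such as /admin/users are not covered. *.jsp is also unprotected.
SAMPLE_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet-mapping>
    <servlet-name>Admin</servlet-name>
    <url-pattern>/admin/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Report</servlet-name>
    <url-pattern>/report</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Jsp</servlet-name>
    <url-pattern>*.jsp</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected</web-resource-name>
      <url-pattern>/admin</url-pattern>
      <url-pattern>/report</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _url_patterns(root, parent_tag):
    """Collect <url-pattern> texts found beneath elements named parent_tag."""
    patterns = []
    for element in root.iter():
        if _local(element.tag) != parent_tag:
            continue
        for child in element.iter():
            if _local(child.tag) == "url-pattern" and child.text:
                patterns.append(child.text.strip())
    return patterns


def constraint_covers(constraint, mapping):
    """True if every request routed by `mapping` is matched by `constraint`.

    Servlet-spec rules used here: an exact pattern covers only itself;
    /* covers everything; a prefix pattern /p/* covers /p and any pattern
    under /p/. Extension patterns (*.jsp) are only covered by themselves
    or by /*, since matching files may live anywhere in the context.
    """
    if constraint == mapping or constraint == "/*":
        return True
    if constraint.endswith("/*"):
        prefix = constraint[:-1]          # "/admin/*" -> "/admin/"
        return mapping == constraint[:-2] or mapping.startswith(prefix)
    return False


def uncovered_mappings(web_xml_text):
    """Return servlet-mapping patterns not covered by any constraint pattern."""
    root = ET.fromstring(web_xml_text)
    mappings = _url_patterns(root, "servlet-mapping")
    constraints = _url_patterns(root, "security-constraint")
    return [m for m in mappings
            if not any(constraint_covers(c, m) for c in constraints)]


if __name__ == "__main__":
    for pattern in uncovered_mappings(SAMPLE_WEB_XML):
        print(f"servlet mapping {pattern!r} is not covered by any security-constraint")
```

Running it against the constructed deployment descriptor reports `/admin/*` and `*.jsp`; changing the constraint pattern to `/admin/*` (or `/*` for a blanket rule) makes the Admin mapping disappear from the report, which is the exact-match alignment the issue description calls for.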
