[ https://issues.apache.org/jira/browse/DERBY-3532?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kathey Marsden updated DERBY-3532:
----------------------------------

    Issue & fix info:   (was: High Value Fix)

Unchecking HVF. Looks like this is a sticky issue with possible compatibility
concerns.
                
> Invalid & possibly skipped authentication handling when shutting down the
> network server.
> ------------------------------------------------------------------------------------------
>
>                 Key: DERBY-3532
>                 URL: https://issues.apache.org/jira/browse/DERBY-3532
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions: 10.4.1.3, 10.5.1.1
>            Reporter: Daniel John Debrunner
>            Priority: Critical
>              Labels: derby_triage10_9
>         Attachments: DERBY-3532.diff, ReproDerby3532.java, ReproDerby3532.java
>
>
> In NetworkServerControlImpl.checkShutdownPrivileges() code fetches the 
> internal authentication service to perform user authentication.
> However, if no such authentication service is found (null is returned), then
> authentication is bypassed; this has the potential of being a security hole.
> The discussion in DERBY-2109 indicated that even with authentication NONE, 
> there is still an internal authentication service, thus null is not a valid 
> return when getting the internal authentication service. A secure fail safe 
> system would be to not bypass authentication if null is returned.
> I tried removing the check for null in the method and that led to
> NullPointerExceptions. This means that something wrong is going on and very 
> possibly no authentication checks are actually being made when shutting down 
> the network server.
> The null return might be due to checking the authentication after Derby has 
> been shutdown.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
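The pattern the report describes, as an added example that is not Derby's own code: a shutdown-privilege check that fails open when the lookup of the authentication service returns null, beside a fail-closed version that treats a missing service as an authentication failure. Every name here (AuthService, ShutdownGuard, the two check methods, the constructed user table) is hypothetical and stands in for the real NetworkServerControlImpl.checkShutdownPrivileges() logic only by analogy.

```java
// Added example, not code from Derby. Contrasts a fail-open shutdown
// privilege check (skips authentication when no service is found) with a
// fail-closed one (denies when no service is found). All names hypothetical.
import java.util.Map;
import java.util.function.Supplier;

public class ShutdownGuard {

    /** Hypothetical stand-in for Derby's internal authentication service. */
    interface AuthService {
        boolean authenticate(String user, String password);
    }

    /**
     * Fail-open, mirroring the reported pattern: the service is looked up and,
     * if the lookup yields null, the caller is allowed through unauthenticated.
     */
    static boolean checkShutdownPrivilegesFailOpen(Supplier<AuthService> lookup,
                                                   String user, String password) {
        AuthService auth = lookup.get();
        if (auth != null) {
            return auth.authenticate(user, password);
        }
        return true; // no service found: authentication silently bypassed
    }

    /**
     * Fail-closed: a null service is not a valid state (per the DERBY-2109
     * discussion a service exists even with authentication NONE), so it is
     * treated as an authentication failure rather than as permission.
     */
    static boolean checkShutdownPrivilegesFailClosed(Supplier<AuthService> lookup,
                                                     String user, String password) {
        AuthService auth = lookup.get();
        if (auth == null) {
            return false; // missing service: deny, surfacing the ordering bug
        }
        return auth.authenticate(user, password);
    }

    public static void main(String[] args) {
        // Constructed sample credential store; not real Derby user data.
        Map<String, String> users = Map.of("admin", "s3cret");
        AuthService real = (u, p) -> p != null && p.equals(users.get(u));

        // Lookup succeeds while the engine is running ...
        Supplier<AuthService> running = () -> real;
        // ... but returns null once the engine has been shut down, which the
        // report suggests is why the check sees null in practice.
        Supplier<AuthService> afterShutdown = () -> null;

        System.out.println("fail-open, running, wrong password:  "
                + checkShutdownPrivilegesFailOpen(running, "admin", "wrong"));
        System.out.println("fail-open, after shutdown, no creds: "
                + checkShutdownPrivilegesFailOpen(afterShutdown, "anyone", "anything"));
        System.out.println("fail-closed, after shutdown, no creds: "
                + checkShutdownPrivilegesFailClosed(afterShutdown, "anyone", "anything"));
        System.out.println("fail-closed, running, right password: "
                + checkShutdownPrivilegesFailClosed(running, "admin", "s3cret"));
    }
}
```

Running the main method shows the difference the report is about: with the fail-open check, an unauthenticated caller is permitted as soon as the service lookup returns null, whereas the fail-closed check denies the shutdown instead. The fail-closed version also makes the suspected ordering problem (authentication checked after the engine is already down) visible as a denied shutdown rather than hiding it as a silent bypass.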