Invalid & possibly skipped authentication handling when shutting down the
network server.
------------------------------------------------------------------------------------------
Key: DERBY-3532
URL: https://issues.apache.org/jira/browse/DERBY-3532
Project: Derby
Issue Type: Bug
Components: Network Server, Security
Affects Versions: 10.4.0.0, 10.5.0.0
Reporter: Daniel John Debrunner
Priority: Critical
In NetworkServerControlImpl.checkShutdownPrivileges() code fetches the internal
authentication service to perform user authentication.
However if no such authentication service is found (null is returned) then
authentication is bypassed, this has the potential of being a security hole.
The discussion in DERBY-2109 indicated that even with authentication NONE,
there is still an internal authentication service, thus null is not a valid
return when getting the internal authentication service. A secure fail safe
system would be to not bypass authentication if null is returned.
I tried removing the check for null in the method and that lead to
NullPointerExceptions. This means that something wrong is going on and very
possibly no authentication checks are actually being made when shutting down
the network server.
The null return might be due to checking the authentication after Derby has
been shutdown.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
