[ http://issues.apache.org/jira/browse/GERONIMO-643?page=comments#action_64697 ]

David Jencks commented on GERONIMO-643:
---------------------------------------
Revision 169130 provides at least a partial fix for this problem by making sure the UDP never has a transport guarantee of "N/A". I'd prefer additional review of this area before closing the issue.

> transport guarantees on UDP not always enforced (at least w/jetty)
> ------------------------------------------------------------------
>
> Key: GERONIMO-643
> URL: http://issues.apache.org/jira/browse/GERONIMO-643
> Project: Geronimo
> Type: Bug
> Components: security
> Versions: 1.0-M3
> Reporter: David Jencks
> Assignee: David Jencks
>
> The UserDataPermission for a request on an unprotected socket is constructed
> erroneously with a transport guarantee of "N/A" rather than "NONE" (0 rather
> than 3). As a result, the UDP permission checks succeed rather than fail if
> url pattern and method match.
> I believe but have not checked that this results in insecure access to
> resources that are supposed to be under a transport guarantee only for
> unchecked resources. I believe that resources associated with a role have
> the transport guarantee at least partially enforced by the login mechanism.
> I have not looked into what the tomcat integration does in this situation.
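The failure described in the quoted report, as an added model that is not Geronimo or JACC code: the guarantee codes N/A = 0 and NONE = 3 come from the report, while the INTEGRAL/CONFIDENTIAL codes, the url-pattern matcher, and the implies rule (N/A on either side treated as "unspecified" and matching anything) are assumptions chosen to reproduce the behaviour the report describes.

```python
# Constructed model of the GERONIMO-643 transport-guarantee check.
# N/A = 0 and NONE = 3 are from the report; everything else is assumed.
NA, INTEGRAL, CONFIDENTIAL, NONE = 0, 1, 2, 3


class UserDataPermission:
    """url pattern + HTTP method + transport guarantee, with a JACC-style implies()."""

    def __init__(self, url_pattern, method, guarantee=NA):
        self.url_pattern, self.method, self.guarantee = url_pattern, method, guarantee

    def _matches_url(self, url):
        if self.url_pattern.endswith("/*"):          # path-prefix pattern
            prefix = self.url_pattern[:-2]
            return url == prefix or url.startswith(prefix + "/")
        return url == self.url_pattern                # exact match only

    def implies(self, req):
        """Does this policy-side permission imply the request-side permission?"""
        if not self._matches_url(req.url_pattern) or self.method != req.method:
            return False
        # Assumed rule: N/A on *either* side means "unspecified" and matches
        # anything. Reasonable for the policy side (resource has no transport
        # constraint), but a bypass when the request side is built with N/A.
        return NA in (self.guarantee, req.guarantee) or self.guarantee == req.guarantee


def request_permission(url, method, secure, fixed):
    """Build the request-side permission (constructed, not the real Geronimo code).

    fixed=False reproduces the bug: a plain socket yields N/A (0).
    fixed=True is the intended behaviour: a plain socket yields NONE (3).
    A secure socket is assumed to yield CONFIDENTIAL in both cases.
    """
    if secure:
        return UserDataPermission(url, method, CONFIDENTIAL)
    return UserDataPermission(url, method, NONE if fixed else NA)


def access_allowed(policy, url, method, secure, fixed):
    """True if the policy permission lets the request through."""
    return policy.implies(request_permission(url, method, secure, fixed))


if __name__ == "__main__":
    # Policy entry for a resource constrained to CONFIDENTIAL transport.
    confidential = UserDataPermission("/account/*", "GET", CONFIDENTIAL)
    for fixed in (False, True):
        allowed = access_allowed(confidential, "/account/statement", "GET", False, fixed)
        print(f"fixed={fixed}: plain-HTTP GET /account/statement allowed={allowed}")
```

With the buggy N/A request permission the plain-HTTP request is allowed; with NONE it is correctly refused, while a request over the secure socket and a request to an unconstrained (N/A) resource pass in both cases.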
