[ 
http://issues.apache.org/jira/browse/JCR-464?page=comments#action_12416496 ] 

Edgar Poce commented on JCR-464:
--------------------------------

sure, but an anonymous session can write and make use of the transient space, 
IMHO it yields a security issue.

 e.g. if the CRX demo used the same approach as Jackrabbit, an anonymous user 
could connect to the demo and create nodes and properties without saving until 
the JVM runs out of memory.

code example to kill the process:

        import javax.jcr.Node;
        import javax.jcr.Repository;
        import javax.jcr.Session;
        import org.apache.jackrabbit.core.RepositoryImpl;
        import org.apache.jackrabbit.core.config.RepositoryConfig;

        RepositoryConfig c = RepositoryConfig.create(
                "/temp/jackrabbit/repository.xml", "/temp/jackrabbit");
        Repository r = RepositoryImpl.create(c);
        Session s = r.login();  // anonymous login, no credentials
        // nothing below is ever saved: every node and property stays in the
        // session's transient space, so heap usage grows with each iteration
        for (int i = 0; i < 1000000; i++) {
            Node n = s.getRootNode().addNode("node" + i);
            n.setProperty("property" + i, "property" + i);
        }
  
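One way to enforce the two limits the issue asks for (max transient items per session, max open sessions) at the application layer, as an added example that is not Jackrabbit code: a hypothetical TransientGuard that refuses logins once all session slots are taken and throws once a session has accumulated more unsaved items than its budget. The guard only bounds callers that go through it, so it illustrates the proposed configuration parameter rather than replacing a limit inside the repository.

```java
import java.util.concurrent.Semaphore;
import javax.jcr.Node;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;

// Hypothetical application-side guard (not part of Jackrabbit): bounds the number
// of concurrently open sessions and the number of unsaved transient items per session.
public final class TransientGuard {
    private final Semaphore sessionSlots;
    private final int maxPendingItems;

    public TransientGuard(int maxSessions, int maxPendingItems) {
        this.sessionSlots = new Semaphore(maxSessions);
        this.maxPendingItems = maxPendingItems;
    }

    // Refuses the login outright when every session slot is taken.
    public GuardedSession login(Repository repo) throws RepositoryException {
        if (!sessionSlots.tryAcquire()) {
            throw new RepositoryException("too many open sessions");
        }
        return new GuardedSession(repo.login());
    }

    public final class GuardedSession {
        private final Session session;
        private int pending = 0;   // transient items not yet saved or discarded

        GuardedSession(Session session) { this.session = session; }

        public Node getRootNode() throws RepositoryException { return session.getRootNode(); }

        public Node addNode(Node parent, String name) throws RepositoryException {
            charge();
            return parent.addNode(name);
        }

        public void setProperty(Node node, String name, String value) throws RepositoryException {
            charge();
            node.setProperty(name, value);
        }

        // Each unsaved item costs one unit; the caller must save() or discard() to continue.
        private void charge() throws RepositoryException {
            if (pending >= maxPendingItems) {
                throw new RepositoryException("transient budget of " + maxPendingItems + " items exceeded");
            }
            pending++;
        }

        public void save() throws RepositoryException { session.save(); pending = 0; }
        public void discard() throws RepositoryException { session.refresh(false); pending = 0; }
        public void close() { session.logout(); sessionSlots.release(); }
    }
}
```

Run the loop from the comment above through a GuardedSession instead of the raw Session and it stops with a RepositoryException at the budget instead of exhausting the heap; close() must be called (e.g. in a finally block) so the session slot is returned.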

> Prevent out of memory errors
> ----------------------------
>
>          Key: JCR-464
>          URL: http://issues.apache.org/jira/browse/JCR-464
>      Project: Jackrabbit
>         Type: Improvement
>   Components: core
>     Reporter: Edgar Poce
>     Priority: Minor
>
> Even an anonymous session can kill the jvm, any session can perform write 
> actions until it kills the process by causing an outofmemoryexception. 
> I think it would be good to add a configuration parameter to specify the max 
> size of the transient ISMs and the max number of sessions.

-- 
This message is automatically generated by JIRA.