Daniil Kirilyuk created QPID-8553:
-------------------------------------
Summary: [Broker-J] HP Fortify: Weak SecurityManager Check:
Overridable Method
Key: QPID-8553
URL: https://issues.apache.org/jira/browse/QPID-8553
Project: Qpid
Issue Type: Improvement
Components: Broker-J
Affects Versions: qpid-java-broker-8.0.5
Reporter: Daniil Kirilyuk
HP Fortify complains that classes defining security may be overridden by
sub-classes and thereby by-passing the security features:
broker-plugins/access-control/src/main/org/apache/qpid/server/security/access/config/RuleBasedAccessControl.java
Line 58 newToken() - Non-final methods that perform security checks may be
overridden in ways that bypass security checks.
Line 75 authorise() - Non-final methods that perform security checks may be
overridden in ways that bypass security checks.
broker-core/src/main/java/org/apache/qpid/server/model/BrokerImpl.java
Line 1022 getConnectionMetaData() - Non-final methods that perform security
checks may be overridden in ways that bypass security checks.
Line 1046 getGroups() - Non-final methods that perform security checks may be
overridden in ways that bypass security checks.
broker-plugins/management-http/src/main/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java
Line 79 doGet() - Non-final methods that perform security checks may be
overridden in ways that bypass security checks.
broker-plugins/amqp-0-8-protocol/org/apache/qpid/server/protocol/v0_8/AMQPConnection_0_8Impl.java
Line 699 readerIdle() - Non-final methods that perform security checks may be
overridden in ways that bypass security checks.
Executes privileged action.
broker-plugins/logging-logback/src/main/org/apache/qpid/server/logging/logback/ConnectionAndUserPredicate.java
Line 43 evaluate() - Non-final methods that perform security checks may be
overridden in ways that bypass security checks.
broker-plugins/amqp-1-0-protocol/src/main/org/apache/qpid/server/protocol/v1_0/AMQPConnection_1_0Impl.java
Line 444 receive() - Non-final methods that perform security checks may be
overridden in ways that bypass security checks.
Line 1269 readerIdle() - Non-final methods that perform security checks may be
overridden in ways that bypass security checks.
Line 1340 receivedComplete() - Non-final methods that perform security checks
may be overridden in ways that bypass security checks.
broker-plugins/amqp-0-8-protocol/src/main/org/apache/qpid/server/protocol/v0_8/BrokerDecoder.java
Line 78 processAMQPFrames() - Non-final methods that perform security checks
may be overridden in ways that bypass security checks.
Executes privileged action.
broker-core/src/main/java/org/apache/qpid/server/security/CompoundAccessControl.java
Line 68 newToken() - Non-final methods that perform security checks may be
overridden in ways that bypass security checks.
broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerAssembler.java
Line 72 received() - Non-final methods that perform security checks may be
overridden in ways that bypass security checks.
Executes privileged action.
broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/AMQPConnection_0_10Impl.java
Line 165 readerIdle() - Non-final methods that perform security checks may be
overridden in ways that bypass security checks.
Line 182 closed() - Non-final methods that perform security checks may be
overridden in ways that bypass security checks.
Executes privileged action.
broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ProxyMessageSource.java
Line 152 addConsumer() - Non-final methods that perform security checks may be
overridden in ways that bypass security checks.
broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementAddressSpace.java
Line 172 getProxyNode() - Non-final methods that perform security checks may be
overridden in ways that bypass security checks.
broker-plugins/logging-logback/src/main/java/org/apache/qpid/server/logging/logback/PrincipalLogEventFilter.java
Line 43 decide() - Non-final methods that perform security checks may be
overridden in ways that bypass security checks.
broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/AMQChannel.java
Line 303 receivedComplete() - Non-final methods that perform security checks
may be overridden in ways that bypass security checks.
broker-core/src/main/java/org/apache/qpid/server/queue/AbstractQueue.java
Line 359 onOpen() - Non-final methods that perform security checks may be
overridden in ways that bypass security checks.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
