[ https://issues.apache.org/jira/browse/GEODE-3249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16159111#comment-16159111 ]

ASF subversion and git services commented on GEODE-3249:
--------------------------------------------------------

Commit 0b881b515eb1dcea974f0f5c1b40da03d42af9cf in geode's branch 
refs/heads/release/1.2.1 from [~bschuchardt]
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=0b881b5 ]

GEODE-3249 Validate internal client/server messages

This change leaves the security hole in place but allows you to plug
it by setting the system property

geode.disallow-internal-messages-without-credentials=true

Clients must be upgraded to the release containing this change if you
set this system property to true and client/server authentication is
enabled.  Otherwise client messages to register PDX types or
Instantiators will be rejected by the servers.

New tests have been added to perform backward-compatibility testing
with the old security implementation and the internal message command
classes have been modified to perform validation of credentials if
the system property is set to true.

(cherry picked from commit abbb359fe59ea3e74462fe48890918108a0edda3)


> Validate internal client/server messages
> ----------------------------------------
>
>                 Key: GEODE-3249
>                 URL: https://issues.apache.org/jira/browse/GEODE-3249
>             Project: Geode
>          Issue Type: Bug
>          Components: docs, messaging
>            Reporter: Anthony Baker
>            Assignee: Bruce Schuchardt
>             Fix For: 1.3.0, 1.2.1
>
>
> Some message types can not be invoked directly by an end user.  For 
> validation purposes, we should treat these messages the same way we treat 
> normal messages.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
