[ https://issues.apache.org/jira/browse/GEODE-3249?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16173587#comment-16173587 ]

ASF subversion and git services commented on GEODE-3249:
--------------------------------------------------------

Commit 0b881b515eb1dcea974f0f5c1b40da03d42af9cf in geode's branch refs/heads/develop from [~bschuchardt]
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=0b881b5 ]

GEODE-3249 Validate internal client/server messages

This change leaves the security hole in place but allows you to plug it
by setting the system property
geode.disallow-internal-messages-without-credentials=true

Clients must be upgraded to the release containing this change if you
set this system property to true and client/server authentication is
enabled. Otherwise client messages to register PDX types or Instantiators
will be rejected by the servers.

New tests have been added to perform backward-compatibility testing with
the old security implementation and the internal message command classes
have been modified to perform validation of credentials if the system
property is set to true.

(cherry picked from commit abbb359fe59ea3e74462fe48890918108a0edda3)


> Validate internal client/server messages
> ----------------------------------------
>
>                 Key: GEODE-3249
>                 URL: https://issues.apache.org/jira/browse/GEODE-3249
>             Project: Geode
>          Issue Type: Bug
>          Components: docs, messaging
>            Reporter: Anthony Baker
>            Assignee: Bruce Schuchardt
>             Fix For: 1.3.0, 1.2.1
>
>
> Some message types can not be invoked directly by an end user. For
> validation purposes, we should treat these messages the same way we treat
> normal messages.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)