[ 
https://issues.apache.org/jira/browse/KARAF-4207?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré updated KARAF-4207:
----------------------------------------
    Description: 
HP Fortify SCA and SciTools Understand were used to perform an application 
security analysis on the Karaf source code.

The method authenticate() in JaasSecurityProvider.java ignores an exception on 
line 199, which could cause the program to overlook unexpected states and 
conditions. In this case the attempt to authenticate is ignored, which is never 
a good idea.

File: 
webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java
Line: 199

JaasSecurityProvider.java, lines 155-205:
{code}
155 public boolean authenticate( HttpServletRequest request, HttpServletResponse response )
156 {
157     // Return immediately if the header is missing
158     String authHeader = request.getHeader( HEADER_AUTHORIZATION );
159     if ( authHeader != null && authHeader.length() > 0 )
160     {
. . .
166         if ( blank > 0 )
167         {
. . .
171             // Check whether authorization type matches
172             if ( authType.equalsIgnoreCase( AUTHENTICATION_SCHEME_BASIC ) )
173             {
174                 try
175                 {
. . .
181                     // authenticate
182                     Subject subject = doAuthenticate( username, password );
183                     if ( subject != null )
184                     {
. . .
198                 }
199                 catch ( Exception e )
200                 {
201                     // Ignore
202                 }
203             }
204         }
205     }
{code}

  was:
HP Fortify SCA and SciTools Understand were used to perform an application 
security analysis on the Karaf source code.

The method authenticate() in JaasSecurityProvider.java ignores an exception on 
line 199, which could cause the program to overlook unexpected states and 
conditions. In this case the attempt to authenticate is ignored, which is never 
a good idea.

File: 
webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java
Line: 199

JaasSecurityProvider.java, lines 155-205:
155 public boolean authenticate( HttpServletRequest request, HttpServletResponse response )
156 {
157     // Return immediately if the header is missing
158     String authHeader = request.getHeader( HEADER_AUTHORIZATION );
159     if ( authHeader != null && authHeader.length() > 0 )
160     {
. . .
166         if ( blank > 0 )
167         {
. . .
171             // Check whether authorization type matches
172             if ( authType.equalsIgnoreCase( AUTHENTICATION_SCHEME_BASIC ) )
173             {
174                 try
175                 {
. . .
181                     // authenticate
182                     Subject subject = doAuthenticate( username, password );
183                     if ( subject != null )
184                     {
. . .
198                 }
199                 catch ( Exception e )
200                 {
201                     // Ignore
202                 }
203             }
204         }
205     }




> Poor Error Handling: Empty Catch Block
> --------------------------------------
>
>                 Key: KARAF-4207
>                 URL: https://issues.apache.org/jira/browse/KARAF-4207
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>
> HP Fortify SCA and SciTools Understand were used to perform an application 
> security analysis on the Karaf source code.
> The method authenticate() in JaasSecurityProvider.java ignores an exception 
> on line 199, which could cause the program to overlook unexpected states and 
> conditions. In this case the attempt to authenticate is ignored, which is 
> never a good idea.
> File: 
> webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java
> Line: 199
> JaasSecurityProvider.java, lines 155-205:
> {code}
> 155 public boolean authenticate( HttpServletRequest request, HttpServletResponse response )
> 156 {
> 157     // Return immediately if the header is missing
> 158     String authHeader = request.getHeader( HEADER_AUTHORIZATION );
> 159     if ( authHeader != null && authHeader.length() > 0 )
> 160     {
> . . .
> 166         if ( blank > 0 )
> 167         {
> . . .
> 171             // Check whether authorization type matches
> 172             if ( authType.equalsIgnoreCase( AUTHENTICATION_SCHEME_BASIC ) )
> 173             {
> 174                 try
> 175                 {
> . . .
> 181                     // authenticate
> 182                     Subject subject = doAuthenticate( username, password );
> 183                     if ( subject != null )
> 184                     {
> . . .
> 198                 }
> 199                 catch ( Exception e )
> 200                 {
> 201                     // Ignore
> 202                 }
> 203             }
> 204         }
> 205     }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
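Added illustration of the finding above, not code from Karaf or the Felix web console: a hypothetical Basic-auth authenticate() path written for this example, with the flagged empty catch beside a variant that fails closed but records the failure. The Authenticator interface, the AuthOutcome enum, both authenticate methods and the two constructed backends in main() are assumptions made for the demonstration.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Hypothetical stand-in for a Basic-auth authenticate() path. This is added
 * illustration, not Karaf's or Felix's code: Authenticator, AuthOutcome and
 * the two authenticate variants are constructed for the example.
 */
public class EmptyCatchExample {

    private static final Logger LOG = Logger.getLogger(EmptyCatchExample.class.getName());

    /** Stand-in for the JAAS login step; may throw when the login backend misbehaves. */
    interface Authenticator {
        Object doAuthenticate(String username, String password) throws Exception;
    }

    /** Pattern flagged by the scanner: the failure is caught and silently dropped. */
    static boolean authenticateSwallowing(Authenticator auth, String username, String password) {
        try {
            Object subject = auth.doAuthenticate(username, password);
            if (subject != null) {
                return true;
            }
        } catch (Exception e) {
            // Ignore
        }
        // A wrong password and a broken login backend both end up here, leaving no trace.
        return false;
    }

    /** Outcome that lets the caller tell "denied" from "could not decide". */
    enum AuthOutcome { AUTHENTICATED, DENIED, ERROR }

    /** Hardened form: still fails closed, but records what actually happened. */
    static AuthOutcome authenticateLogging(Authenticator auth, String username, String password) {
        try {
            Object subject = auth.doAuthenticate(username, password);
            if (subject != null) {
                return AuthOutcome.AUTHENTICATED;
            }
            LOG.log(Level.INFO, "Authentication denied for user {0}", username);
            return AuthOutcome.DENIED;
        } catch (Exception e) {
            // Keep the cause out of the HTTP response, but put it in the server log.
            LOG.log(Level.WARNING, "Authentication error for user " + username, e);
            return AuthOutcome.ERROR;
        }
    }

    public static void main(String[] args) {
        // Constructed backends: one rejects the credentials, one is broken.
        Authenticator rejecting = (u, p) -> null;
        Authenticator broken = (u, p) -> {
            throw new IllegalStateException("login module not available");
        };

        // With the empty catch, both cases look identical to the caller and to the logs.
        System.out.println("swallowing/rejecting: " + authenticateSwallowing(rejecting, "karaf", "wrong"));
        System.out.println("swallowing/broken:    " + authenticateSwallowing(broken, "karaf", "wrong"));

        // With logging, an operator can tell a password failure from an outage.
        System.out.println("logging/rejecting:    " + authenticateLogging(rejecting, "karaf", "wrong"));
        System.out.println("logging/broken:       " + authenticateLogging(broken, "karaf", "wrong"));
    }
}
```

Both variants deny the request when the backend throws, so the change is not about granting access; it is about observability. With the empty catch, a misconfigured realm or an unavailable login module produces exactly the same outcome as a mistyped password, so the failure is invisible in the logs and the caller cannot react to it. The logging variant keeps the client-facing behaviour (no detail leaks into the response) while leaving a record the operator can act on.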
