Eduardo Aguinaga created KARAF-4208:
---------------------------------------

             Summary: Poor Error Handling: Empty Catch Block
                 Key: KARAF-4208
                 URL: https://issues.apache.org/jira/browse/KARAF-4208
             Project: Karaf
          Issue Type: Bug
    Affects Versions: 4.0.3
            Reporter: Eduardo Aguinaga


HP Fortify SCA and SciTools Understand were used to perform an application 
security analysis of the karaf source code.

The method authenticate() in JaasSecurityProvider.java ignores an exception on 
line 215, which could cause the program to overlook unexpected states and 
conditions. In this case an authentication has failed and the attempt to 
respond to the client and let them know has also failed. The comment indicates 
that nothing can be done about the problem but the issue should be logged for 
further investigation or forensics purposes.

File: 
webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java
Line: 215

JaasSecurityProvider.java, lines 207-218:
207 // request authentication
208 try
209 {
210     response.setHeader( HEADER_WWW_AUTHENTICATE, AUTHENTICATION_SCHEME_BASIC + " realm=\"" + this.realm + "\"" );
211     response.setStatus( HttpServletResponse.SC_UNAUTHORIZED );
212     response.setContentLength( 0 );
213     response.flushBuffer();
214 }
215 catch ( IOException ioe )
216 {
217     // failed sending the response ... cannot do anything about it
218 }
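For comparison, here is a hardened form of the same challenge-sending block, written as an added example (not Karaf or Felix code): the catch block still cannot recover, but it records the failure together with the peer address so the event is available for later investigation. The `Response` interface and the `sendChallenge`/`remoteAddr` names are stand-ins assumed for this example, not the servlet API.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;

public class AuthChallengeExample {
    private static final Logger LOG = Logger.getLogger(AuthChallengeExample.class.getName());
    private static final String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
    private static final String AUTHENTICATION_SCHEME_BASIC = "Basic";
    private static final int SC_UNAUTHORIZED = 401;

    /** Minimal stand-in for HttpServletResponse (assumption, not the servlet API). */
    interface Response {
        void setHeader(String name, String value);
        void setStatus(int code);
        void setContentLength(int len);
        void flushBuffer() throws IOException;
    }

    /**
     * Hardened form of the block quoted in the report: the 401 challenge is sent
     * and, if delivery fails, the failure is logged with context instead of swallowed.
     * Returns true only when the challenge was flushed to the client.
     */
    static boolean sendChallenge(Response response, String realm, String remoteAddr) {
        try {
            response.setHeader(HEADER_WWW_AUTHENTICATE,
                    AUTHENTICATION_SCHEME_BASIC + " realm=\"" + realm + "\"");
            response.setStatus(SC_UNAUTHORIZED);
            response.setContentLength(0);
            response.flushBuffer();
            return true;
        } catch (IOException ioe) {
            // Nothing can be done for this client, but the event must not vanish:
            // record who was being challenged and why the response could not be sent.
            LOG.log(Level.WARNING, "Failed to send authentication challenge to "
                    + remoteAddr + " for realm '" + realm + "'", ioe);
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed stub: the client connection drops while the challenge is flushed.
        Response broken = new Response() {
            public void setHeader(String n, String v) { }
            public void setStatus(int c) { }
            public void setContentLength(int l) { }
            public void flushBuffer() throws IOException { throw new IOException("connection reset by peer"); }
        };
        boolean sent = sendChallenge(broken, "karaf", "203.0.113.7");
        System.out.println("challenge delivered: " + sent); // false, with a WARNING entry in the log
    }
}
```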



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)