[
https://issues.apache.org/jira/browse/KARAF-4208?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jean-Baptiste Onofré updated KARAF-4208:
----------------------------------------
Description:
HP Fortify SCA and SciTools Understand were used to perform an application
security analysis of the Karaf source code.
The method authenticate() in JaasSecurityProvider.java ignores an exception on
line 215, which could cause the program to overlook unexpected states and
conditions. In this case an authentication has failed and the attempt to
respond to the client and let them know has also failed. The comment indicates
that nothing can be done about the problem, but the issue should be logged for
further investigation or forensic purposes.
File:
webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java
Line: 215
JaasSecurityProvider.java, lines 207-218:
{code}
207 // request authentication
208 try
209 {
210 response.setHeader( HEADER_WWW_AUTHENTICATE,
AUTHENTICATION_SCHEME_BASIC + " realm=\"" + this.realm + "\"" );
211 response.setStatus( HttpServletResponse.SC_UNAUTHORIZED );
212 response.setContentLength( 0 );
213 response.flushBuffer();
214 }
215 catch ( IOException ioe )
216 {
217 // failed sending the response ... cannot do anything about it
218 }
{code}
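A hardened form of the challenge-sending step, added here as an illustration and not code from Karaf or Felix: the IOException is still not recoverable, but it is logged with request context so a failed authentication whose 401 never reached the client leaves a record, and the caller learns that the challenge was not delivered. The class, method and logger names, the header constants and the use of java.util.logging are assumptions.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical hardened version of the "request authentication" block.
// Names and constants are assumptions, not taken from the project source.
public class AuthChallenge {
    private static final Logger LOG = Logger.getLogger(AuthChallenge.class.getName());
    private static final String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
    private static final String AUTHENTICATION_SCHEME_BASIC = "Basic";
    private final String realm;

    public AuthChallenge(String realm) {
        this.realm = realm;
    }

    /**
     * Sends the HTTP 401 Basic challenge after an authentication failure.
     * Returns true when the challenge was flushed to the client and false
     * when writing it failed; the failure is logged instead of swallowed.
     */
    public boolean sendChallenge(HttpServletRequest request, HttpServletResponse response) {
        try {
            response.setHeader(HEADER_WWW_AUTHENTICATE,
                    AUTHENTICATION_SCHEME_BASIC + " realm=\"" + realm + "\"");
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentLength(0);
            response.flushBuffer();
            return true;
        } catch (IOException ioe) {
            // Nothing can be retried here, but the event is now visible for
            // later investigation. Only request metadata is logged; no
            // credentials from the Authorization header are included.
            LOG.log(Level.WARNING,
                    String.format("Authentication failed for %s %s from %s (realm %s) "
                                  + "and the 401 challenge could not be sent",
                                  request.getMethod(), request.getRequestURI(),
                                  request.getRemoteAddr(), realm),
                    ioe);
            return false;
        }
    }
}
```

The returned boolean lets authenticate() distinguish "client was challenged" from "client never received the challenge", which the empty catch block collapses into one outcome.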
> Poor Error Handling: Empty Catch Block
> --------------------------------------
>
> Key: KARAF-4208
> URL: https://issues.apache.org/jira/browse/KARAF-4208
> Project: Karaf
> Issue Type: Bug
> Affects Versions: 4.0.3
> Reporter: Eduardo Aguinaga
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)