[
https://issues.apache.org/jira/browse/KARAF-4208?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jean-Baptiste Onofré updated KARAF-4208:
----------------------------------------
Fix Version/s: 4.0.6
4.1.0
> Poor Error Handling: Empty Catch Block
> --------------------------------------
>
> Key: KARAF-4208
> URL: https://issues.apache.org/jira/browse/KARAF-4208
> Project: Karaf
> Issue Type: Bug
> Affects Versions: 4.0.3
> Reporter: Eduardo Aguinaga
> Fix For: 4.1.0, 4.0.6
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application
> security analysis of the Karaf source code.
> The method authenticate() in JaasSecurityProvider.java ignores an exception
> on line 215, which could cause the program to overlook unexpected states and
> conditions. In this case an authentication has failed and the attempt to
> respond to the client and let them know has also failed. The comment
> indicates that nothing can be done about the problem, but the issue should be
> logged for further investigation or forensic purposes.
> File:
> webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java
> Line: 215
> JaasSecurityProvider.java, lines 207-218:
> {code}
> 207 // request authentication
> 208 try
> 209 {
> 210 response.setHeader( HEADER_WWW_AUTHENTICATE,
> AUTHENTICATION_SCHEME_BASIC + " realm=\"" + this.realm + "\"" );
> 211 response.setStatus( HttpServletResponse.SC_UNAUTHORIZED );
> 212 response.setContentLength( 0 );
> 213 response.flushBuffer();
> 214 }
> 215 catch ( IOException ioe )
> 216 {
> 217 // failed sending the response ... cannot do anything about it
> 218 }
> {code}
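A hardened form of the catch block quoted above, added here as an illustration and not the project's own fix: the IOException is still not rethrown (the connection cannot be recovered), but it is now logged with enough context for later investigation. The `Response` interface, the `ChallengeLoggingExample` class, the `remoteAddr` parameter and the use of java.util.logging are assumptions standing in for the Servlet API and Karaf's logging setup.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;

public class ChallengeLoggingExample {
    private static final Logger LOG = Logger.getLogger(ChallengeLoggingExample.class.getName());
    private static final String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
    private static final String AUTHENTICATION_SCHEME_BASIC = "Basic";
    private static final int SC_UNAUTHORIZED = 401;

    // Hypothetical stand-in for the HttpServletResponse methods the snippet calls,
    // so the example compiles without the Servlet API. As in the real interface,
    // only flushBuffer() declares IOException.
    interface Response {
        void setHeader(String name, String value);
        void setStatus(int sc);
        void setContentLength(int len);
        void flushBuffer() throws IOException;
    }

    // Same control flow as the original: the IOException is not rethrown, since
    // the connection cannot be recovered, but it is now logged with the peer
    // address so the failed challenge is available for forensic review.
    static boolean sendAuthenticationChallenge(Response response, String realm, String remoteAddr) {
        try {
            response.setHeader(HEADER_WWW_AUTHENTICATE,
                    AUTHENTICATION_SCHEME_BASIC + " realm=\"" + realm + "\"");
            response.setStatus(SC_UNAUTHORIZED);
            response.setContentLength(0);
            response.flushBuffer();
            return true;
        } catch (IOException ioe) {
            // Previously an empty catch block.
            LOG.log(Level.WARNING, "Failed to send 401 challenge for realm '" + realm
                    + "' to " + remoteAddr, ioe);
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed response whose flushBuffer() fails, as when the client drops the socket.
        Response broken = new Response() {
            public void setHeader(String n, String v) { }
            public void setStatus(int sc) { }
            public void setContentLength(int len) { }
            public void flushBuffer() throws IOException { throw new IOException("Broken pipe (constructed)"); }
        };
        System.out.println("challenge delivered: " + sendAuthenticationChallenge(broken, "karaf", "203.0.113.7"));
    }
}
```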
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)