[ https://issues.apache.org/jira/browse/KARAF-4207?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jean-Baptiste Onofré updated KARAF-4207:
----------------------------------------
Fix Version/s: 4.0.6, 4.1.0
> Poor Error Handling: Empty Catch Block
> --------------------------------------
>
> Key: KARAF-4207
> URL: https://issues.apache.org/jira/browse/KARAF-4207
> Project: Karaf
> Issue Type: Bug
> Affects Versions: 4.0.3
> Reporter: Eduardo Aguinaga
> Fix For: 4.1.0, 4.0.6
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application
> security analysis on the karaf source code.
> The method authenticate() in JaasSecurityProvider.java ignores an exception
> on line 199, which could cause the program to overlook unexpected states and
> conditions. In this case the attempt to authenticate is ignored which is
> never a good idea.
> File:
> webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java
> Line: 199
> JaasSecurityProvider.java, lines 155-205:
> {code}
> 155 public boolean authenticate( HttpServletRequest request, HttpServletResponse response )
> 156 {
> 157 // Return immediately if the header is missing
> 158 String authHeader = request.getHeader( HEADER_AUTHORIZATION );
> 159 if ( authHeader != null && authHeader.length() > 0 )
> 160 {
> . . .
> 166 if ( blank > 0 )
> 167 {
> . . .
> 171 // Check whether authorization type matches
> 172 if ( authType.equalsIgnoreCase( AUTHENTICATION_SCHEME_BASIC ) )
> 173 {
> 174 try
> 175 {
> . . .
> 181 // authenticate
> 182 Subject subject = doAuthenticate( username, password );
> 183 if ( subject != null )
> 184 {
> . . .
> 198 }
> 199 catch ( Exception e )
> 200 {
> 201 // Ignore
> 202 }
> 203 }
> 204 }
> 205 }
> {code}
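The swallowed exception from the report, beside a form that still fails closed but records the cause, as an added example that is not Karaf's code: the JaasLogin interface is a hypothetical stand-in for the JAAS call behind doAuthenticate(), and the logger name and messages are assumed.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

// Hypothetical stand-in for the JAAS call behind doAuthenticate(); a real
// LoginContext.login() throws LoginException the same way.
interface JaasLogin {
    Subject login(String username, String password) throws LoginException;
}

public class CatchBlockComparison {
    private static final Logger LOG = Logger.getLogger("JaasSecurityProvider");

    // Before: the pattern the report flags. A misconfigured realm, a missing
    // module and a wrong password all collapse into a silent "false".
    static boolean authenticateSilently(JaasLogin jaas, String user, String pass) {
        try {
            return jaas.login(user, pass) != null;
        } catch (Exception e) {
            // Ignore
        }
        return false;
    }

    // After: still fail closed, but record why. Bad credentials are an expected,
    // countable event; anything else is an operational error to surface.
    static boolean authenticateLogged(JaasLogin jaas, String user, String pass) {
        try {
            return jaas.login(user, pass) != null;
        } catch (FailedLoginException e) {
            // Log the principal, never the password.
            LOG.warning("Authentication failed for user '" + user + "': " + e.getMessage());
        } catch (LoginException e) {
            // JAAS itself is broken (no LoginModules, bad config): operators must see this.
            LOG.log(Level.SEVERE, "JAAS login error for user '" + user + "'", e);
        } catch (RuntimeException e) {
            // A bug in the provider; do not hide it behind a 401.
            LOG.log(Level.SEVERE, "Unexpected error authenticating user '" + user + "'", e);
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed failure: the realm has no login modules at all.
        JaasLogin broken = (u, p) -> { throw new LoginException("No LoginModules configured for karaf"); };
        authenticateSilently(broken, "karaf", "karaf"); // the configuration error vanishes
        authenticateLogged(broken, "karaf", "karaf");   // same result for the caller, cause is logged
    }
}
```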