[ 
https://issues.apache.org/jira/browse/KARAF-4207?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré updated KARAF-4207:
----------------------------------------
    Fix Version/s: 4.0.6
                   4.1.0

> Poor Error Handling: Empty Catch Block
> --------------------------------------
>
>                 Key: KARAF-4207
>                 URL: https://issues.apache.org/jira/browse/KARAF-4207
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>             Fix For: 4.1.0, 4.0.6
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application 
> security analysis on the karaf source code.
> The method authenticate() in JaasSecurityProvider.java ignores an exception 
> on line 199, which could cause the program to overlook unexpected states and 
> conditions. In this case the attempt to authenticate is ignored which is 
> never a good idea.
> File: 
> webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java
> Line: 199
> JaasSecurityProvider.java, lines 155-205:
> {code}
> 155 public boolean authenticate( HttpServletRequest request, HttpServletResponse response )
> 156 {
> 157     // Return immediately if the header is missing
> 158     String authHeader = request.getHeader( HEADER_AUTHORIZATION );
> 159     if ( authHeader != null && authHeader.length() > 0 )
> 160     {
> . . .
> 166         if ( blank > 0 )
> 167         {
> . . .
> 171             // Check whether authorization type matches
> 172             if ( authType.equalsIgnoreCase( AUTHENTICATION_SCHEME_BASIC ) )
> 173             {
> 174                 try
> 175                 {
> . . .
> 181                     // authenticate
> 182                     Subject subject = doAuthenticate( username, password );
> 183                     if ( subject != null )
> 184                     {
> . . .
> 198                 }
> 199                 catch ( Exception e )
> 200                 {
> 201                     // Ignore
> 202                 }
> 203             }
> 204         }
> 205     }
> {code}
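
An added illustration, not code from the Karaf or Felix webconsole project, of the pattern the report flags beside a version that fails closed and records why the attempt failed. `doAuthenticate` below is a constructed stub standing in for the JAAS call, and the user and password values are made up.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;

public class AuthenticateExample {
    private static final Logger LOG = Logger.getLogger(AuthenticateExample.class.getName());

    // Constructed stub: a real provider drives a JAAS LoginContext here. It throws on a
    // failed login, which is exactly the outcome an empty catch block hides from operators.
    static Subject doAuthenticate(String user, String pass) throws LoginException {
        if ("alice".equals(user) && "s3cret".equals(pass)) {
            return new Subject();
        }
        throw new LoginException("login rejected for principal " + user);
    }

    // Pattern from the report: any exception, expected or not, is dropped on the floor.
    // The caller only sees "false"; a broken realm and a bad password are indistinguishable.
    public static boolean authenticateSilently(String user, String pass) {
        try {
            return doAuthenticate(user, pass) != null;
        } catch (Exception e) {
            // Ignore
        }
        return false;
    }

    // Hardened form: still fails closed, but separates the expected failure (wrong
    // credentials) from unexpected state, and logs the principal without the password.
    public static boolean authenticateLogged(String user, String pass) {
        try {
            return doAuthenticate(user, pass) != null;
        } catch (LoginException e) {
            LOG.log(Level.INFO, "Authentication failed for user ''{0}'': {1}",
                    new Object[] { user, e.getMessage() });
        } catch (RuntimeException e) {
            // Misconfigured realm, unavailable backend, etc.: surface it instead of hiding it.
            LOG.log(Level.SEVERE, "Unexpected error authenticating user '" + user + "'", e);
        }
        return false;
    }

    public static void main(String[] args) {
        System.out.println(authenticateSilently("alice", "wrong")); // false, no trace of why
        System.out.println(authenticateLogged("alice", "wrong"));   // false, INFO log entry
        System.out.println(authenticateLogged("alice", "s3cret"));  // true
    }
}
```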



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)