Hi Ingo,

I'm using the slidestore.mysql.MySQLDescriptorsStore.

I found out that while I'm always using the same order of ACEs in
aclMethod (which has an ACE array as a parameter!), the order of the ACEs I'm
retrieving from the server sometimes differs! I don't know what else is
going on on the server side...



On Wed, 2003-08-13 at 15:33, Ingo Brunberg wrote:
> Sorry if I am a bit naive. But what store do you use for descriptors?
> 
> I wonder where in the JDBC stores the order of the ACEs is
> saved/enforced. If you do a SELECT on permissions, is there any
> guarantee that you receive the ACEs in a particular order? If not, this
> would indeed be a big, big security hole, which I cannot believe to
> not have been encountered before.
> 
> Regards,
> Ingo
> 
> > Strange behaviour!
> > 
> > After setting the ACL with WebdavResource.aclMethod the ACL-Info shows
> > the correct settings and the server acts as expected:
> > 
> > Subject                        Action      Inheritable    Deny
> > /files/users/slideadmin        /actions    true           false
> > /files/users/ockenfeld         /actions    true           false
> > +/files/users/groups/12200963  /actions    true           false
> > /files/users                   /actions    true           true
> > 
> > But in some cases the order of the ACEs changes (I don't know why) and
> > the server denies access to everybody!
> > 
> > Subject                        Action      Inheritable    Deny
> > /files/users                   /actions    true           true
> > +/files/users/groups/12200963  /actions    true           false
> > /files/users/ockenfeld         /actions    true           false
> > /files/users/slideadmin        /actions    true           false
> > 
> > 
> > Does anybody know what's going on here?!?
> > 
> > I'm using slide from 21-04-2003 on JBoss 3.2.1 with a MySQL-DB
> > and I have got a big security-problem...
> > 
> > Please help!
> > 
> > Regards
> > Marc
> > 
> > 
> > -- 
> > 
> > 
> > Marc Sommer                             I::Dev
> > +49 721 91374-364                       Schlund + Partner AG
> > PGP Key-ID: 0743ED19                    http://www.schlund.de
> 
-- 


Marc Sommer                             I::Dev
+49 721 91374-364                       Schlund + Partner AG
PGP Key-ID: 0743ED19                    http://www.schlund.de

Attachment: signature.asc
Description: This is a digitally signed message part
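
The failure mode discussed in this thread, as an added example that is not part of the original messages or of Slide's code: it assumes first-matching-ACE-wins evaluation (consistent with the two listings above) and a hypothetical `permissions` schema with a `position` column, and shows that loading with `ORDER BY position` restores the intended order while a deny-first order locks out every user. The object URI `/files/demo`, the function names and the simplified subject matching are assumptions.

```python
import sqlite3

# Constructed data: the four ACEs from the thread, in the order the client set them.
# Tuple layout: (subject, action, inheritable, deny)
INTENDED = [
    ("/files/users/slideadmin", "/actions", True, False),
    ("/files/users/ockenfeld", "/actions", True, False),
    ("+/files/users/groups/12200963", "/actions", True, False),
    ("/files/users", "/actions", True, True),
]

def applies(ace_subject, principal, groups):
    """Simplified matching (assumption): '+' marks a group subject; otherwise
    the ACE covers the subject node itself and everything below it."""
    if ace_subject.startswith("+"):
        return ace_subject[1:] in groups
    return principal == ace_subject or principal.startswith(ace_subject + "/")

def is_granted(aces, principal, action, groups=()):
    """First matching ACE decides (assumed semantics); no match means deny."""
    for subject, ace_action, _inheritable, deny in aces:
        if ace_action == action and applies(subject, principal, groups):
            return not deny
    return False

def store_acl(db, uri, aces):
    """Persist the ACL with an explicit position so the order survives storage."""
    db.execute("CREATE TABLE IF NOT EXISTS permissions (object TEXT, position INTEGER,"
               " subject TEXT, action TEXT, inheritable INTEGER, deny INTEGER,"
               " PRIMARY KEY (object, position))")
    db.execute("DELETE FROM permissions WHERE object = ?", (uri,))
    rows = [(uri, i, s, a, int(inh), int(d)) for i, (s, a, inh, d) in enumerate(aces)]
    # Insert in reverse so the physical row order differs from the intended order.
    db.executemany("INSERT INTO permissions VALUES (?, ?, ?, ?, ?, ?)", reversed(rows))

def load_acl(db, uri):
    """ORDER BY is the only thing that guarantees the evaluation order."""
    cur = db.execute("SELECT subject, action, inheritable, deny FROM permissions"
                     " WHERE object = ? ORDER BY position", (uri,))
    return [(s, a, bool(inh), bool(d)) for s, a, inh, d in cur]

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    store_acl(db, "/files/demo", INTENDED)
    user = "/files/users/ockenfeld"
    print("ordered load :", is_granted(load_acl(db, "/files/demo"), user, "/actions"))
    print("deny first   :", is_granted(INTENDED[::-1], user, "/actions"))
```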
