You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "Tomas Vavricka (Jira)" <ji...@apache.org> on 2022/11/11 12:23:00 UTC

[jira] [Closed] (QPID-8553) [Broker-J] HP Fortify: Weak SecurityManager Check: Overridable Method

     [ https://issues.apache.org/jira/browse/QPID-8553?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tomas Vavricka closed QPID-8553.
--------------------------------

> [Broker-J] HP Fortify: Weak SecurityManager Check: Overridable Method
> ---------------------------------------------------------------------
>
>                 Key: QPID-8553
>                 URL: https://issues.apache.org/jira/browse/QPID-8553
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>    Affects Versions: qpid-java-broker-8.0.5
>            Reporter: Daniil Kirilyuk
>            Priority: Minor
>             Fix For: qpid-java-broker-9.0.0
>
>
> HP Fortify complains that classes defining security may be overridden by sub-classes and thereby by-passing the security features:
> broker-plugins/access-control/src/main/org/apache/qpid/server/security/access/config/RuleBasedAccessControl.java
> Line 58 newToken() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
> Line 75 authorise() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
> broker-core/src/main/java/org/apache/qpid/server/model/BrokerImpl.java
> Line 1022 getConnectionMetaData() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
> Line 1046 getGroups() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
> broker-plugins/management-http/src/main/org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.java
> Line 79 doGet() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
> broker-plugins/amqp-0-8-protocol/org/apache/qpid/server/protocol/v0_8/AMQPConnection_0_8Impl.java
> Line 699 readerIdle() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
> Executes privileged action.
> broker-plugins/logging-logback/src/main/org/apache/qpid/server/logging/logback/ConnectionAndUserPredicate.java
> Line 43 evaluate() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
> broker-plugins/amqp-1-0-protocol/src/main/org/apache/qpid/server/protocol/v1_0/AMQPConnection_1_0Impl.java
> Line 444 receive() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
> Line 1269 readerIdle() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
> Line 1340 receivedComplete() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
> broker-plugins/amqp-0-8-protocol/src/main/org/apache/qpid/server/protocol/v0_8/BrokerDecoder.java
> Line 78 processAMQPFrames() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
> Executes privileged action.
> broker-core/src/main/java/org/apache/qpid/server/security/CompoundAccessControl.java
> Line 68 newToken() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
> broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/ServerAssembler.java
> Line 72 received() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
> Executes privileged action.
> broker-plugins/amqp-0-10-protocol/src/main/java/org/apache/qpid/server/protocol/v0_10/AMQPConnection_0_10Impl.java
> Line 165 readerIdle() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
> Line 182 closed() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
> Executes privileged action.
> broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ProxyMessageSource.java
> Line 152 addConsumer() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
> broker-plugins/management-amqp/src/main/java/org/apache/qpid/server/management/amqp/ManagementAddressSpace.java
> Line 172 getProxyNode() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
> broker-plugins/logging-logback/src/main/java/org/apache/qpid/server/logging/logback/PrincipalLogEventFilter.java
> Line 43 decide() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
> broker-plugins/amqp-0-8-protocol/src/main/java/org/apache/qpid/server/protocol/v0_8/AMQChannel.java
> Line 303 receivedComplete() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.
> broker-core/src/main/java/org/apache/qpid/server/queue/AbstractQueue.java
> Line 359 onOpen() - Non-final methods that perform security checks may be overridden in ways that bypass security checks.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org