Posted to soap-dev@xml.apache.org by Deane Sloan <De...@equinox.co.nz> on 2001/04/23 08:44:24 UTC

Security Issues with MimeUtils (getUniqueValue)

I noticed that the 2.1 implementation generates a security exception when
used from within an Applet in the JRE 1.3 plug-in.

It does so whilst retrieving the "user.name" system property: 

java.security.AccessControlException: access denied (java.util.PropertyPermission user.name read)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
    at java.lang.System.getProperty(Unknown Source)
    at org.apache.soap.util.mime.MimeUtils.getUniqueValue(MimeUtils.java:84)
    at org.apache.soap.rpc.SOAPContext.setRootPart(SOAPContext.java:375)
...

Do we really need to access (and publish) the system property "user.name" as
a part of the unique string ID in the mime headers? 
It is interesting that the documentation states "// Unique string is
<hashcode>.<currentTime>.apache-soap.<suffix>" but adds the "user.name" and
host address in the implementation. 

Is requiring this information to be sent out for correct operation a bit
dubious? I am sure most application developers wouldn't be aware of this
exchange...

Best Regards,

Deane Sloan


Re: Security Issues with MimeUtils (getUniqueValue)

Posted by Wouter Cloetens <wo...@mind.be>.

Hrmpf. I wasn't aware of this problem. There's already another outstanding
issue with non-ASCII user IDs.

You're right. We don't need this. I just put it in because that's the way
JavaMail generated a unique ID too. I'll yank it out... Thanks for pointing
out the issue.

bfn, Wouter

On Mon, Apr 23, 2001 at 06:44:24PM +1200, Deane Sloan wrote:
> 
> I noticed that the 2.1 implementation generates a security exception when
> used from within an Applet in the JRE 1.3 plug-in.
> 
> It does so whilst retrieving the "user.name" system property: 
> 
> java.security.AccessControlException: access denied
> (java.util.PropertyPermission user.name read) 	
[...]
> at org.apache.soap.util.mime.MimeUtils.getUniqueValue(MimeUtils.java:84)
> 
> Do we really need to access (and publish) the system property "user.name" as
> a part of the unique string ID in the mime headers? 
> It is interesting that the documentation states "// Unique string is
> <hashcode>.<currentTime>.apache-soap.<suffix>" but adds the "user.name" and
> host address in the implementation.
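
Added example, not part of the thread and not the Apache SOAP source: one way to build a unique value in the documented `<hashcode>.<currentTime>.apache-soap.<suffix>` layout without calling System.getProperty or looking up the host address, so the unique-value code itself needs no PropertyPermission and publishes no user name or host address in the MIME headers. The class name, the random per-JVM token used in the `<hashcode>` position, the suffix check and the sample suffix are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.concurrent.atomic.AtomicLong;

// Hypothetical helper for illustration; not org.apache.soap.util.mime.MimeUtils.
public final class UniqueValueExample {
    private static final SecureRandom RANDOM = new SecureRandom();
    // Random per-JVM token: separates processes without naming the user or host.
    private static final String INSTANCE = Long.toHexString(RANDOM.nextLong());
    // Counter keeps values distinct when several are made in the same millisecond.
    private static final AtomicLong SEQUENCE = new AtomicLong();

    private UniqueValueExample() {}

    // Builds <token>.<currentTime>.apache-soap.<suffix> from data that is safe
    // to publish; no system property is read and no host lookup is made here.
    public static String getUniqueValue(String suffix) {
        requireHeaderSafe(suffix);
        String token = INSTANCE + "-" + Long.toHexString(SEQUENCE.getAndIncrement());
        return token + "." + System.currentTimeMillis() + ".apache-soap." + suffix;
    }

    // Accept only a conservative ASCII set so the value cannot carry CR/LF,
    // angle brackets or non-ASCII characters into a MIME header.
    private static void requireHeaderSafe(String s) {
        if (s == null || s.isEmpty()) {
            throw new IllegalArgumentException("suffix must not be empty");
        }
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_';
            if (!ok) {
                throw new IllegalArgumentException("unsafe character at index " + i);
            }
        }
    }

    public static void main(String[] args) {
        // "part1" is a constructed sample suffix.
        System.out.println(getUniqueValue("part1"));
        System.out.println(getUniqueValue("part1"));
    }
}
```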