Posted to soap-dev@xml.apache.org by Deane Sloan <De...@equinox.co.nz> on 2001/04/23 08:44:24 UTC
Security Issues with MimeUtils (getUniqueValue)
I noticed that the 2.1 implementation generates a security exception when
used from within an Applet in the JRE 1.3 plug-in.

It does so whilst retrieving the "user.name" system property:

java.security.AccessControlException: access denied (java.util.PropertyPermission user.name read)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
    at java.lang.System.getProperty(Unknown Source)
    at org.apache.soap.util.mime.MimeUtils.getUniqueValue(MimeUtils.java:84)
    at org.apache.soap.rpc.SOAPContext.setRootPart(SOAPContext.java:375)
    ...

Do we really need to access (and publish) the system property "user.name" as
a part of the unique string ID in the mime headers?
It is interesting that the documentation states "// Unique string is
<hashcode>.<currentTime>.apache-soap.<suffix>" but adds the "user.name" and
host address in the implementation.

Is requiring this information to be sent out for correct operation a bit
dubious? I am sure most application developers wouldn't be aware of this
exchange...

Best Regards,
Deane Sloan

Re: Security Issues with MimeUtils (getUniqueValue)
Posted by Wouter Cloetens <wo...@mind.be>.
Hrmpf. I wasn't aware of this problem. There's already another outstanding
issue with non-ASCII user IDs.
You're right. We don't need this. I just put it in because that's the way
JavaMail generated a unique ID too. I'll yank it out... Thanks for pointing
out the issue.
bfn, Wouter
On Mon, Apr 23, 2001 at 06:44:24PM +1200, Deane Sloan wrote:
>
> I noticed that the 2.1 implementation generates a security exception when
> used from within an Applet in the JRE 1.3 plug-in.
>
> It does so whilst retrieving the "user.name" system property:
>
> java.security.AccessControlException: access denied
> (java.util.PropertyPermission user.name read)
[...]
> at org.apache.soap.util.mime.MimeUtils.getUniqueValue(MimeUtils.java:84)
>
> Do we really need to access (and publish) the system property "user.name" as
> a part of the unique string ID in the mime headers?
> It is interesting that the documentation states "// Unique string is
> <hashcode>.<currentTime>.apache-soap.<suffix>" but adds the "user.name" and
> host address in the implementation.
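
Added example (not part of the thread and not Apache SOAP's code): a sketch of the change agreed above, generating the MIME unique value in the documented shape without reading "user.name" or the host address. The class and method names, the "@" layout in `leakyUniqueValue` (a hypothetical reconstruction of the described pattern), the sample suffix, and the use of a random token in place of the hash code are all assumptions.

```java
import java.net.InetAddress;
import java.security.SecureRandom;

public class UniqueValueExample {
    private static final SecureRandom RNG = new SecureRandom();

    // Hypothetical reconstruction of the pattern discussed in the thread (not the
    // MimeUtils source): account name and host address are mixed into the ID.
    // Under a sandboxing SecurityManager, getProperty("user.name") needs
    // PropertyPermission("user.name", "read") and throws when it is not granted.
    static String leakyUniqueValue(String suffix) throws Exception {
        String user = System.getProperty("user.name");
        String host = InetAddress.getLocalHost().getHostAddress();
        return (user + host).hashCode() + "." + System.currentTimeMillis()
                + ".apache-soap." + user + "@" + host + "." + suffix;
    }

    // Keeps the documented shape <token>.<currentTime>.apache-soap.<suffix>, with a
    // random token where the hash code would be (an assumption of this example).
    // No system property or address lookup, so no permission is needed, nothing
    // about the sender is disclosed, and the value is ASCII-only.
    static String uniqueValue(String suffix) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        StringBuilder token = new StringBuilder();
        for (byte b : raw) {
            token.append(String.format("%02x", b));
        }
        return token + "." + System.currentTimeMillis() + ".apache-soap." + suffix;
    }

    public static void main(String[] args) throws Exception {
        String suffix = "example.invalid"; // constructed sample suffix
        String safe = uniqueValue(suffix);
        System.out.println("safe : <" + safe + ">");
        try {
            String leaky = leakyUniqueValue(suffix);
            System.out.println("leaky: <" + leaky + ">");
        } catch (SecurityException e) {
            // The failure reported in the thread: the sandbox refuses the read.
            System.out.println("leaky: refused by sandbox: " + e.getMessage());
        }
        // An ID that other parts may reference must not repeat within a message.
        if (safe.equals(uniqueValue(suffix))) {
            throw new IllegalStateException("duplicate ID generated");
        }
    }
}
```

Because the token is hex only, the non-ASCII user ID problem mentioned in the reply cannot arise in the generated header value.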