You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@karaf.apache.org by "Eduardo Aguinaga (JIRA)" <ji...@apache.org> on 2015/12/15 17:10:47 UTC

[jira] [Created] (KARAF-4208) Poor Error Handling: Empty Catch Block

Eduardo Aguinaga created KARAF-4208:
---------------------------------------

             Summary: Poor Error Handling: Empty Catch Block
                 Key: KARAF-4208
                 URL: https://issues.apache.org/jira/browse/KARAF-4208
             Project: Karaf
          Issue Type: Bug
    Affects Versions: 4.0.3
            Reporter: Eduardo Aguinaga


HP Fortify SCA and SciTools Understand were used to perform an application security analysis of the karaf source code.

The method authenticate() in JaasSecurityProvider.java ignores an exception on line 215, which could cause the program to overlook unexpected states and conditions. In this case an authentication has failed and the attempt to respond to the client and  let them know has also failed. The comment indicates that nothing can be done about the problem but the issue should be logged for further investigation or forensics purposes.

File: webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java
Line: 215

JaasSecurityProvider.java, lines 207-218:
207 // request authentication
208 try
209 {
210     response.setHeader( HEADER_WWW_AUTHENTICATE, AUTHENTICATION_SCHEME_BASIC + " realm=\"" + this.realm + "\"" );
211     response.setStatus( HttpServletResponse.SC_UNAUTHORIZED );
212     response.setContentLength( 0 );
213     response.flushBuffer();
214 }
215 catch ( IOException ioe )
216 {
217     // failed sending the response ... cannot do anything about it
218 }



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)