Posted to dev@tomcat.apache.org by John Holman <j....@qmul.ac.uk> on 2002/07/27 18:24:20 UTC

Patch for security problem

Bug 11210 (http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11210) is a 
security problem which could have serious effects for people using 
JNDIRealm with the Netscape/iPlanet JNDI LDAP provider 
(com.netscape.jndi.ldap.LdapContextFactory). The default provider 
(com.sun.jndi.ldap.LdapCtxFactory) works OK.

I believe the problem is due to a failure of the Netscape/iPlanet 
provider to conform to the JNDI 1.2 specification - see the bugzilla 
report for details. However, getting that fixed is likely to take a 
while. The bug report includes a patch to JNDIRealm which avoids the 
problem. Could someone please have a look at it and hopefully commit it? 
(Remy has been committing my JNDIRealm patches but now that he's on 
holiday/has left Sun I'm not sure how things stand).

Thanks, John
