[ https://issues.apache.org/jira/browse/DERBY-3537?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12581951#action_12581951 ]
Rick Hillegas commented on DERBY-3537:
--------------------------------------
Committed at Subversion revision 640828.
> Invalid use shutdown authentication checks in
> NetworkServerControlImpl.directShutdown()
> ----------------------------------------------------------------------------------------
>
> Key: DERBY-3537
> URL: https://issues.apache.org/jira/browse/DERBY-3537
> Project: Derby
> Issue Type: Bug
> Components: Network Server
> Reporter: Daniel John Debrunner
> Priority: Minor
> Attachments: DERBY-3537-01.diff, DERBY-3537-01.stat
>
>
> If ClientThread hits an SSLException exception it will call
> NetworkServerControlImpl.directShutdown().
> DERBY-2109 added privilege checking to directShutdown() that includes
> authentication.
> I can't see how this call by ClientThread can be valid. Authentication is not
> required to start the network server, thus a NetworkServerControl with no
> user,password may be used and thus passed onto directShutdown() failing
> authentication and then failing to perform the failed shutdown?
> I think the error was adding the privilege check in DERBY-2109, it looks like
> this method is for use only within the network server (actually this is the
> only use of it), maybe the correct security mechanism would have been to make
> the method package private?