On Mon, Jul 11, 2011 at 9:55 AM, Emmanuel Lecharny <[email protected]> wrote:
> I'm not sure it's a good idea to set up a default session, at least to admin.
> If we consider the normal (ie, not embedded) server, we don't set any
> session, the default session is Anonymous (of course if allowed). IMO, this
> might be a security breach too.
>
> What was the rationale for this modification, Alex ?
First there was a big null pointer exception due to this not being set. Second taking a big step back I thought about it and if I have a handle on DirectoryService I can pretty much do anything anyway. If I'm using CoreSessions and DirectoryServices I can use any kind of session there's no security barrier there. So IMO there's no security issue here to defaulting to an admin session. > On 7/10/11 11:23 PM, [email protected] wrote: >> >> Author: akarasulu >> Date: Sun Jul 10 21:23:02 2011 >> New Revision: 1144962 >> >> URL: http://svn.apache.org/viewvc?rev=1144962&view=rev >> Log: >> session member should be reset to an admin session when the directory >> service is set >> >> Modified: >> >> directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java >> >> Modified: >> directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java >> URL: >> http://svn.apache.org/viewvc/directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java?rev=1144962&r1=1144961&r2=1144962&view=diff >> >> ============================================================================== >> --- >> directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java >> (original) >> +++ >> directory/apacheds/trunk/core-api/src/main/java/org/apache/directory/server/core/LdapCoreSessionConnection.java >> Sun Jul 10 21:23:02 2011 >> @@ -1286,5 +1286,6 @@ public class LdapCoreSessionConnection i >> { >> this.directoryService = directoryService; >> this.schemaManager = directoryService.getSchemaManager(); >> + this.session = directoryService.getAdminSession(); >> } >> } >> >> >> > > > -- > Regards, > Cordialement, > Emmanuel Lécharny > www.iktek.com > > -- Best Regards, -- Alex
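Review bot: In the `@@ -1286,5 +1286,6 @@` hunk, the added `this.session = directoryService.getAdminSession();` runs unconditionally, so it replaces whatever session the connection already held each time the directory service is set, and a connection that is never bound explicitly then operates with admin rights. If the goal is only to avoid the null pointer exception mentioned in the reply, consider assigning only when `session` is still null, or defaulting to the least-privileged session and requiring an explicit bind to obtain admin. Either way, a comment on this method should state which identity the connection runs as by default, because nothing in the visible lines documents it.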
