On Tue, Jul 12, 2011 at 8:53 AM, Emmanuel Lécharny <[email protected]> wrote:
> On 7/12/11 2:21 AM, Alex Karasulu wrote:
>>
>> On Mon, Jul 11, 2011 at 9:55 AM, Emmanuel Lecharny <[email protected]> wrote:
>>>
>>> I'm not sure it's a good idea to set up a default session, at least to admin.
>>> If we consider the normal (i.e., not embedded) server, we don't set any session; the default session is Anonymous (of course, if allowed). IMO, this might be a security breach too.
>>>
>>> What was the rationale for this modification, Alex?
>>
>> First, there was a big null pointer exception due to this not being set. Second, taking a big step back, I thought about it, and if I have a handle on DirectoryService I can pretty much do anything anyway. If I'm using CoreSessions and DirectoryServices I can use any kind of session; there's no security barrier there. So IMO there's no security issue here in defaulting to an admin session.
>
> Makes sense. I'm just wondering if we shouldn't mimic the way the LDAP server works by forcing the session to use an anonymous principal by default, instead of an admin one.

That might be better for consistency and also the safe road to take.

> I shouldn't have used the term 'security issue'; it's not really a problem in this case. What I had in mind is that if someone wants to use an Admin session, it's probably better to require that he explicitly create such a session. Call it 'protection against stupid move'...
>
> PS: NPE? ouch...

Yeah, Kiran commented on that.

> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com

--
Best Regards,
-- Alex
