[ https://issues.apache.org/jira/browse/KARAF-4208?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jean-Baptiste Onofré updated KARAF-4208:
----------------------------------------
    Fix Version/s: (was: 4.0.7)
                   4.0.8

> Poor Error Handling: Empty Catch Block
> --------------------------------------
>
>                 Key: KARAF-4208
>                 URL: https://issues.apache.org/jira/browse/KARAF-4208
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>             Fix For: 4.1.0, 4.0.8
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application
> security analysis of the Karaf source code.
>
> The method authenticate() in JaasSecurityProvider.java ignores an exception
> on line 215, which could cause the program to overlook unexpected states and
> conditions. In this case an authentication has failed, and the attempt to
> respond to the client and let them know has also failed. The comment
> indicates that nothing can be done about the problem, but the issue should be
> logged for further investigation or forensics purposes.
>
> File:
> webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java
> Line: 215
>
> JaasSecurityProvider.java, lines 207-218:
> {code}
> 207         // request authentication
> 208         try
> 209         {
> 210             response.setHeader( HEADER_WWW_AUTHENTICATE, AUTHENTICATION_SCHEME_BASIC + " realm=\"" + this.realm + "\"" );
> 211             response.setStatus( HttpServletResponse.SC_UNAUTHORIZED );
> 212             response.setContentLength( 0 );
> 213             response.flushBuffer();
> 214         }
> 215         catch ( IOException ioe )
> 216         {
> 217             // failed sending the response ... cannot do anything about it
> 218         }
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
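As an added illustration (not code from Karaf or the Felix webconsole), the same 401 challenge is shown with the empty catch block beside a version that records the failure with request context, which is what the report asks for; the class name, the use of java.util.logging, and the values of the two header constants are assumptions.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (not the Karaf/Felix webconsole code): the Basic-auth challenge
// from JaasSecurityProvider.authenticate(), before and after the fix suggested in KARAF-4208.
public final class BasicAuthChallenge {
    private static final Logger LOG = Logger.getLogger(BasicAuthChallenge.class.getName());
    // Assumed values; the issue only shows the constant names.
    private static final String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
    private static final String AUTHENTICATION_SCHEME_BASIC = "Basic";
    private final String realm;

    public BasicAuthChallenge(String realm) { this.realm = realm; }

    // BEFORE (as reported): the IOException is swallowed, so a failed challenge
    // leaves no trace for operators or for later forensics.
    public void challengeSwallowing(HttpServletResponse response) {
        try {
            sendChallenge(response);
        } catch (IOException ioe) {
            // failed sending the response ... cannot do anything about it
        }
    }

    // AFTER: still returns normally (nothing more can be done for this client),
    // but the failure is logged with enough context to investigate repeated occurrences.
    public void challengeLogging(HttpServletRequest request, HttpServletResponse response) {
        try {
            sendChallenge(response);
        } catch (IOException ioe) {
            LOG.log(Level.WARNING,
                    "Failed to send 401 challenge for {0} {1} from {2} (response committed={3})",
                    new Object[] { request.getMethod(), request.getRequestURI(),
                                   request.getRemoteAddr(), response.isCommitted() });
            LOG.log(Level.FINE, "Stack trace for failed 401 challenge", ioe);
        }
    }

    private void sendChallenge(HttpServletResponse response) throws IOException {
        response.setHeader(HEADER_WWW_AUTHENTICATE,
                AUTHENTICATION_SCHEME_BASIC + " realm=\"" + realm + "\"");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentLength(0);
        response.flushBuffer();
    }
}
```

Logging the stack trace at a lower level keeps the warning line readable while still allowing a full trace to be enabled when a pattern of failures needs investigation.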