[jboss-dev-forums] [Design of Messaging on JBoss (Messaging/JBoss)] - Re: moving SecurityAspect to be an interceptor
timfox
do-not-reply at jboss.com
Thu Feb 7 06:38:08 EST 2008
"ataylor" wrote: That would be exploitable since a rogue client could just send (guess) someone else's user id. Is that different from how the CreateConnectionRequest works now?
Yes.
The create connection request takes a user id *and* a password. The password is hard to guess.
If you authenticate and then allow the same user id to be used in subsequent operations without a password, then that's exploitable, since authentication is already done by that point.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4127328#4127328
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4127328
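The design point in the post above, shown as an added example that is not code from JBoss Messaging or from either poster: two toy message servers, written in Python as a language-agnostic sketch. The first authenticates once with user id and password, then trusts a user id sent with every later request, so a client that knows (or guesses) another user's id can act as that user. The second binds the authenticated principal to the connection handle on the server side, so later requests carry only the handle and the identity cannot be spoofed. The user table, queue permissions, salt and passwords are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed credential store: username -> PBKDF2 hash of the password.
# The salt and passwords are demo values, not real configuration.
_SALT = b"constructed-demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash("alice-secret"), "bob": _hash("bob-secret")}
# Constructed authorization table: which queues each principal may send to.
PERMS = {"alice": {"queue/orders"}, "bob": {"queue/audit"}}


class AuthError(Exception):
    """Authentication failed or the connection handle is unknown."""


class NotAuthorized(Exception):
    """Authenticated principal is not allowed to perform the operation."""


def _check_password(user: str, password: str) -> None:
    stored = USERS.get(user)
    # Constant-time compare; do the compare even for unknown users so the
    # timing does not leak which user ids exist.
    supplied = _hash(password)
    if stored is None or not hmac.compare_digest(stored, supplied):
        raise AuthError("bad user id or password")


class InsecureServer:
    """The exploitable design from the thread: the user id is checked with a
    password once, but every later operation re-reads a user id from the
    client and authorizes against that claim."""

    def __init__(self) -> None:
        self.connections: set[str] = set()

    def create_connection(self, user: str, password: str) -> str:
        _check_password(user, password)
        handle = secrets.token_hex(16)
        self.connections.add(handle)  # identity is NOT recorded
        return handle

    def send(self, handle: str, claimed_user: str, queue: str) -> str:
        if handle not in self.connections:
            raise AuthError("unknown connection")
        # Flaw: claimed_user comes from the client and is never verified.
        if queue not in PERMS.get(claimed_user, set()):
            raise NotAuthorized(f"{claimed_user} may not send to {queue}")
        return f"{claimed_user} sent to {queue}"


class SecureServer:
    """Hardened design: the principal is fixed server-side at authentication
    and looked up from the connection handle on every later operation."""

    def __init__(self) -> None:
        self.connections: dict[str, str] = {}

    def create_connection(self, user: str, password: str) -> str:
        _check_password(user, password)
        handle = secrets.token_hex(16)  # unguessable, unlike a user id
        self.connections[handle] = user  # bind principal to the connection
        return handle

    def send(self, handle: str, queue: str) -> str:
        user = self.connections.get(handle)
        if user is None:
            raise AuthError("unknown connection")
        if queue not in PERMS[user]:
            raise NotAuthorized(f"{user} may not send to {queue}")
        return f"{user} sent to {queue}"


def demo() -> tuple[str, bool]:
    """Bob authenticates as himself on both servers, then tries to send to
    alice's queue. Returns (result on the insecure server, whether the
    secure server blocked the attempt)."""
    insecure = InsecureServer()
    h = insecure.create_connection("bob", "bob-secret")
    spoofed = insecure.send(h, "alice", "queue/orders")  # succeeds: bob acts as alice

    secure = SecureServer()
    h2 = secure.create_connection("bob", "bob-secret")
    try:
        secure.send(h2, "queue/orders")  # no user id parameter to forge
        blocked = False
    except NotAuthorized:
        blocked = True
    return spoofed, blocked


if __name__ == "__main__":
    print(demo())
```

The only thing the client holds after `create_connection` in the hardened design is a random handle; guessing another user's id buys nothing because identity is never read from the request again, which is the point timfox makes about authentication already being complete by then.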
More information about the jboss-dev-forums mailing list