[jboss-dev-forums] [Design of Messaging on JBoss (Messaging/JBoss)] - Re: moving SecurityAspect to be an interceptor
ataylor
do-not-reply at jboss.com
Thu Feb 7 07:26:51 EST 2008
Yes.
|
| Create connection request takes a user id, *and* a password. The password is hard to guess.
|
| If you authenticate and then allow the same user id to be used in subsequent operations without a password, then that's exploitable, since authentication is already done by that point.
of course!
anonymous wrote : Instead you could maintain a map of packet target id to user id in the server side filter and use that.
Ok, so adding and removing the users from the map on creating a connection and closing a connection is fine. If the server closes the connection via the connection manager on client fail, the interceptor wouldn't get called and the user would remain in the map.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4127340#4127340
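The scheme the thread is converging on, as an added example that is not code from the original post or from JBoss Messaging: the create-connection request is authenticated with user id and password, the server-side filter then binds the connection's packet target id to the authenticated user in a map, later packets are run as whatever user the map says (the user id they carry is ignored), and the entry is removed both when the client sends a close and when the connection manager tears the connection down on client failure. `Packet`, `CredentialStore`, `SecurityFilter`, `ConnectionManager`, the field and method names, and the credentials are all assumptions made up for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

/*
 * Added example, not JBoss Messaging code. All class, field and method names
 * are assumed; the real interceptor and connection manager look different.
 */
public class ConnectionBindingExample {

    /** Constructed wire message carrying only the fields the discussion relies on. */
    static final class Packet {
        enum Type { CREATE_CONNECTION, SEND, CLOSE_CONNECTION }
        final Type type;
        final String targetId;  // server-side object the packet is addressed to
        final String userId;    // client-supplied; only trusted on CREATE_CONNECTION
        final String password;  // only present on CREATE_CONNECTION
        Packet(Type type, String targetId, String userId, String password) {
            this.type = type; this.targetId = targetId;
            this.userId = userId; this.password = password;
        }
    }

    /** Constructed credential store standing in for the real security manager. */
    static final class CredentialStore {
        private final Map<String, String> passwords = new HashMap<>();
        CredentialStore() {
            passwords.put("alice", "alice-pw-constructed");
            passwords.put("bob", "bob-pw-constructed");
        }
        boolean check(String user, String password) {
            String expected = passwords.get(user);
            if (expected == null || password == null) return false;
            // constant-time comparison so the check does not leak via timing
            return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
        }
    }

    /** Server-side filter holding packet target id -> authenticated user. */
    static final class SecurityFilter {
        private final Map<String, String> targetToUser = new HashMap<>();
        private final CredentialStore store;
        SecurityFilter(CredentialStore store) { this.store = store; }

        /** Returns the user the packet runs as, or null if it must be rejected. */
        synchronized String intercept(Packet p) {
            switch (p.type) {
                case CREATE_CONNECTION:
                    // the only place the client-supplied user id and password are trusted
                    if (!store.check(p.userId, p.password)) return null;
                    if (targetToUser.containsKey(p.targetId)) return null; // id already bound
                    targetToUser.put(p.targetId, p.userId);
                    return p.userId;
                case SEND:
                    // p.userId is deliberately ignored: honouring it after authentication
                    // would let any packet on this target claim any user
                    return targetToUser.get(p.targetId);
                case CLOSE_CONNECTION:
                    return targetToUser.remove(p.targetId);
                default:
                    return null;
            }
        }

        /** Hook for server-initiated closes, which never pass through intercept(). */
        synchronized void connectionClosedByServer(String targetId) {
            targetToUser.remove(targetId);
        }

        synchronized boolean isBound(String targetId) {
            return targetToUser.containsKey(targetId);
        }
    }

    /** Constructed stand-in for the connection manager's client-failure path. */
    static final class ConnectionManager {
        private final SecurityFilter filter;
        ConnectionManager(SecurityFilter filter) { this.filter = filter; }
        void closeOnClientFailure(String targetId) {
            // ... release connection resources, then evict the identity binding
            filter.connectionClosedByServer(targetId);
        }
    }

    public static void main(String[] args) {
        SecurityFilter filter = new SecurityFilter(new CredentialStore());
        ConnectionManager manager = new ConnectionManager(filter);

        String who = filter.intercept(new Packet(Packet.Type.CREATE_CONNECTION,
                "t1", "alice", "alice-pw-constructed"));
        System.out.println("create t1 as alice -> " + who);

        who = filter.intercept(new Packet(Packet.Type.SEND, "t1", "bob", null));
        System.out.println("send on t1 claiming to be bob -> runs as " + who);

        who = filter.intercept(new Packet(Packet.Type.SEND, "t9", "alice", null));
        System.out.println("send on unbound t9 -> " + who);

        manager.closeOnClientFailure("t1");
        System.out.println("t1 still bound after server-side close? " + filter.isBound("t1"));
    }
}
```

Run with `java ConnectionBindingExample.java`. The last step is the point raised at the end of the post: a connection closed by the connection manager never produces a CLOSE_CONNECTION packet, so the filter only stays consistent if that path calls the same removal the interceptor performs; in this model a leftover entry keeps the old user bound to the target id until something removes it.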