[jboss-jira] [JBoss JIRA] (WFLY-7950) Coverity static analysis: Non-Serializable SecurityIdentity is contained in Serializable ElytronAccount
Martin Choma (JIRA)
issues at jboss.org
Wed Jan 25 04:06:03 EST 2017
[ https://issues.jboss.org/browse/WFLY-7950?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martin Choma updated WFLY-7950:
-------------------------------
Description:
Coverity static analysis found Serializable ElytronAccount contains non-Serializable SecurityIdentity.
https://scan7.coverity.com/reports.htm#v23632/p12664/fileInstanceId=8622358&defectInstanceId=2151938&mergedDefectId=1389592
Please resolve this inconsistent situation.
By dev feedback SecurityIdentity can't be made Serializable. Rework to remove SecurityIdentity from ElytronAccount was suggested.
{code:title=hipchat.log}
[3:23 PM] Martin Choma: Shouldn't be SecurityIdentity Serializable? - because of HttpSession replication?
[3:23 PM] Darran Lofthouse: No it can't be
[3:24 PM] Darran Lofthouse: it is backed by implementation as well as state
[3:25 PM] David M. Lloyd: right it would essentially be a security hole to be able to deserialize an identity
[3:26 PM] David M. Lloyd: among other problems
[3:26 PM] Darran Lofthouse: on the far side we restore the identity instead of deserializing it
[3:31 PM] Martin Choma: I got it. Thing is static analyzer is complaining elytron-web ElytronAccount (Serializable class) is referencing SecurityIdentity, but probably problem is ElytronAccount does not have to be mark as Serializable, right?
[3:34 PM] Darran Lofthouse: @MartinChoma we may be able to re-work that and remove the reference to SI
{code}
was:
Coverity static analysis found Serializable ElytronAccount contains non-Serializable SecurityIdentity.
https://scan7.coverity.com/reports.htm#v23632/p12664/fileInstanceId=8486751&defectInstanceId=2122705&mergedDefectId=1389593
Please resolve this inconsistent situation.
By dev feedback SecurityIdentity can't be made Serializable. Rework to remove SecurityIdentity from ElytronAccount was suggested.
{code:title=hipchat.log}
[3:23 PM] Martin Choma: Shouldn't be SecurityIdentity Serializable? - because of HttpSession replication?
[3:23 PM] Darran Lofthouse: No it can't be
[3:24 PM] Darran Lofthouse: it is backed by implementation as well as state
[3:25 PM] David M. Lloyd: right it would essentially be a security hole to be able to deserialize an identity
[3:26 PM] David M. Lloyd: among other problems
[3:26 PM] Darran Lofthouse: on the far side we restore the identity instead of deserializing it
[3:31 PM] Martin Choma: I got it. Thing is static analyzer is complaining elytron-web ElytronAccount (Serializable class) is referencing SecurityIdentity, but probably problem is ElytronAccount does not have to be mark as Serializable, right?
[3:34 PM] Darran Lofthouse: @MartinChoma we may be able to re-work that and remove the reference to SI
{code}
> Coverity static analysis: Non-Serializable SecurityIdentity is contained in Serializable ElytronAccount
> -------------------------------------------------------------------------------------------------------
>
> Key: WFLY-7950
> URL: https://issues.jboss.org/browse/WFLY-7950
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
>
> Coverity static analysis found Serializable ElytronAccount contains non-Serializable SecurityIdentity.
> https://scan7.coverity.com/reports.htm#v23632/p12664/fileInstanceId=8622358&defectInstanceId=2151938&mergedDefectId=1389592
> Please resolve this inconsistent situation.
> By dev feedback SecurityIdentity can't be made Serializable. Rework to remove SecurityIdentity from ElytronAccount was suggested.
> {code:title=hipchat.log}
> [3:23 PM] Martin Choma: Shouldn't be SecurityIdentity Serializable? - because of HttpSession replication?
> [3:23 PM] Darran Lofthouse: No it can't be
> [3:24 PM] Darran Lofthouse: it is backed by implementation as well as state
> [3:25 PM] David M. Lloyd: right it would essentially be a security hole to be able to deserialize an identity
> [3:26 PM] David M. Lloyd: among other problems
> [3:26 PM] Darran Lofthouse: on the far side we restore the identity instead of deserializing it
> [3:31 PM] Martin Choma: I got it. Thing is static analyzer is complaining elytron-web ElytronAccount (Serializable class) is referencing SecurityIdentity, but probably problem is ElytronAccount does not have to be mark as Serializable, right?
> [3:34 PM] Darran Lofthouse: @MartinChoma we may be able to re-work that and remove the reference to SI
> {code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
More information about the jboss-jira
mailing list