This is a general alert for all Java applications; hence it also affects users of the JBoss ecosystem.
Oracle has released JDK 1.6 Update 24 to resolve the security vulnerability outlined in http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html
So, please upgrade to the Oracle JVM 1.6u24 as soon as possible.
As always, please refer to the community notification page at JBoss.
http://community.jboss.org/wiki/SecurityVulnerabilitiesNotificationtoCommunity
Monday, February 21, 2011
Wednesday, February 9, 2011
JBoss users upgrade to Oracle/Sun JVM JDK 1.6 Update 23 and apply FP Updater Tool
A serious vulnerability in the JVM (CVE-2010-4476) has been identified and addressed by Oracle/Sun. Please see the following article for more details:
http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html
This issue affects all Java applications that may convert between double and String values.
In summary, JBoss AS users should upgrade to JDK 1.6 Update 23 and apply the Floating Point Updater Tool from here.
JDK/JRE 6 Update 24 (forthcoming) will fix the issue. Until then, please run the updater tool.
Reference Page for JBoss AS Security Vulnerabilities: http://community.jboss.org/wiki/SecurityVulnerabilitiesNotificationtoCommunity
Additional information is available in Oracle's blog post.
======================================================
Tuesday, February 1, 2011
Usage: JBoss XACML
Project PicketBox from JBoss has an XACML engine that can be used in a Java environment.
Assuming that your configuration file is available, something like the following should work for you:
import java.io.InputStream;

import org.jboss.security.xacml.core.JBossPDP;
import org.jboss.security.xacml.factories.RequestResponseContextFactory;
import org.jboss.security.xacml.interfaces.PolicyDecisionPoint;
import org.jboss.security.xacml.interfaces.RequestContext;
import org.jboss.security.xacml.interfaces.ResponseContext;
import org.jboss.security.xacml.interfaces.XACMLConstants;

//Get hold of an InputStream to the PDP config file (MY_CONFIG_FILE is its classpath name)
ClassLoader tcl = Thread.currentThread().getContextClassLoader();
InputStream is = tcl.getResourceAsStream( MY_CONFIG_FILE );
PolicyDecisionPoint pdp = new JBossPDP(is);

//Form your RequestContext by some means, e.g. by parsing an XACML request document
RequestContext requestContext = RequestResponseContextFactory.createRequestCtx();
requestContext.readRequest( requestStream ); //Read the XACML request from a separate InputStream
//requestContext.readRequest( node );        //...or parse the XACML request from a DOM node

//Evaluate the request against the configured policies
ResponseContext response = pdp.evaluate(requestContext);
int decision = response.getDecision(); //Decision can be one of XACMLConstants.DECISION_DENY,
                                       //XACMLConstants.DECISION_PERMIT, DECISION_INDETERMINATE
                                       //or DECISION_NOT_APPLICABLE
============================
If you need to look at code examples: http://community.jboss.org/wiki/XACMLPDPSOAPService
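To show the snippet above as a complete, fail-closed access check, here is an added example (it is not code from the post or from the PicketBox project). It assumes a PicketBox XACML PDP configuration named policyConfig.xml on the classpath (a hypothetical name) and embeds a constructed XACML 2.0 request in which subject "alice" asks to "read" the resource "/reports/q1". Only an explicit PERMIT grants access; DENY, INDETERMINATE and NOT_APPLICABLE are all treated as a refusal, which is the safe default for a policy enforcement point.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;

import org.jboss.security.xacml.core.JBossPDP;
import org.jboss.security.xacml.factories.RequestResponseContextFactory;
import org.jboss.security.xacml.interfaces.PolicyDecisionPoint;
import org.jboss.security.xacml.interfaces.RequestContext;
import org.jboss.security.xacml.interfaces.ResponseContext;
import org.jboss.security.xacml.interfaces.XACMLConstants;

public class XacmlAccessCheck {

    // Hypothetical classpath location of the PicketBox XACML PDP configuration
    private static final String CONFIG_FILE = "policyConfig.xml";

    private static final String XS_STRING = "http://www.w3.org/2001/XMLSchema#string";

    // Constructed XACML 2.0 request: subject "alice" wants to "read" "/reports/q1"
    private static final String SAMPLE_REQUEST =
          "<Request xmlns=\"urn:oasis:names:tc:xacml:2.0:context:schema:os\">"
        + "<Subject><Attribute AttributeId=\"urn:oasis:names:tc:xacml:1.0:subject:subject-id\""
        + " DataType=\"" + XS_STRING + "\"><AttributeValue>alice</AttributeValue></Attribute></Subject>"
        + "<Resource><Attribute AttributeId=\"urn:oasis:names:tc:xacml:1.0:resource:resource-id\""
        + " DataType=\"" + XS_STRING + "\"><AttributeValue>/reports/q1</AttributeValue></Attribute></Resource>"
        + "<Action><Attribute AttributeId=\"urn:oasis:names:tc:xacml:1.0:action:action-id\""
        + " DataType=\"" + XS_STRING + "\"><AttributeValue>read</AttributeValue></Attribute></Action>"
        + "<Environment/>"
        + "</Request>";

    private final PolicyDecisionPoint pdp;

    // The PDP is built once from the config stream and reused for every decision
    public XacmlAccessCheck(InputStream config) {
        this.pdp = new JBossPDP(config);
    }

    // Parses an XACML request document, asks the PDP for a decision and
    // returns the raw decision code (one of the XACMLConstants.DECISION_* values)
    public int decide(InputStream xacmlRequest) throws Exception {
        RequestContext request = RequestResponseContextFactory.createRequestCtx();
        request.readRequest(xacmlRequest);
        ResponseContext response = pdp.evaluate(request);
        return response.getDecision();
    }

    // Fail closed: only an explicit PERMIT grants access. DENY, INDETERMINATE
    // (policy error or missing attribute) and NOT_APPLICABLE (no matching policy)
    // are all refusals from the enforcement point's perspective.
    public boolean isPermitted(InputStream xacmlRequest) throws Exception {
        return decide(xacmlRequest) == XACMLConstants.DECISION_PERMIT;
    }

    // Human-readable name of a decision code, useful for audit logging
    public static String describe(int decision) {
        if (decision == XACMLConstants.DECISION_PERMIT) {
            return "PERMIT";
        } else if (decision == XACMLConstants.DECISION_DENY) {
            return "DENY";
        } else if (decision == XACMLConstants.DECISION_INDETERMINATE) {
            return "INDETERMINATE";
        } else if (decision == XACMLConstants.DECISION_NOT_APPLICABLE) {
            return "NOT_APPLICABLE";
        }
        return "UNKNOWN(" + decision + ")";
    }

    public static void main(String[] args) throws Exception {
        ClassLoader tcl = Thread.currentThread().getContextClassLoader();
        InputStream config = tcl.getResourceAsStream(CONFIG_FILE);
        if (config == null) {
            throw new IllegalStateException("PDP config " + CONFIG_FILE + " not found on classpath");
        }
        XacmlAccessCheck check = new XacmlAccessCheck(config);

        // Each evaluation needs a fresh stream; the same bytes are parsed twice here
        // so that both the audit line and the enforcement decision can be shown
        int decision = check.decide(new ByteArrayInputStream(SAMPLE_REQUEST.getBytes("UTF-8")));
        boolean allowed = check.isPermitted(new ByteArrayInputStream(SAMPLE_REQUEST.getBytes("UTF-8")));
        System.out.println("alice read /reports/q1 -> " + describe(decision)
                + " (access " + (allowed ? "granted" : "refused") + ")");
    }
}
```

The outcome naturally depends on the policies referenced from the configuration file; the point of the class is the mapping in isPermitted, which refuses anything the PDP does not explicitly permit, and the describe helper, which lets the enforcement point log the exact decision so that INDETERMINATE results (usually a misconfigured policy or a missing attribute) can be distinguished from ordinary denials.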