
"Java 2 Platform, Enterprise Edition - Security Vulnerability of J2EE SDK 1.2.1 on Windows Platforms"

 

It is possible under certain circumstances to bypass the web security model when running the J2EE SDK 1.2.1 on Windows platforms and unintentionally expose static content or JSPs to unauthorized users. This problem does not affect users on Unix® based platforms.

This affects J2EE applications containing one or more web applications that use the security constraint mechanism to protect web content against unauthorized users. The vulnerability stems from the reference implementation (RI) using case-sensitive matches for security constraints while, in the Windows version, using a case-insensitive match when resolving requests for static content or JSPs. There is no known vulnerability allowing unauthorized access to servlets written in the Java programming language.
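The mismatch described above can be modelled in a few lines. The following is an added example, not code from Sun's J2EE SDK or its reference implementation: it uses a constructed deployment (one protected URL prefix and two static resources) and a stub that resolves file names case-insensitively, as a Windows file system does. `serve_flawed` applies the security constraint to the raw request path with a case-sensitive comparison and then resolves the file case-insensitively, so the two stages disagree on which resource is being protected; `serve_hardened` matches the constraint with the same case semantics the resource lookup uses, so authorization and resolution agree. The function and resource names are assumptions for illustration.

```python
"""Model of a security-constraint check whose case semantics differ from
the static-resource lookup (added example; not Sun's code)."""

# Constructed deployment descriptor: url-pattern prefix -> roles allowed.
CONSTRAINTS = {"/admin/": {"admin"}}

# Constructed web-application content, stored under its canonical names.
CANONICAL_RESOURCES = {"/admin/report.html", "/public/index.html"}


def resolve_case_insensitive(path):
    """Stub for a case-insensitive file system (Windows): returns the
    canonical resource name if any resource matches ignoring case."""
    for res in CANONICAL_RESOURCES:
        if res.lower() == path.lower():
            return res
    return None


def constraint_roles(path, case_sensitive=True):
    """Return the role set guarding `path`, or None if unconstrained.
    The flawed container matches prefixes case-sensitively; the hardened
    one folds case so the check agrees with the file-system lookup."""
    for prefix, roles in CONSTRAINTS.items():
        if case_sensitive:
            matched = path.startswith(prefix)
        else:
            matched = path.lower().startswith(prefix.lower())
        if matched:
            return roles
    return None


def _status(roles, user_roles, path):
    """Deny before touching the file system; otherwise resolve and serve."""
    if roles is not None and not (roles & user_roles):
        return "403"
    res = resolve_case_insensitive(path)
    return "200 " + res if res else "404"


def serve_flawed(path, user_roles):
    """Constraint matched case-sensitively, resource resolved
    case-insensitively: a request that differs only in case from the
    protected prefix is not recognised as constrained but still resolves."""
    return _status(constraint_roles(path, case_sensitive=True), user_roles, path)


def serve_hardened(path, user_roles):
    """Constraint matched with the same case-insensitive semantics the
    platform uses to resolve resources, so both stages agree."""
    return _status(constraint_roles(path, case_sensitive=False), user_roles, path)


def audit(paths, user_roles=frozenset()):
    """Defender's check: list request paths an unauthenticated client
    would be served by the flawed matcher but refused by the hardened one."""
    return [p for p in paths
            if serve_flawed(p, user_roles).startswith("200")
            and serve_hardened(p, user_roles) == "403"]


if __name__ == "__main__":
    for p in ("/admin/report.html", "/Admin/report.html", "/public/INDEX.html"):
        print(p, "flawed:", serve_flawed(p, set()), "hardened:", serve_hardened(p, set()))
```

A real container also handles exact and extension url-patterns, HTTP-method constraints and percent-decoding; the point the model isolates is that authorization must be applied with the same canonicalisation rules the resource lookup uses, or be applied to the resolved resource rather than the raw request string. The `audit` helper is the kind of check a deployer could run over the URL patterns in a descriptor to confirm the two stages agree.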

Since the J2EE SDK is a reference implementation of the J2EE platform specifications and was not designed or written for production use, we do not think that this issue affects your ability to use it to learn about J2EE technology and to prototype J2EE applications. We will be addressing this particular issue in a future release.

Oracle is reviewing the Sun product roadmap and will provide guidance to customers in accordance with Oracle's standard product communication policies. Any resulting features and timing of release of such features as determined by Oracle's review of roadmaps, are at the sole discretion of Oracle. All product roadmap information, whether communicated by Sun Microsystems or by Oracle, does not represent a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. It is intended for information purposes only, and may not be incorporated into any contract.