It is possible under certain circumstances to bypass the web security model
when running the J2EE SDK 1.2.1 on Windows platforms, unintentionally exposing
static content or JSPs to unauthorized users. This problem does not affect
users on Unix® based platforms.
This affects J2EE applications containing one or more web applications that
use the security constraint mechanism to protect web content against
unauthorized users. The vulnerability stems from the reference implementation
(RI) using case-sensitive matches for security constraints, but a
case-insensitive match for requests for either static content or JSPs in the
Windows version. There is no known vulnerability allowing unauthorized access
to servlets written in the Java programming language.
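The following is an added model of the mismatch described above, not code from the J2EE RI: constraints are matched case-sensitively against the raw request path while the file lookup is case-insensitive, and the hardening shown is to evaluate constraints against the canonical resolved name. The constraint table and document root are constructed sample data.

```python
# Constructed web.xml-style constraints: url-pattern -> roles allowed.
CONSTRAINTS = {"/admin/*": {"admin"}, "*.jsp": {"user"}}
# Constructed document root (canonical, case-sensitive names).
DOC_ROOT = {"/admin/secret.html", "/admin/report.jsp", "/public/index.html"}


def pattern_matches(pattern, path, ignore_case=False):
    """Servlet-spec style matching: exact, path prefix '/x/*', extension '*.ext'."""
    if ignore_case:
        pattern, path = pattern.lower(), path.lower()
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def required_roles(path, ignore_case=False):
    """Union of roles over every constraint the path matches; empty = public."""
    roles = set()
    for pattern, allowed in CONSTRAINTS.items():
        if pattern_matches(pattern, path, ignore_case):
            roles |= allowed
    return roles


def resolve_file(path, windows_fs):
    """Canonical file the request would be served from, or None if absent."""
    if path in DOC_ROOT:
        return path
    if windows_fs:  # case-insensitive filesystem: any casing hits the same file
        for name in DOC_ROOT:
            if name.lower() == path.lower():
                return name
    return None


def authorize(path, user_roles, windows_fs, match_on_canonical):
    """Return 'served:<file>', 'denied' or 'not_found'.

    match_on_canonical=False reproduces the advisory: constraints are checked
    against the raw request string. match_on_canonical=True is the fix:
    resolve first, then check constraints against the canonical name.
    """
    target = resolve_file(path, windows_fs)
    if target is None:
        return "not_found"
    roles = required_roles(target if match_on_canonical else path)
    if roles and not (roles & user_roles):
        return "denied"
    return "served:" + target
```

On a Unix host the differently cased request simply resolves to nothing, which is why the advisory limits the issue to Windows.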
Since the J2EE SDK is a reference implementation of the J2EE platform
specifications and so was not designed or written for production use, we do
not think that this issue affects your ability to use it to learn about J2EE
technology and to prototype J2EE applications using the J2EE SDK. We will be
addressing this particular issue in a future release.