Timestamp: 10/29/10 07:54:32
Author: jmoore
Comment:
Ola, sorry, the issue with the second omero.client is another problem you might run into (see the first comment of #2099). #911 says that a user can only call changePassword if the session that they got the IAdmin instance from was created using a real password and not joinSession(). Otherwise an attacker could:
- sniff a session uuid from the wire (which will eventually timeout)
- login with the session uuid
- call changePassword
- start creating new sessions with the new password
I realize that in the web scenario N-1 of the workers will have been authenticated with a session uuid, so if you receive a SecurityViolation you will need to re-authenticate, or create a temporary SSL-based omero.client with the real password.
There are currently no TestingScenarios dealing with passwords, so I added #3202.
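To make the #911 rule concrete, here is a constructed model (added here; it is not OMERO's own code and does not use the omero package) of a session server that tracks, per client handle, whether the handle was opened with the real password or by joining an existing session uuid. Only password-authenticated handles may change the password, and a helper shows the client-side pattern the comment recommends for web workers: on SecurityViolation, re-authenticate with the real password and retry. Names such as `SessionServer`, `Handle`, `create_session`, `join_session` and `change_password_with_reauth` are this example's own, chosen to mirror `createSession`, `joinSession` and `changePassword` in spirit; the user name and passwords are made-up sample values.

```python
import secrets
from dataclasses import dataclass


class SecurityViolation(Exception):
    """Stands in for omero.SecurityViolation in this constructed model."""


@dataclass(frozen=True)
class Handle:
    """One client connection, roughly what an omero.client holds after
    createSession()/joinSession(). The trust bit is NOT stored here: the
    server keeps it, so a client cannot promote itself."""
    id: str
    session_uuid: str
    user: str


class SessionServer:
    """Constructed model of the #911 rule (not OMERO's own implementation).

    A session is identified by its uuid and may be joined by any client that
    knows the uuid. Only a handle that was opened with the real password is
    allowed to call change_password."""

    def __init__(self, users):
        self._passwords = dict(users)   # user -> password (plaintext only because this is a toy)
        self._sessions = {}             # session uuid -> user
        self._pw_authenticated = {}     # handle id -> bool, tracked server-side

    def _handle(self, uuid, user, pw_auth):
        h = Handle(secrets.token_hex(8), uuid, user)
        self._pw_authenticated[h.id] = pw_auth
        return h

    def create_session(self, user, password):
        """Equivalent of logging in with a real password: proves the password."""
        if self._passwords.get(user) != password:
            raise SecurityViolation("bad credentials")
        uuid = secrets.token_hex(16)
        self._sessions[uuid] = user
        return self._handle(uuid, user, pw_auth=True)

    def join_session(self, uuid):
        """Equivalent of joinSession(uuid): knowing the uuid proves nothing
        about knowing the password, so the handle is not password-authenticated."""
        user = self._sessions.get(uuid)
        if user is None:
            raise SecurityViolation("unknown or expired session")
        return self._handle(uuid, user, pw_auth=False)

    def change_password(self, handle, new_password):
        if handle.session_uuid not in self._sessions:
            raise SecurityViolation("unknown or expired session")
        if not self._pw_authenticated.get(handle.id, False):
            raise SecurityViolation(
                "changePassword requires a session created with a real password")
        self._passwords[handle.user] = new_password

    def close_session(self, uuid):
        """Models session timeout/logout: joined handles die with the session."""
        self._sessions.pop(uuid, None)


def change_password_with_reauth(server, handle, real_password, new_password):
    """Client-side pattern from the comment: a worker holding a joined session
    retries with a fresh password-authenticated session when it receives a
    SecurityViolation. Returns the handle that performed the change."""
    try:
        server.change_password(handle, new_password)
        return handle
    except SecurityViolation:
        # In a real deployment this fresh login would go over SSL so the real
        # password is not exposed on the wire.
        fresh = server.create_session(handle.user, real_password)
        server.change_password(fresh, new_password)
        return fresh


if __name__ == "__main__":
    srv = SessionServer({"ola": "s3cret"})          # constructed sample user
    owner = srv.create_session("ola", "s3cret")
    worker = srv.join_session(owner.session_uuid)   # N-1 web workers look like this
    try:
        srv.change_password(worker, "leaked")
    except SecurityViolation as e:
        print("joined handle refused:", e)
    used = change_password_with_reauth(srv, worker, "s3cret", "newpass")
    print("password changed via fresh handle:", used.id != worker.id)
```

The `_pw_authenticated` table is keyed by handle, not by session uuid: two clients can share one session uuid while only the one that presented the password is trusted to change it, which is exactly the distinction #911 draws.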