axis-java-dev mailing list archives

From "Amila Suriarachchi" <amilasuriarach...@gmail.com>
Subject Re: [Axis2] Dispatch order
Date Wed, 19 Dec 2007 07:11:06 GMT
On Dec 19, 2007 10:00 AM, Amila Suriarachchi <amilasuriarachchi@gmail.com>
wrote:

> hi all,
>
> 1. Here is a code segment found in the
> org.apache.axis2.engine.DispatchPhase
> checkPostConditions method.
>
> if (operation == null &&
>         JavaUtils.isTrue(service.getParameterValue(AxisService.SUPPORT_SINGLE_OP))) {
>     Iterator ops = service.getOperations();
>     // If there's exactly one, that's the one we want. If there's more, forget it.
>     if (ops.hasNext()) {
>         operation = (AxisOperation) ops.next();
>         if (ops.hasNext()) {
>             operation = null;
>         }
>     }
>     msgContext.setAxisOperation(operation);
> }
>
> What it is basically doing is dispatching the operation if the
> AxisService.SUPPORT_SINGLE_OP parameter is set and
> there is only one operation on it.
> Isn't this dispatcher supposed to run just after the service is dispatched,
> i.e. as the first dispatcher of the Transport phase?
>
> Think about the scenario where this operation is engaged with security. In this
> case it should be dispatched before the security.
>
> I think any dispatcher which it is possible to run before the security should
> run before it.


I found this security hole, and the only option to fix it was to add a handler
as the last phase to dispatch
to check whether the security is applied or not.
https://issues.apache.org/jira/browse/RAMPART-127

So we need to move this before security definitely.

>
>
> 2. RequestURIBasedDispatcher and SOAPActionBasedDispatcher are both in
> Transport and Dispatch phases.
> Is there any reason for this? Or is it obsolete code to keep this in
> the Dispatch phase?
>
> Shall I do the above changes?
>
> thanks,
> Amila.
>
>
>
>
> --
> Amila Suriarachchi,
> WSO2 Inc.




-- 
Amila Suriarachchi,
WSO2 Inc.
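
The ordering problem discussed in this thread, as an added example that is not part of the original message and is not Axis2 or Rampart code: a simplified handler-chain model showing why a security handler that runs before the single-operation dispatcher cannot enforce operation-level policy, and how either reordering or a final post-dispatch check closes the gap. All class, field and operation names here are hypothetical.

```java
import java.util.*;
import java.util.function.Consumer;

// Simplified model for illustration; none of these types are Axis2 or Rampart classes.
public class DispatchOrderDemo {
    static class Msg {
        String operation;          // null until some dispatcher resolves it
        boolean signed;            // constructed flag: message carried a valid signature
        boolean securityVerified;  // set only when the security handler enforced policy
    }

    static final Set<String> SECURED_OPS = Set.of("transfer"); // constructed policy

    // Security handler: can only enforce operation-level policy if the operation is known.
    static final Consumer<Msg> SECURITY = m -> {
        if (m.operation == null) return;            // nothing dispatched yet, no policy found
        if (SECURED_OPS.contains(m.operation)) {
            if (!m.signed) throw new SecurityException("unsigned call to " + m.operation);
            m.securityVerified = true;
        }
    };

    // Single-operation fallback: the service has exactly one operation, so pick it.
    static final Consumer<Msg> SINGLE_OP_DISPATCH = m -> {
        if (m.operation == null) m.operation = "transfer";
    };

    // Last handler of the dispatch phase: reject if policy applies but was never enforced.
    static final Consumer<Msg> POST_DISPATCH_CHECK = m -> {
        if (SECURED_OPS.contains(m.operation) && !m.securityVerified)
            throw new SecurityException("security not applied to " + m.operation);
    };

    static String run(List<Consumer<Msg>> chain) {
        Msg m = new Msg();                          // unsigned message, operation unknown
        try {
            chain.forEach(h -> h.accept(m));
            return "delivered to " + m.operation;
        } catch (SecurityException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Security before the fallback dispatcher: policy lookup sees no operation.
        System.out.println(run(List.of(SECURITY, SINGLE_OP_DISPATCH)));
        // Fallback dispatcher moved ahead of security, as proposed in the thread.
        System.out.println(run(List.of(SINGLE_OP_DISPATCH, SECURITY)));
        // Original order plus a final check that security was actually applied.
        System.out.println(run(List.of(SECURITY, SINGLE_OP_DISPATCH, POST_DISPATCH_CHECK)));
    }
}
```

Only the first chain lets the unsigned message reach the secured operation; the other two reject it, one at the security handler and one at the final check.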
