axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Amila Suriarachchi" <amilasuriarach...@gmail.com>
Subject Re: [Axis2][1.4.1] Nandana as Release Manager (Re: Security hole in Axis2 1.4 + Rampart 1.4)
Date Fri, 11 Jul 2008 09:19:27 GMT
On Wed, Jul 9, 2008 at 9:40 AM, Sanka Samaranayake <ssanka@gmail.com> wrote:

>
>
> On Mon, Jul 7, 2008 at 7:39 PM, Nandana Mihindukulasooriya <
> nandana.cse@gmail.com> wrote:
>
>> Hi Glen,
>>
>> - Let's aim to get 1.4.1 out the door at the end of next week, i.e. July
>>> 18th (is that enough time, Nandana?).
>>
>>
>> I  think we have to check Sanka's input on this. He will be fixing the
>> major issue in policy.
>>
>
>
> IMO, proper fix would be to improve Axis2 Dispatchers to set the
> AxisBindings in the MessageContext during the dispatch phase based on
> properties of incoming message even if client request came to the old format
> of service URL. For example for a message that came to older format of the
> service URL, the Dispatches can decide whether it belongs to the SOAP11 or
> SOAP12 or HTTP binding based on envelope namespace URI and content type .
> That way effective policy calculation will always happen based on the
> AxisBindings which will ensure the application of security irrespective of
> the format of service URL.
>

Seems to be good. What happens,
1. There is not SOAP 11Binding for a SOAP 11 message
2. There are two SOAP 11 Bindings for a SOAP 11 message.

I think in both cases we have to throw an exception.

thanks,
Amila.

>
>
> Thanks,
> Sanka
>
>
>
>
>
>>
>>
>>  - As always it's good to go through at least one RC so people can kick
>>> the tires, check the artifacts, etc.  So let's aim to get the RC out by
>>> Tuesday the 15th.
>>
>>
>> +1 for the RC.
>>
>> thanks,
>>  nandana
>>
>> Davanum Srinivas wrote:
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Exactly what i was afraid of :( Sigh! this is a *very* slippery slope.
>>>>
>>>> - -- dims
>>>>
>>>> Amila Suriarachchi wrote:
>>>> | On Mon, Jul 7, 2008 at 6:03 PM, Davanum Srinivas <davanum@gmail.com>
>>>> wrote:
>>>> |
>>>> |> Nandana,
>>>> |>
>>>> |> +1 from me for you to be the Release Manager for 1.4.1
>>>> |
>>>> |
>>>> | + 1 from me.
>>>> |
>>>> |>
>>>> |> IMHO, we should use 1.4 branch. The *ONLY* change should be the
>>>> |> security change. Nothing more.
>>>> |
>>>> | I think we need to fix any possible other critical issues as well.
>>>> | eg. https://issues.apache.org/jira/browse/AXIS2-3870
>>>> | This is a memory leak and we need to fix this.
>>>> |
>>>> | thanks,
>>>> | Amila.
>>>> |
>>>> |
>>>> |
>>>> |>
>>>> |> thanks,
>>>> |> dims
>>>> |>
>>>> |> On Mon, Jul 7, 2008 at 6:50 AM, Nandana Mihindukulasooriya
>>>> |> <nandana.cse@gmail.com> wrote:
>>>> |>> I would like to volunteer to be the release manager for Axis2
>>>> 1.4.1.
>>>> |>>
>>>> |>> I think we can fix the critical issues in the 1.4 branch (or a
1.4.1
>>>> |> branch
>>>> |>> ) and do the 1.4.1 release. I don't think doing 1.4.1 from the
trunk
>>>> is
>>>> |> the
>>>> |>> appropriate way as trunk is now java 1.5 and has lot of major
>>>> changes
>>>> |> after
>>>> |>> Axis2 1.4 . However we can fix any issues that are not already
fixed
>>>> in
>>>> |> the
>>>> |>> trunk at the same time when we fix those in the branch.
>>>> |>>
>>>> |>> Hope this is oky with Axis2 release guidelines.
>>>> |>>
>>>> |>> thanks,
>>>> |>> nandana
>>>> |>>
>>>> |>> On Tue, Jul 1, 2008 at 6:39 PM, Davanum Srinivas <davanum@gmail.com
>>>> >
>>>> |> wrote:
>>>> |>>> IMHO, The logic is the same as for blockers. If there is a
work
>>>> |>>> around, it's not a blocker. So i am +0 on a 1.4.1 since there
is a
>>>> |>>> work around that can be documented.
>>>> |>>>
>>>> |>>> That said, If someone is willing to drive a 1.4.1 as the release
>>>> |>>> manager, please do go ahead.
>>>> |>>>
>>>> |>>> thanks,
>>>> |>>> dims
>>>> |>>>
>>>> |>>> On Tue, Jul 1, 2008 at 2:48 AM, Sanka Samaranayake <
>>>> ssanka@gmail.com>
>>>> |>>> wrote:
>>>> |>>>> Hi,
>>>> |>>>>
>>>> |>>>> For the users who is already using 1.4 version, the workaround
>>>> would
>>>> |> be
>>>> |>>>> to
>>>> |>>>> define policies in services.xml without using
>>>> <wsa:PolicyAttachment>.
>>>> |>>>> Then
>>>> |>>>> the problem is that those policies will appear in <wsdl:PortType>
>>>> |> which
>>>> |>>>> is
>>>> |>>>> not correct but security will apply for both format of
service
>>>> URLs.
>>>> |>>>>
>>>> |>>>> Hence +1 for fixing that issue and do 1.4.1 release.
>>>> |>>>>
>>>> |>>>> Thanks,
>>>> |>>>> Sanka
>>>> |>>>>
>>>> |>>>>
>>>> |>>>> On Mon, Jun 30, 2008 at 8:59 PM, Nandana Mihindukulasooriya
>>>> |>>>> <nandana.cse@gmail.com> wrote:
>>>> |>>>>> Hi,
>>>> |>>>>>    There are few issues with Axis2 1.4 / Rampart 1.4
with the new
>>>> |>>>>> policy
>>>> |>>>>> configuration. The new policy configuration which allows
us to
>>>> apply
>>>> |>>>>> policies to binding hierarchy is a great feature when
in comes to
>>>> ws
>>>> |>>>>> security policy configuration. It allows security policies
to be
>>>> |>>>>> attached to
>>>> |>>>>> the correct attachment points. But there are few issues
that need
>>>> to
>>>> |> be
>>>> |>>>>> fixed in Axis2 1.4. I will list them below.
>>>> |>>>>>     1.) If we configure security using new configuration,
service
>>>> can
>>>> |>>>>> be
>>>> |>>>>> accessed without security.
>>>> |>>>>>          In Axis2 1.4, a service is exposed in two
EPRs (consider
>>>> |> SOAP
>>>> |>>>>> 1.1
>>>> |>>>>> binding).
>>>> |>>>>>            eg.
>>>> |>>>>>
>>>> |>>>>>
>>>> |>>>>>
>>>> |>
>>>> http://localhost:8080/axis2/services/SecureService.SecureServiceHttpSoap11Endpoint
>>>> |>>>>>
>>>> http://localhost:8080/axis2/services/SecureService
>>>> |>>>>>           But if we you set the policies using the
new
>>>> configuration,
>>>> |>>>>> if
>>>> |>>>>> you do a web service call to the older EPR, you can
access the
>>>> |> service
>>>> |>>>>> without any security even though it is secured using
the binding
>>>> |>>>>> hierarchy.
>>>> |>>>>> This happens because if we call the old EPR, it is
not dispatched
>>>> to
>>>> |> a
>>>> |>>>>> binding. But this leaves the service vulnerable. I
think we
>>>> should
>>>> |>>>>> dispatch
>>>> |>>>>> to one of the bindings may be using soap envelope version
if we
>>>> have
>>>> |>>>>> only
>>>> |>>>>> one binding with that soap version. We should have
a way to
>>>> dispatch
>>>> |>>>>> messages which comes to old EPR to one of the bindings
else we
>>>> should
>>>> |>>>>> have
>>>> |>>>>> an option to disable that EPR.
>>>> |>>>>>
>>>> |>>>>>     2.) In the out flow, policies are not set correctly
in the
>>>> |> binding
>>>> |>>>>> message.
>>>> |>>>>>           This is fixed in the trunk but this bug is
there in
>>>> Axis2
>>>> |>>>>> 1.4.
>>>> |>>>>>
>>>> |>>>>>    So the option we have is to configure security using
the old
>>>> |>>>>> configuration. But then the problem is policies are
attached to
>>>> the
>>>> |>>>>> port
>>>> |>>>>> type which is the correct way to do if we have policies
using
>>>> |>>>>> <service>,<operation><message> tags.
But this makes Axis2 not
>>>> |>>>>> interoperable
>>>> |>>>>> as security policies should be attached to binding
hierarchy
>>>> |> according
>>>> |>>>>> WS
>>>> |>>>>> Security policy specification. Ideally we should always
use the
>>>> new
>>>> |>>>>> configuration to apply security. And code generation
also doesn't
>>>> |> work
>>>> |>>>>> correctly when the policies attached to the port type
(polices
>>>> are
>>>> |> not
>>>> |>>>>> correctly attached to the stub).
>>>> |>>>>>
>>>> |>>>>>    So I think it would be great if can consider a Axis2
1.4.1
>>>> with
>>>> |>>>>> these
>>>> |>>>>> things fixed.
>>>> |>>>>>
>>>> |>>>>> thanks,
>>>> |>>>>> nandana
>>>> |>>>>
>>>> |>>>> --
>>>> |>>>> Sanka Samaranayake
>>>> |>>>> WSO2 Inc.
>>>> |>>>>
>>>> |>>>> http://sankas.blogspot.com/
>>>> |>>>> http://www.wso2.org/
>>>> |>>>
>>>> |>>>
>>>> |>>> --
>>>> |>>> Davanum Srinivas :: http://davanum.wordpress.com
>>>> |>>>
>>>> |>>>
>>>> ---------------------------------------------------------------------
>>>> |>>> To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
>>>> |>>> For additional commands, e-mail: axis-dev-help@ws.apache.org
>>>> |>>>
>>>> |>
>>>> |>
>>>> |> --
>>>> |> Davanum Srinivas :: http://davanum.wordpress.com
>>>> |>
>>>> |> ---------------------------------------------------------------------
>>>> |> To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
>>>> |> For additional commands, e-mail: axis-dev-help@ws.apache.org
>>>> |>
>>>> |>
>>>> |
>>>> |
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v1.4.6 (GNU/Linux)
>>>>
>>>> iD8DBQFIchYLgNg6eWEDv1kRAo7lAKDKyTiR50/aWOSuc9d7pVPHQPUoeACgkg+A
>>>> sQpm1+6vbyVf0CMQkT1aYXI=
>>>> =hpVj
>>>> -----END PGP SIGNATURE-----
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
>>>> For additional commands, e-mail: axis-dev-help@ws.apache.org
>>>>
>>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
>>> For additional commands, e-mail: axis-dev-help@ws.apache.org
>>>
>>>
>
>
> --
> Sanka Samaranayake
> WSO2 Inc.
>
> http://sankas.blogspot.com/
> http://www.wso2.org/
>



-- 
Amila Suriarachchi,
WSO2 Inc.

Mime
View raw message