axis-java-dev mailing list archives

From "keith chapman" <keithgchap...@gmail.com>
Subject Re: svn commit: r682470 - in /webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2: description/ transport/http/ transport/jms/ transport/nhttp/
Date Thu, 07 Aug 2008 08:34:32 GMT
Hi Dims,

I agree that it's not a security problem. But REST stuff via WSDL 2.0 would
not work without this fix. Which means that REST via WSDL 2.0 is broken in
Axis 2 1.4. We agreed that if there are critical fixes we would put them
into this release. And this IS a critical fix.

Thanks,
Keith.

On Thu, Aug 7, 2008 at 11:18 AM, Davanum Srinivas <davanum@gmail.com> wrote:

> Keith,
>
> Do you consider this in scope for a security problem oriented 1.4.1
> release?
>
> -- dims
>
> On Thu, Aug 7, 2008 at 12:56 AM, keith chapman <keithgchapman@gmail.com>
> wrote:
> > Here is the reason for adding the trailing "/"
> >
> > When a WSDL has a httpLocation that is resolved against the base URI, so
> > let's assume a bindingOperation has whttp:location="foo/{bar}" and that this is
> > exposed over 3 endpoints, SOAP 11 SOAP 12 and HTTP.
> > for the SOAP 11 endpoint  the address would be
> > http://localhost:8080/axis2/services/fooService.SOAP11Endpoint/
> > for the SOAP 11 endpoint  the address would be
> > http://localhost:8080/axis2/services/fooService.SOAP12Endpoint/
> > for the SOAP 11 endpoint  the address would be
> > http://localhost:8080/axis2/services/fooService.HTTPEndpoint/
> >
> > Now the above works perfectly only if the trailing "/" is there. If it's
> > absent when http://localhost:8080/axis2/services/fooService.SOAP11Endpoint/
> > is resolved against foo/{bar} the result would be
> > http://localhost:8080/axis2/services/foo/{bar} which is incorrect.
> >
> > So that is the reason for having the trailing "/"
> >
> > Now the second point. Why did I remove it ;).
> >
> > Previously the trailing "/" was added in the AxisEndpoint class where the
> > epr was calculated. This leads to undesirable issues when other transports
> > are used. For e.g when JMS was used the endpoint address was
> >
> > jms:/fooService?transport.jms.ConnectionFactoryJNDIName=QueueConnectionFactory&java.naming.factory.initial=org.apache.activemq.jndi.ActiveMQInitialContextFactory&java.naming.provider.url=tcp://localhost:61616/
> >
> > If the dynamic mode of service client was used to write a client for this it
> > would fail with a numberFormatException. All because of the trailing "/".
> >
> > The trailing "/" is needed only for the HTTP case. So it should be the duty
> > of the httpListeners to add this trailing "/". This was the rationale for
> > getting rid of this logic from the AxisEndpoint class and adding it to the
> > http listeners.
> >
> > Thanks,
> > Keith.
> >
> > On Wed, Aug 6, 2008 at 10:44 PM, Davanum Srinivas <davanum@gmail.com> wrote:
> >>
> >> Sorry! had to ask! and is this a security issue? Why is it even being
> >> considered?
> >>
> >> -- dims
> >>
> >> On Wed, Aug 6, 2008 at 1:06 PM, Saminda Abeyruwan <samindaa@gmail.com>
> >> wrote:
> >> > Is there any particular reason to add the trailing "/"?
> >> >
> >> > Saminda
> >> >
> >> > On Wed, Aug 6, 2008 at 8:35 AM, Amila Suriarachchi
> >> > <amilasuriarachchi@gmail.com> wrote:
> >> >>
> >> >> hi keith,
> >> >>
> >> >> is there any reason to remove the ending "/"?
> >> >> IMHO we should not remove this if there is no problem with that.
> >> >> Because someone may have written code by considering that "/"
> >> >>
> >> >> thanks,
> >> >> Amila.
> >> >>
> >> >> On Tue, Aug 5, 2008 at 12:49 AM, <keithc@apache.org> wrote:
> >> >>>
> >> >>> Author: keithc
> >> >>> Date: Mon Aug  4 12:19:15 2008
> >> >>> New Revision: 682470
> >> >>>
> >> >>> URL: http://svn.apache.org/viewvc?rev=682470&view=rev
> >> >>> Log:
> >> >>> Applying patch given by amila to Axis2-3961. Also getting rid of the
> >> >>> trailing / added in axisEndpoint and adding it in the http related
> >> >>> listeners
> >> >>>
> >> >>> Modified:
> >> >>>     webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/description/AxisEndpoint.java
> >> >>>     webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/http/AxisServlet.java
> >> >>>     webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/http/CustomListener.java
> >> >>>     webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/http/SimpleHTTPServer.java
> >> >>>     webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/jms/JMSListener.java
> >> >>>     webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/nhttp/HttpCoreNIOListener.java
> >> >>>
> >> >>> Modified:
> >> >>>
> >> >>>
> webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/description/AxisEndpoint.java
> >> >>> URL:
> >> >>>
> >> >>>
> http://svn.apache.org/viewvc/webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/description/AxisEndpoint.java?rev=682470&r1=682469&r2=682470&view=diff
> >> >>>
> >> >>>
> >> >>>
> ==============================================================================
> >> >>> ---
> >> >>>
> >> >>>
> webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/description/AxisEndpoint.java
> >> >>> (original)
> >> >>> +++
> >> >>>
> >> >>>
> webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/description/AxisEndpoint.java
> >> >>> Mon Aug  4 12:19:15 2008
> >> >>> @@ -194,7 +194,7 @@
> >> >>>
> >> >>>  .getEPRsForService(sDOTe, ip);
> >> >>>                                        // we consider only the
first
> >> >>> address return by the listener
> >> >>>                                        if (eprsForService != null
&&
> >> >>> eprsForService.length > 0) {
> >> >>> -                                               return
> >> >>> eprsForService[0].getAddress()  + "/";
> >> >>> +                                               return
> >> >>> eprsForService[0].getAddress();
> >> >>>                                        }
> >> >>>                                } catch (SocketException e) {
> >> >>>                                        logger.warn(e.getMessage(),
> e);
> >> >>>
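Review bot: Dropping the + "/" from the return eprsForService[0].getAddress() line changes the value this method hands to every existing caller, and nothing in the hunk records that. Add a comment at this return stating that the address is passed through exactly as the listener produced it and that any trailing "/" is now the listener's job, so a listener outside this commit that still depends on the old suffix is easy to spot.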
> >> >>> Modified:
> >> >>>
> >> >>>
> webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/http/AxisServlet.java
> >> >>> URL:
> >> >>>
> >> >>>
> http://svn.apache.org/viewvc/webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/http/AxisServlet.java?rev=682470&r1=682469&r2=682470&view=diff
> >> >>>
> >> >>>
> >> >>>
> ==============================================================================
> >> >>> ---
> >> >>>
> >> >>>
> webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/http/AxisServlet.java
> >> >>> (original)
> >> >>> +++
> >> >>>
> >> >>>
> webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/http/AxisServlet.java
> >> >>> Mon Aug  4 12:19:15 2008
> >> >>> @@ -590,7 +590,7 @@
> >> >>>             endpointRefernce = endpointRefernce + '/' +
> >> >>>                     configContext.getServiceContextPath() + "/"
+
> >> >>> serviceName;
> >> >>>         }
> >> >>> -        EndpointReference endpoint = new
> >> >>> EndpointReference(endpointRefernce);
> >> >>> +        EndpointReference endpoint = new
> >> >>> EndpointReference(endpointRefernce + "/");
> >> >>>
> >> >>>         return new EndpointReference[]{endpoint};
> >> >>>     }
> >> >>>
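Review bot: The "/" appended inside new EndpointReference(endpointRefernce + "/") carries no comment saying why it is there, so it reads like a stray character that a later cleanup could remove. Add a short comment next to it explaining that HTTP endpoint addresses need the trailing slash so that a relative httpLocation resolves underneath the endpoint rather than replacing its last path segment.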
> >> >>> Modified:
> >> >>>
> >> >>>
> webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/http/CustomListener.java
> >> >>> URL:
> >> >>>
> >> >>>
> http://svn.apache.org/viewvc/webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/http/CustomListener.java?rev=682470&r1=682469&r2=682470&view=diff
> >> >>>
> >> >>>
> >> >>>
> ==============================================================================
> >> >>> ---
> >> >>>
> >> >>>
> webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/http/CustomListener.java
> >> >>> (original)
> >> >>> +++
> >> >>>
> >> >>>
> webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/http/CustomListener.java
> >> >>> Mon Aug  4 12:19:15 2008
> >> >>> @@ -71,7 +71,7 @@
> >> >>>         if(path.charAt(0)!='/'){
> >> >>>             path = '/' + path;
> >> >>>         }
> >> >>> -        return new EndpointReference[]{new EndpointReference(schema
> +
> >> >>> "://" + ip + ":" + port + path )};
> >> >>> +        return new EndpointReference[]{new EndpointReference(schema
> +
> >> >>> "://" + ip + ":" + port + path + "/" )};
> >> >>>     }
> >> >>>
> >> >>>     public EndpointReference getEPRForService(String serviceName,
> >> >>> String
> >> >>> ip) throws AxisFault {
> >> >>>
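Review bot: path + "/" in the new return is appended unconditionally, while the check just above it only normalises the leading slash (path.charAt(0)!='/'), so a path that already ends in "/" now produces an address ending in "//". Guard the append with path.endsWith("/"). The getEPRForService method that follows in the context lines is not touched by this hunk; confirm it returns the same form.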
> >> >>> Modified:
> >> >>>
> >> >>>
> webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/http/SimpleHTTPServer.java
> >> >>> URL:
> >> >>>
> >> >>>
> http://svn.apache.org/viewvc/webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/http/SimpleHTTPServer.java?rev=682470&r1=682469&r2=682470&view=diff
> >> >>>
> >> >>>
> >> >>>
> ==============================================================================
> >> >>> ---
> >> >>>
> >> >>>
> webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/http/SimpleHTTPServer.java
> >> >>> (original)
> >> >>> +++
> >> >>>
> >> >>>
> webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/http/SimpleHTTPServer.java
> >> >>> Mon Aug  4 12:19:15 2008
> >> >>> @@ -262,7 +262,7 @@
> >> >>>                     endpointRefernce = endpointRefernce + '/' +
> >> >>>
> >> >>> configurationContext.getServiceContextPath()
> >> >>> + "/" + serviceName;
> >> >>>                 }
> >> >>> -                return new EndpointReference[]{new
> >> >>> EndpointReference(endpointRefernce)};
> >> >>> +                return new EndpointReference[]{new
> >> >>> EndpointReference(endpointRefernce + "/")};
> >> >>>             } else {
> >> >>>                 throw new AxisFault("Unable to generate EPR for
the
> >> >>> transport : http");
> >> >>>             }
> >> >>> @@ -296,7 +296,7 @@
> >> >>>             }
> >> >>>
> >> >>>
> >> >>> -            return new EndpointReference[]{new
> >> >>> EndpointReference(endpointRefernce)};
> >> >>> +            return new EndpointReference[]{new
> >> >>> EndpointReference(endpointRefernce + "/")};
> >> >>>         } else {
> >> >>>             throw new AxisFault("Unable to generate EPR for the
> >> >>> transport
> >> >>> : http");
> >> >>>         }
> >> >>>
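Review bot: The same new EndpointReference(endpointRefernce + "/") expression is now written in both return statements of this file (this hunk and the one at -262), so the two can drift apart on the next edit. Build the EndpointReference[] in one small private helper and call it from both places.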
> >> >>> Modified:
> >> >>>
> >> >>>
> webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/jms/JMSListener.java
> >> >>> URL:
> >> >>>
> >> >>>
> http://svn.apache.org/viewvc/webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/jms/JMSListener.java?rev=682470&r1=682469&r2=682470&view=diff
> >> >>>
> >> >>>
> >> >>>
> ==============================================================================
> >> >>> ---
> >> >>>
> >> >>>
> webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/jms/JMSListener.java
> >> >>> (original)
> >> >>> +++
> >> >>>
> >> >>>
> webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/jms/JMSListener.java
> >> >>> Mon Aug  4 12:19:15 2008
> >> >>> @@ -350,8 +350,15 @@
> >> >>>         if (serviceName.indexOf('/') != -1) {
> >> >>>             serviceName = serviceName.substring(0,
> >> >>> serviceName.indexOf('/'));
> >> >>>         }
> >> >>> -        return new EndpointReference[]{
> >> >>> -                new EndpointReference((String)
> >> >>> serviceNameToEprMap.get(serviceName))};
> >> >>> +
> >> >>> +        String endpointName = (String)
> >> >>> serviceNameToEprMap.get(serviceName);
> >> >>> +        if (endpointName == null){
> >> >>> +            if (serviceName.indexOf(".") != -1){
> >> >>> +                serviceName = serviceName.substring(0,
> >> >>> serviceName.indexOf("."));
> >> >>> +                endpointName = (String)
> >> >>> serviceNameToEprMap.get(serviceName);
> >> >>> +            }
> >> >>> +        }
> >> >>> +        return new EndpointReference[]{new
> >> >>> EndpointReference(endpointName)};
> >> >>>     }
> >> >>>
> >> >>>     /**
> >> >>>
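Review bot: endpointName can still be null when new EndpointReference(endpointName) runs at the end of this hunk, because the fallback only fires if serviceName contains "." and the second serviceNameToEprMap.get(serviceName) may miss as well. Fail explicitly when no mapping is found instead of returning an EPR with a null address. Separately, substring(0, serviceName.indexOf(".")) cuts at the first dot, which picks the wrong key for a service whose own name contains a dot; lastIndexOf(".") matches the service.endpoint form more closely.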
> >> >>> Modified:
> >> >>>
> >> >>>
> webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/nhttp/HttpCoreNIOListener.java
> >> >>> URL:
> >> >>>
> >> >>>
> http://svn.apache.org/viewvc/webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/nhttp/HttpCoreNIOListener.java?rev=682470&r1=682469&r2=682470&view=diff
> >> >>>
> >> >>>
> >> >>>
> ==============================================================================
> >> >>> ---
> >> >>>
> >> >>>
> webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/nhttp/HttpCoreNIOListener.java
> >> >>> (original)
> >> >>> +++
> >> >>>
> >> >>>
> webservices/axis2/branches/java/1_4/modules/kernel/src/org/apache/axis2/transport/nhttp/HttpCoreNIOListener.java
> >> >>> Mon Aug  4 12:19:15 2008
> >> >>> @@ -222,7 +222,7 @@
> >> >>>      * Return the EPR for the given service (implements deprecated
> >> >>> method
> >> >>> temporarily)
> >> >>>      */
> >> >>>     public EndpointReference getEPRForService(String serviceName,
> >> >>> String
> >> >>> ip) throws AxisFault {
> >> >>> -        return new EndpointReference(serviceEPRPrefix +
> serviceName);
> >> >>> +        return new EndpointReference(serviceEPRPrefix + serviceName
> +
> >> >>> "/");
> >> >>>     }
> >> >>>
> >> >>>     /**
> >> >>> @@ -234,7 +234,7 @@
> >> >>>      */
> >> >>>     public EndpointReference[] getEPRsForService(String serviceName,
> >> >>> String ip) throws AxisFault {
> >> >>>         EndpointReference[] endpointReferences = new
> >> >>> EndpointReference[1];
> >> >>> -        endpointReferences[0] = new
> >> >>> EndpointReference(serviceEPRPrefix +
> >> >>> serviceName);
> >> >>> +        endpointReferences[0] = new
> >> >>> EndpointReference(serviceEPRPrefix +
> >> >>> serviceName + "/");
> >> >>>         return endpointReferences;
> >> >>>     }
> >> >>>
> >> >>>
> >> >>>
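Review bot: serviceEPRPrefix + serviceName + "/" is now repeated in getEPRForService (hunk at -222) and in getEPRsForService here, and the comment on getEPRForService already calls it a deprecated method kept temporarily. Have it return getEPRsForService(serviceName, ip)[0] so the trailing-slash rule lives in one place.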
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Amila Suriarachchi,
> >> >> WSO2 Inc.
> >> >
> >> >
> >>
> >>
> >>
> >> --
> >> Davanum Srinivas :: http://davanum.wordpress.com
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
> >> For additional commands, e-mail: axis-dev-help@ws.apache.org
> >>
> >
> >
> >
> > --
> > Keith Chapman
> > Senior Software Engineer
> > WSO2 Inc.
> > Oxygenating the Web Service Platform.
> > http://wso2.org/
> >
> > blog: http://www.keith-chapman.org
> >
>
>
>
> --
> Davanum Srinivas :: http://davanum.wordpress.com


-- 
Keith Chapman
Senior Software Engineer
WSO2 Inc.
Oxygenating the Web Service Platform.
http://wso2.org/

blog: http://www.keith-chapman.org
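
The resolution behaviour described in the quoted explanation above, and the reason the slash belongs only on HTTP addresses, as an added Java example (not code from Axis2 or from the commit under discussion). Assumptions: `httpBase` is a hypothetical helper, `foo/42` is a constructed expansion of `foo/{bar}` (braces are not legal in `java.net.URI`), and parsing the port is only an illustration of how a trailing "/" on the JMS address can surface as a NumberFormatException; the Axis2 code path that threw is not shown in the thread.

```java
import java.net.URI;

public class TrailingSlashDemo {

    // Standard relative-reference resolution, as applied to a WSDL 2.0 httpLocation.
    static String resolve(String base, String location) {
        return URI.create(base).resolve(location).toString();
    }

    // Hypothetical helper: append "/" only to HTTP(S) addresses that lack one.
    static String httpBase(String address) {
        String lower = address.toLowerCase();
        boolean http = lower.startsWith("http://") || lower.startsWith("https://");
        return (http && !address.endsWith("/")) ? address + "/" : address;
    }

    public static void main(String[] args) {
        // Constructed value: the template foo/{bar} with bar=42 substituted.
        String location = "foo/42";
        String epr = "http://localhost:8080/axis2/services/fooService.HTTPEndpoint";

        // No trailing slash: the last path segment of the base is treated as a
        // leaf and replaced, so the endpoint name disappears from the result.
        System.out.println("without slash: " + resolve(epr, location));

        // Trailing slash: the location is resolved underneath the endpoint.
        System.out.println("with slash:    " + resolve(httpBase(epr), location));

        // JMS address from the thread, before any "/" is appended.
        String jms = "jms:/fooService?transport.jms.ConnectionFactoryJNDIName=QueueConnectionFactory"
                + "&java.naming.factory.initial=org.apache.activemq.jndi.ActiveMQInitialContextFactory"
                + "&java.naming.provider.url=tcp://localhost:61616";

        // Appending "/" to a non-hierarchical address lands inside the last
        // query parameter, here the provider URL's port.
        String broken = jms + "/";
        String port = broken.substring(broken.lastIndexOf(':') + 1);
        try {
            Integer.parseInt(port);
        } catch (NumberFormatException e) {
            System.out.println("port no longer numeric: \"" + port + "\"");
        }

        // The scheme-aware helper leaves the JMS address untouched.
        System.out.println("jms unchanged: " + httpBase(jms).equals(jms));
    }
}
```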
