axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andreas Veithen <andreas.veit...@gmail.com>
Subject Re: Filtering MTOM attachments based on disposition file name and content type
Date Thu, 09 Jun 2011 18:30:05 GMT
There is indeed no API to get access to the Content-Disposition
header. There is a reason for this: MTOM actually defines an
equivalency between plain SOAP messages and MIME messages, but the
specification doesn't attach any meaning to the Content-Disposition
MIME header. That means that when constructing the equivalent plain
SOAP message for a given MTOM message, the values of the
Content-Disposition headers are lost. That has several implications:

* The sender is not required to add Content-Disposition headers, and
if it does, then the MTOM specs don't make any statement how they
should be set.
* The receiver is not expected to use the Content-Disposition headers
in any way.
* An intermediary (such as an ESB) may choose to remove the
Content-Disposition headers.

Note that this also means that the requirement to filter MIME parts of
an MTOM message based on Content-Disposition makes very little sense.
This wouldn't improve security in any way because an attacker can set
the Content-Disposition header to any value he wants, given that the
receiver is not expected to use that value.

Andreas

On Thu, Jun 9, 2011 at 17:15, Sridhar Dabbeeru
<sridhar.dabbeeru@gmail.com> wrote:
> Swapna,
> Sure, I can write the module but when you say axis api what exactly you
> are referring to? We are on Aixs 2 (1.4) version and
> our org.apache.axiom.attachments.Attachments version doesn't even look into
> the "Content-Disposition: attachment; name=", at least I don't see
> anywhere. Are you referring to any other API.
> ------=_Part_0_9514768.1307555652068
> Content-Type: application/octet-stream
> Content-Transfer-Encoding: binary
> Content-ID: <1038418065145>
> Content-Disposition: attachment; name="DSC07685.JPG"
> I have another question, if we intercept the attachment request in this
> module won't it already consume the stream that's been attached. I want this
> module just act like a filter and on bad request throw a fault back. Actual
> handling attachment should go through the actual service implementation.
> Thanks,
> Sridhar
>
> On Thu, Jun 9, 2011 at 1:48 AM, swapna soni <ssoni@nisum.com> wrote:
>>
>> Hi Sridhar,
>>
>>
>>
>>   You can create a custom module and engage it in your service or client
>> program. In this module u can get the attachment of you request /response
>> using axis2 api and you can get the file name as well.
>>
>>
>>
>> Thanks,
>>
>> Swapna Soni.
>>
>>
>>
>> From: Sridhar Dabbeeru [mailto:sridhar.dabbeeru@gmail.com]
>> Sent: Wednesday, June 08, 2011 11:14 PM
>> To: java-dev@axis.apache.org
>> Subject: Filtering MTOM attachments based on disposition file name and
>> content type
>>
>>
>>
>> Hi,
>> I have a requirement to apply a security filter on MTOM attachments based
>> on configured of content type and file name extension. For example file name
>> with ".mp3" shouldn't be allowed for uploading or
>> content image/png shouldn't be allowed.
>>
>> I see in my soap request Content-Disposition: attachment; name="xyz.tif"
>> but the file name is not being parsed in axis2. I was expecting the name in
>> my DataHandler but that turned out to be stream name. Datahandler does give
>> me handle for the correct content type. The only missing link is file name.
>>
>> I am wondering does axis2 parses disposition file name at all?
>>
>> Can any one  help me to resolve this.
>>
>>
>> Thanks,
>> Sridhar
>

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


Mime
View raw message