Mailing-List: contact java-dev-help@axis.apache.org; run by ezmlm
Precedence: bulk
Reply-To: java-dev@axis.apache.org
Date: Sun, 28 Oct 2012 07:03:13 +0000 (UTC)
From: "Ladislav Lencucha (JIRA)" <jira@apache.org>
To: java-dev@axis.apache.org
Message-ID: <967173519.36229.1351407793317.JavaMail.jiratomcat@arcas>
In-Reply-To: <817835973.64287.1350574683809.JavaMail.jiratomcat@arcas>
Subject: [jira] [Commented] (AXIS2-5440) Tomcat using 100% CPU when
 application/json (JSONMessageFormatter) is used
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit


    [ https://issues.apache.org/jira/browse/AXIS2-5440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13485583#comment-13485583 ] 

Ladislav Lencucha commented on AXIS2-5440:
------------------------------------------

Hi,

ok. So what now?

1.  haven't tested with tcpmon, but in Chrome and Firefox debug console I clearly see:
Request URL:http://localhost:8080/SuiteConsoleServer/services/rest/getAgent?agent=0223938
Request Method:GET
2. I need to call the webservice from within web browser (as you can see using jquery), do I have an option to force GET when you say it is in fact OPTION? (note that I don't believe it is sending OPTION)
3. I don't have a problem with content type mapping - I was able to generate request header with the same cpu consuming result as above that contains:
Accept:application/json, text/javascript, */*; q=0.01
4. Yes, I am and always was able to generate the xml file, if the content type is e.g. application/xml. The only problem is with application/json where it hangs (and therefore I think it is not a problem of GET vs OPTION), because it is called within the same web browser with only different Accept header.

Anyway, I find it a very easy way for a potentiall attacker to deplete the cpu and do some kind of dos easier.

Br,
Ladislav
                
> Tomcat using 100% CPU when application/json (JSONMessageFormatter) is used
> --------------------------------------------------------------------------
>
>                 Key: AXIS2-5440
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5440
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.6.0, 1.6.2
>         Environment: Apache Tomcat/6.0.35	1.6.0_21-b07	Sun Microsystems Inc.	Windows 7	6.1	x86
>            Reporter: Ladislav Lencucha
>              Labels: JSON
>         Attachments: axis2.xml, ConsoleServer.aar, ws.zip
>
>
> I am trying to connect to my webservice using GET + JSON.
> I've added JSONMessageFormatter and JSONOMBuilder for "application/json" content type.
> When I try to call the webservice using jQuery and HTTP GET with content type "application/xml" I receive the response almost immediately (note that there is a jQuery error raised afterwards, because Xml cannot be parsed as JSON).
> When I try to call the webservice using the same code but with content type "application/json" there is no response and Tomcat uses 100% of CPU (there are also some messages in log file mentioning that it should have ended).
> See my aar file and jQuery example attached. Also see my axis2.xml configuration.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org