axis-java-dev mailing list archives

From "Shameera Rathnayaka (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AXIS2-5700) Fault Handler not reached when soap envelope contains empty namespace
Date Thu, 09 Jul 2015 18:43:04 GMT

    [ https://issues.apache.org/jira/browse/AXIS2-5700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14621047#comment-14621047 ]

Shameera Rathnayaka commented on AXIS2-5700:
--------------------------------------------

According to the SOAP spec, the Envelope should be under the "http://schemas.xmlsoap.org/soap/envelope/"
namespace identifier. Hence your sample SOAP envelope is wrong. See http://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383494


> Fault Handler not reached when soap envelope contains empty namespace
> ---------------------------------------------------------------------
>
>                 Key: AXIS2-5700
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5700
>             Project: Axis2
>          Issue Type: Bug
>          Components: kernel
>    Affects Versions: 1.6.2
>         Environment: Windows 7 Professional. Java 6+, Tomcat, JBoss.
>            Reporter: Randall Vasquez
>
> A customer has a requirement that our application be secure. One of the issues brought up was component names being leaked in error messages which may assist hackers by providing info they may use in future attacks.
> To resolve this issue we attempted to use a simple custom handler that checks for a fault and replaces the message with something more generic.
> The axis2.xml file was then modified to include the handler within the InFaultFlow and OutFaultFlows in the appropriate section as defined by the axis2.xml.
> However when a namespace is empty in the soap message or there is an issue in the envelope at the root element
>  
> example:
> <Envelope xmlns:soapenv="" 
> ...otherwise well constructed soap message
> </Envelope>
> the AxisServlet throws an AxisFault exception bypassing the handlers
> and leaking info
> example result:
>  <soapenv:Envelope 
> ...
> ><faultstring>com.ctc.wstx.exc.WstxUnexpectedCharException: Illegal character (NULL, unicode 0) encountered: not valid in any content
>  at [row,col {unknown-source}]: [1,313]</faultstring>
> ..
> </soapenv:Envelope>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org
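
The leak described in the report reaches the client whether or not the fault-flow handlers ran, so it can also be caught by inspecting the response itself, for example in a regression test. The following is an added example, not part of the original message and not Axis2 code; the function names, the generic message and the leak heuristics are assumptions, and the sample response is constructed around the faultstring quoted in the report.

```python
import re
import xml.etree.ElementTree as ET

SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"
GENERIC_MESSAGE = "The request could not be processed."  # assumed wording
ET.register_namespace("soapenv", SOAP11_NS)

# Heuristics (assumptions, tune per deployment) for implementation detail in fault text.
LEAK_PATTERNS = {
    "qualified class name": re.compile(r"\b(?:[a-z_][a-z0-9_]*\.){2,}[A-Z]\w*"),
    "exception type": re.compile(r"\b\w+(?:Exception|Error)\b"),
    "parser location": re.compile(r"\[row,col"),
    "stack frame": re.compile(r"^\s*at\s+[\w.$]+\(", re.M),
}

# Constructed sample: the faultstring is the one quoted in the report; the
# surrounding envelope and the faultcode are made up for this example.
SAMPLE_FAULT = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body><soapenv:Fault>
<faultcode>soapenv:Server</faultcode>
<faultstring>com.ctc.wstx.exc.WstxUnexpectedCharException: Illegal character (NULL, unicode 0) encountered: not valid in any content
 at [row,col {unknown-source}]: [1,313]</faultstring>
</soapenv:Fault></soapenv:Body></soapenv:Envelope>"""

def find_leaks(text):
    """Return the label of every leak heuristic that matches the text."""
    return [label for label, rx in LEAK_PATTERNS.items() if rx.search(text)]

def scrub_fault(response_xml):
    """Return (xml, findings); leaking faultstring/detail content is replaced."""
    root = ET.fromstring(response_xml)  # input is the service's own response
    findings = []
    for fault in root.iter(f"{{{SOAP11_NS}}}Fault"):
        faultstring = fault.find("faultstring")  # unqualified child in SOAP 1.1
        if faultstring is not None:
            hits = find_leaks(faultstring.text or "")
            if hits:
                findings += hits
                faultstring.text = GENERIC_MESSAGE
        detail = fault.find("detail")  # may carry a stack trace
        if detail is not None:
            hits = find_leaks("".join(detail.itertext()))
            if hits:
                findings += hits
                fault.remove(detail)
    return ET.tostring(root, encoding="unicode"), findings

if __name__ == "__main__":
    scrubbed, found = scrub_fault(SAMPLE_FAULT)
    print(found)
    print(scrubbed)
```

A non-empty findings list on any response means a fault left the service without passing through the sanitizing handler.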

