From: "Randall Vasquez (JIRA)"
To: java-dev@axis.apache.org
Date: Thu, 9 Jul 2015 19:42:04 +0000 (UTC)
Subject: [jira] [Commented] (AXIS2-5700) Fault Handler not reached when soap envelope contains empty namespace

[ https://issues.apache.org/jira/browse/AXIS2-5700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14621133#comment-14621133 ]

Randall Vasquez commented on AXIS2-5700:
----------------------------------------

Yes, you are correct. The envelope should be done according to spec under normal circumstances. However, in this case it is being done on purpose, and the expected result is that the fault should be processed through the defined fault handler. This is what I am actually reporting.
Instead of going through any handler defined in the InFaultFlow or the OutFaultFlow, which in our case would suppress the component/class name "com.ctc.wstx.exc.WstxUnexpectedCharException", a fault is being thrown that leaks this name out. We are trying to suppress any such leaked information which may provide information about the application/framework that may assist a hacker in a future attack.

> Fault Handler not reached when soap envelope contains empty namespace
> ---------------------------------------------------------------------
>
>                 Key: AXIS2-5700
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5700
>             Project: Axis2
>          Issue Type: Bug
>          Components: kernel
>    Affects Versions: 1.6.2
>         Environment: Windows 7 Professional. Java 6+, Tomcat, JBoss.
>            Reporter: Randall Vasquez
>
> A customer has a requirement that our application be secure. One of the issues brought up was component names being leaked in error messages, which may assist hackers by providing info they may use in future attacks.
> To resolve this issue we attempted to use a simple custom handler that checks for a fault and replaces the message with something more generic.
> The axis2.xml file was then modified to include the handler within the InFaultFlow and OutFaultFlow in the appropriate section as defined by the axis2.xml.
> However, when a namespace is empty in the soap message or there is an issue in the envelope at the root element
>
> example:
> ...otherwise well-constructed soap message
>
> the AxisServlet throws an AxisFault exception, bypassing the handlers
> and leaking info
> example result:
> ...
> >com.ctc.wstx.exc.WstxUnexpectedCharException: Illegal character (NULL, unicode 0) encountered: not valid in any content
> at [row,col {unknown-source}]: [1,313]
> ..
>
> --
> This message was sent by Atlassian JIRA
> (v6.3.4#6332)
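The kind of fault-scrubbing handler the report describes, written here as an added example; it is not code from the issue, from the reporter, or from Axis2 itself. It assumes Axis2 1.6 with the Axiom SOAP API, a hypothetical class name `GenericFaultHandler`, and registration in a phase of the InFaultFlow and OutFaultFlow in axis2.xml as the reporter did.

```java
package example; // hypothetical package name

import org.apache.axiom.soap.SOAPBody;
import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.axiom.soap.SOAPFault;
import org.apache.axiom.soap.SOAPFaultDetail;
import org.apache.axiom.soap.SOAPFaultReason;
import org.apache.axiom.soap.SOAPFaultText;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.engine.Handler.InvocationResponse;
import org.apache.axis2.handlers.AbstractHandler;

/**
 * Replaces the fault reason with fixed generic text and drops the fault
 * detail, so that implementation class names (for example the parser
 * exception name quoted in the report) do not reach the client.
 * Assumed to be registered in axis2.xml inside a phase of the InFaultFlow
 * and OutFaultFlow phase orders.
 */
public class GenericFaultHandler extends AbstractHandler {

    // Constructed generic wording; the exact text is a deployment choice.
    private static final String GENERIC_REASON = "The request could not be processed.";

    @Override
    public InvocationResponse invoke(MessageContext msgContext) throws AxisFault {
        SOAPEnvelope envelope = msgContext.getEnvelope();
        if (envelope == null) {
            return InvocationResponse.CONTINUE; // no envelope was built for this message
        }
        SOAPBody body = envelope.getBody();
        if (body == null || !body.hasFault()) {
            return InvocationResponse.CONTINUE; // not a fault, nothing to scrub
        }
        SOAPFault fault = body.getFault();

        // SOAP 1.2 keeps the text in Reason/Text children; SOAP 1.1 puts it
        // directly in faultstring. Overwrite whichever form is present.
        SOAPFaultReason reason = fault.getReason();
        if (reason != null) {
            SOAPFaultText text = reason.getFirstSOAPText();
            if (text != null) {
                text.setText(GENERIC_REASON);
            } else {
                reason.setText(GENERIC_REASON);
            }
        }

        // The detail block is where stack traces and class names usually appear.
        SOAPFaultDetail detail = fault.getDetail();
        if (detail != null) {
            detail.detach();
        }
        return InvocationResponse.CONTINUE;
    }
}
```

As the report itself shows, this only runs when the fault flow is actually invoked; a fault thrown by the AxisServlet while the envelope is still being parsed never reaches it.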