cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aki Yoshida <elak...@gmail.com>
Subject Re: Checking of SOAP action in SoapActionInInterceptor: regression in proxy services
Date Thu, 14 Nov 2013 14:11:35 GMT
i think introducing an explicit option like "allowWrongAction" (or
something that sound better :-) to turn off this action equality-check
is better than using an empty string to automatically turn off the
check. Or we can define a special matchAny kind of action that can be
used in opinfo?

2013/11/13 Andrei Shakirin <ashakirin@talend.com>:
> Hi,
>
> I have a bit regression under 2.7.7 because of changes in SoapActionInInterceptor (https://fisheye6.atlassian.com/changelog/cxf?cs=1368559
)
>
> SoapActionInInterceptor requires that the SOAPAction exactly matches to the service operation.
> The problem is that there are some scenarios where the proxies using Provider<>
API process requests from different clients with any SOAPAction.
>
> If you don't see security issue in that, I would ignore the check if SoapOperationInfo
action has default SOAP action (configured as empty in SoapBindingConfiguration):
>
> Instead:
> SoapOperationInfo soi = boi.getExtensor(SoapOperationInfo.class);
>             if (soi == null || action.equals(soi.getAction())) {
>                 return;
>             }
>
> Will be:
>
> SoapOperationInfo soi = boi.getExtensor(SoapOperationInfo.class);
>             if ((soi == null) || StringUtils.isEmpty(soi.getAction()) || action.equals(soi.getAction()))
{
>                 return;
>             }
>
> WDYT?
>
> Regards,
> Andrei.
>

Mime
View raw message