cxf-dev mailing list archives

From Andrei Shakirin <ashaki...@talend.com>
Subject RE: Checking of SOAP action in SoapActionInInterceptor: regression in proxy services
Date Thu, 14 Nov 2013 22:38:15 GMT
Hi Aki,

Sure, I can introduce the new option here.
However, the question is still valid: does it make sense to force ONLY an empty SOAPAction in
requests by default if the interface method has no action attribute in the @WebMethod annotation
(OperationInfo contains an empty action in the map)?
If the user doesn't care about the SOAP action in interfaces at all (it could be the case when using
the Provider<> API, for example), is it correct to prohibit all requests with non-empty
SOAP actions?
Currently it looks a bit strange in the case of a proxy implementing the Provider<> API:
even if the SOAP action has a reasonable value created by SoapUI (WSDL target namespace/operation
name), CXF responds with the error "The given SOAPAction XXX does not match an operation", because
OperationInfo has an empty action value that doesn't match the request SOAP action.
The same request works fine with CXF 2.5.x and 2.6.x ... I find that not intuitive.

WDYT?

Regards,
Andrei.

> -----Original Message-----
> From: Aki Yoshida [mailto:elakito@gmail.com]
> Sent: Thursday, 14 November 2013 15:12
> To: dev@cxf.apache.org
> Subject: Re: Checking of SOAP action in SoapActionInInterceptor: regression
> in proxy services
>
> I think introducing an explicit option like "allowWrongAction" (or something
> that sounds better :-) to turn off this action equality-check is better than using
> an empty string to automatically turn off the check. Or we can define a
> special matchAny kind of action that can be used in opinfo?
> 
> 2013/11/13 Andrei Shakirin <ashakirin@talend.com>:
> > Hi,
> >
> > I have a bit of a regression under 2.7.7 because of changes in
> > SoapActionInInterceptor
> > (https://fisheye6.atlassian.com/changelog/cxf?cs=1368559 )
> >
> > SoapActionInInterceptor requires that the SOAPAction exactly matches
> > the service operation.
> > The problem is that there are some scenarios where the proxies using the
> > Provider<> API process requests from different clients with any SOAPAction.
> >
> > If you don't see a security issue in that, I would ignore the check if
> > SoapOperationInfo action has the default SOAP action (configured as empty in
> > SoapBindingConfiguration):
> >
> > Instead:
> > SoapOperationInfo soi = boi.getExtensor(SoapOperationInfo.class);
> >             if (soi == null || action.equals(soi.getAction())) {
> >                 return;
> >             }
> >
> > Will be:
> >
> > SoapOperationInfo soi = boi.getExtensor(SoapOperationInfo.class);
> >             if ((soi == null) || StringUtils.isEmpty(soi.getAction()) ||
> >                     action.equals(soi.getAction())) {
> >                 return;
> >             }
> >
> > WDYT?
> >
> > Regards,
> > Andrei.
> >
