cxf-users mailing list archives

From Daniel Kulp <dk...@apache.org>
Subject Re: WS-Addressing example from CXF 3.0.0
Date Thu, 10 Jul 2014 19:12:26 GMT

On Jul 10, 2014, at 2:48 PM, Jose María Zaragoza <demablogia@gmail.com> wrote:

> 2014-07-10 15:21 GMT+02:00 Daniel Kulp <dkulp@apache.org>:
>>
>> In general, CXF routes requests based on the target URI/address, not the Action,
>> although there are some exceptions to that….
>>
>> In general, CXF only allows a single endpoint to be deployed on a specific address.
>> Through the MultipleEndpointObserver stuff, it’s possible to do it, but it’s not exactly
>> easy.
>>
>> So… where is the Action used? Under normal circumstances, the Action will be
>> looked at by various interceptors on the chain that may be looking for a specific Action.
>> For example, if WS-RM is configured, the RM interceptors will be looking for Actions that
>> pertain to RM (CreateSequence, etc…) at which point they will re-route the request into
>> the RM stuff. WS-SecureConversation is another example. Its interceptor will look for
>> Actions related to issue/renew/cancel tokens. WS-Mex is another. Basically, if it gets
>> through the chain without something “intercepting” the request, the request just goes
>> to the normal endpoint like a normal request and is handled via the contents of the soap body.
>> We likely SHOULD have a check in there to make sure the Action matches like we do check
>> to make sure the SOAPAction header (if specified) matches.
> 
> 
> Thanks Daniel. Good explanation.
> What kind of checking is applied to SOAPAction? SOAPAction == URI requested?

If there is a non-empty SOAPAction header, we do double check that the action that is specified
matches the action that is configured for the target operation that is determined from the
contents of the soap:Body.   There’s a series of spoofing attacks that this prevents by
making sure the entire processing of the message is consistently targeting the correct operation.

-- 
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
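
Added example (not from the thread and not CXF code): a small Python model of the consistency check Daniel describes. The operation is selected from the first child of soap:Body, and a non-empty SOAPAction header must then name the action configured for that operation; the same comparison is also applied to the WS-Addressing wsa:Action header, which is the check he says CXF should additionally have. The SOAP 1.1 and WS-Addressing 1.0 namespace URIs are the real ones; the service contract (OPERATION_ACTIONS), the urn:example:bank actions and the sample messages are constructed for the example.

```python
"""Model of the SOAPAction / wsa:Action vs. soap:Body consistency check
described in the reply above. Illustrative code, not CXF's implementation."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope
WSA_NS = "http://www.w3.org/2005/08/addressing"         # WS-Addressing 1.0

# Constructed service contract: body payload element -> configured action.
OPERATION_ACTIONS = {
    "getBalance": "urn:example:bank:getBalance",
    "transfer": "urn:example:bank:transfer",
}


class ActionMismatch(Exception):
    """A declared action does not match the operation selected from the body."""


def _local_name(tag):
    return tag.split("}", 1)[-1]


def select_operation(root):
    """Pick the target operation the way routing does: from the first child
    element of soap:Body, never from a header."""
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("no payload in soap:Body")
    op = _local_name(body[0].tag)
    if op not in OPERATION_ACTIONS:
        raise ValueError(f"unknown operation {op!r}")
    return op


def wsa_action(root):
    """Return the wsa:Action header value, or None when the header is absent."""
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        return None
    action = header.find(f"{{{WSA_NS}}}Action")
    if action is None or not action.text:
        return None
    return action.text.strip()


def dispatch(envelope_xml, soap_action=None):
    """Return the operation to invoke, or raise ActionMismatch.

    soap_action is the raw SOAPAction HTTP header value (usually quoted).
    An absent or empty SOAPAction is not checked; a present wsa:Action is
    always checked (the proposed extra check from the reply above).
    """
    root = ET.fromstring(envelope_xml)
    op = select_operation(root)
    expected = OPERATION_ACTIONS[op]

    if soap_action is not None:
        declared = soap_action.strip().strip('"')
        if declared and declared != expected:
            raise ActionMismatch(
                f"SOAPAction {declared!r} does not match operation {op!r} "
                f"(expected {expected!r})")

    declared_wsa = wsa_action(root)
    if declared_wsa is not None and declared_wsa != expected:
        raise ActionMismatch(
            f"wsa:Action {declared_wsa!r} does not match operation {op!r} "
            f"(expected {expected!r})")
    return op


def envelope(op, wsa=None):
    """Build a constructed request; wsa adds a WS-Addressing Action header."""
    header = ""
    if wsa is not None:
        header = (f'<soap:Header><wsa:Action xmlns:wsa="{WSA_NS}">'
                  f'{wsa}</wsa:Action></soap:Header>')
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}">{header}'
            f'<soap:Body><{op} xmlns="urn:example:bank"/></soap:Body>'
            f'</soap:Envelope>')


def spoofing_outcomes():
    """Run the check over four constructed requests and report each outcome."""
    results = {}
    # Header and body agree: dispatched normally.
    results["consistent"] = dispatch(envelope("transfer"),
                                     '"urn:example:bank:transfer"')
    # Empty SOAPAction: nothing to compare, the body alone decides.
    results["empty_header"] = dispatch(envelope("transfer"), '""')
    # Spoof: SOAPAction claims a harmless read while the body performs a transfer.
    try:
        dispatch(envelope("transfer"), '"urn:example:bank:getBalance"')
        results["spoofed_soapaction"] = "accepted"
    except ActionMismatch:
        results["spoofed_soapaction"] = "rejected"
    # Same trick carried in wsa:Action instead of the HTTP header.
    try:
        dispatch(envelope("transfer", wsa="urn:example:bank:getBalance"))
        results["spoofed_wsa_action"] = "accepted"
    except ActionMismatch:
        results["spoofed_wsa_action"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in spoofing_outcomes().items():
        print(f"{name}: {outcome}")
```

The point of the check is that every stage of processing (HTTP layer, addressing headers, body dispatch) must agree on the target operation; an interceptor that trusts the header-declared action while the body selects a different operation is exactly the inconsistency a spoofed request exploits.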

