geronimo-dev mailing list archives

Site index · List index

Message view	« Date » · « Thread »
Top	« Date » · « Thread »
From	Rick McGuire <rick...@gmail.com>
Subject	Re: svn commit: r953250 - in /geronimo/server/branches/2.1/repository/org/apache: axis2/ axis2/axis2-kernel/1.3-G20090406/ ws/ ws/commons/ ws/commons/axiom/ ws/commons/axiom/axiom-api/ ws/commons/axiom/axiom-api/1.2.5/
Date	Thu, 10 Jun 2010 14:09:46 GMT
On 6/10/2010 9:53 AM, Donald Woods wrote: > But we're going to instruct existing 2.1.x users to copy it over the > existing jars in the server repository, right? Or are we going to > instruct them to create an artifact-alias entry to map all usage to the > new one (which may not work in all cases....)? > Using artifact-alias has been sort of an assumption in all of the discussions I've seen. Giving two versions of a jar the same name seems like a recipe for disaster. Rick > > -Donald > > > On 6/10/10 9:10 AM, Rick McGuire wrote: > >> Ashish, >> >> I think there are a couple of changes that need to be made for this update: >> >> 1) Since we're likely going to be making the Axis2 jar available for >> download before we have the release complete, the timestamp in the jar >> name should be updated so the different versions can be easily >> distinguished. >> 2) The checked in axiom jar should also carry a timestamp modifier >> (e.g., axiom-api-1.2.5-20100610). >> >> Rick >> >> On 6/10/2010 4:45 AM, ashishjain@apache.org wrote: >> >>> Author: ashishjain >>> Date: Thu Jun 10 08:45:57 2010 >>> New Revision: 953250 >>> >>> URL: http://svn.apache.org/viewvc?rev=953250&view=rev >>> Log: >>> GERONIMO-5379 Fixes for geronimo custom AXIS2 for 2.1 branch >>> >>> Added: >>> >>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch >>> geronimo/server/branches/2.1/repository/org/apache/ws/ >>> >>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch >>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/ >>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/ >>> >>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/ >>> >>> >>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/ >>> >>> >>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar >>> (with props) >>> >>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt >>> (with props) >>> Modified: >>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT >>> >>> geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar >>> >>> >>> Modified: >>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT >>> URL: >>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT?rev=953250&r1=953249&r2=953250&view=diff >>> >>> ============================================================================== >>> >>> --- >>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT >>> (original) >>> +++ >>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT >>> Thu Jun 10 08:45:57 2010 >>> @@ -3,7 +3,7 @@ Private Build of Axis2 1.3 for Geronimo. >>> How to build Axis2 1.3-G20090406: >>> --------------------------------- >>> Checkout the Axis2 1.3 tag >>> - svn co >>> http://svn.apache.org/repos/asf/webservices/axis2/tags/java/v1.3/ >>> axis2-1.3 >>> + svn co >>> http://svn.apache.org/repos/asf/axis/axis2/java/core/tags/java/v1.3 >>> >>> >>> Apply the patches >>> @@ -14,6 +14,7 @@ Apply the patches >>> patch -p0 -i metadata.patch >>> patch -p0 -i jaxws.patch >>> patch -p0 -i kernel.patch >>> + patch -p0 -i builder.patch >>> >>> Build Axis2 1.3 >>> --------------- >>> @@ -32,6 +33,7 @@ Patch Information >>> metadata.patch - contains fixes for SEI with overloaded methods >>> jaxws.patch - contains fixes for AXIS2-3343 and RESTful invocations >>> kernel.patch - contains fixes for AXIS2-4279 >>> + builder.patch - contains fixes for AXIS2-4450 >>> >>> Copy patched jar files to appropriate locations >>> ----------------------------------------------- >>> >>> Modified: >>> geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar >>> >>> URL: >>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar?rev=953250&r1=953249&r2=953250&view=diff >>> >>> ============================================================================== >>> >>> Binary files - no diff available. >>> >>> Added: >>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch >>> URL: >>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch?rev=953250&view=auto >>> >>> ============================================================================== >>> >>> --- >>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch >>> (added) >>> +++ >>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch >>> Thu Jun 10 08:45:57 2010 >>> @@ -0,0 +1,132 @@ >>> +Index: modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java >>> +=================================================================== >>> +--- modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java >>> (revision 952555) >>> ++++ modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java >>> (working copy) >>> +@@ -192,9 +192,9 @@ >>> + public static StAXBuilder getPOXBuilder(InputStream inStream, >>> String charSetEnc) >>> + throws XMLStreamException { >>> + StAXBuilder builder; >>> +- XMLStreamReader xmlreader = >>> +- StAXUtils.createXMLStreamReader(inStream, charSetEnc); >>> +- builder = new StAXOMBuilder(xmlreader); >>> ++ XMLStreamReader xmlReader = >>> StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc); >>> ++ builder = new StAXOMBuilder(xmlReader); >>> ++ ((StAXOMBuilder) builder).setAllowDTDandPI(false); >>> + return builder; >>> + } >>> + >>> +@@ -374,7 +374,7 @@ >>> + PushbackInputStream pis = >>> getPushbackInputStream(attachments.getSOAPPartInputStream()); >>> + String actualCharSetEncoding = getCharSetEncoding(pis, >>> charSetEncoding); >>> + >>> +- streamReader = StAXUtils.createXMLStreamReader(pis, >>> actualCharSetEncoding); >>> ++ streamReader = >>> StAXUtils.createSecureXMLStreamReader(pis, actualCharSetEncoding); >>> + } catch (IOException e) { >>> + throw new XMLStreamException(e); >>> + } >>> +@@ -414,13 +414,16 @@ >>> + XOPAwareStAXOMBuilder stAXOMBuilder = new >>> XOPAwareStAXOMBuilder( >>> + streamReader, attachments); >>> + builder = stAXOMBuilder; >>> ++ ((XOPAwareStAXOMBuilder) >>> builder).setAllowDTDandPI(false); >>> + >>> + } else if (attachments.getAttachmentSpecType().equals( >>> + MTOMConstants.SWA_TYPE)) { >>> + builder = new StAXOMBuilder(streamReader); >>> ++ ((XOPAwareStAXOMBuilder) >>> builder).setAllowDTDandPI(false); >>> + } else if (attachments.getAttachmentSpecType().equals( >>> + MTOMConstants.SWA_TYPE_12)) { >>> + builder = new StAXOMBuilder(streamReader); >>> ++ ((XOPAwareStAXOMBuilder) >>> builder).setAllowDTDandPI(false); >>> + } >>> + } >>> + >>> +@@ -531,8 +534,8 @@ >>> + * @deprecated If some one really need this method, please shout. >>> + / >>> + public static StAXBuilder getBuilder(Reader in) throws >>> XMLStreamException { >>> +- XMLStreamReader xmlreader = >>> StAXUtils.createXMLStreamReader(in); >>> +- StAXBuilder builder = new StAXSOAPModelBuilder(xmlreader, >>> null); >>> ++ XMLStreamReader xmlReader = >>> StAXUtils.createSecureXMLStreamReader(in); >>> ++ StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader, >>> null); >>> + return builder; >>> + } >>> + >>> +@@ -544,8 +547,10 @@ >>> + @throws XMLStreamException >>> + / >>> + public static StAXBuilder getBuilder(InputStream inStream) >>> throws XMLStreamException { >>> +- XMLStreamReader xmlReader = >>> StAXUtils.createXMLStreamReader(inStream); >>> +- return new StAXOMBuilder(xmlReader); >>> ++ XMLStreamReader xmlReader = >>> StAXUtils.createSecureXMLStreamReader(inStream); >>> ++ StAXBuilder builder = new StAXOMBuilder(xmlReader); >>> ++ ((StAXOMBuilder) builder).setAllowDTDandPI(false); >>> ++ return builder; >>> + } >>> + >>> + /* >>> +@@ -558,7 +563,7 @@ >>> + / >>> + public static StAXBuilder getBuilder(InputStream inStream, >>> String charSetEnc) >>> + throws XMLStreamException { >>> +- XMLStreamReader xmlReader = >>> StAXUtils.createXMLStreamReader(inStream, charSetEnc); >>> ++ XMLStreamReader xmlReader = >>> StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc); >>> + try { >>> + StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader); >>> + return builder; >>> +@@ -580,7 +585,7 @@ >>> + @throws XMLStreamException >>> + / >>> + public static StAXBuilder getSOAPBuilder(InputStream inStream) >>> throws XMLStreamException { >>> +- XMLStreamReader xmlReader = >>> StAXUtils.createXMLStreamReader(inStream); >>> ++ XMLStreamReader xmlReader = >>> StAXUtils.createSecureXMLStreamReader(inStream); >>> + try { >>> + StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader); >>> + return builder; >>> +@@ -604,7 +609,7 @@ >>> + / >>> + public static StAXBuilder getSOAPBuilder(InputStream inStream, >>> String charSetEnc) >>> + throws XMLStreamException { >>> +- XMLStreamReader xmlReader = >>> StAXUtils.createXMLStreamReader(inStream, charSetEnc); >>> ++ XMLStreamReader xmlReader = >>> StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc); >>> + try { >>> + StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader); >>> + return builder; >>> +@@ -621,8 +626,9 @@ >>> + public static StAXBuilder getBuilder(SOAPFactory soapFactory, >>> InputStream in, String charSetEnc) >>> + throws XMLStreamException { >>> + StAXBuilder builder; >>> +- XMLStreamReader xmlreader = >>> StAXUtils.createXMLStreamReader(in, charSetEnc); >>> +- builder = new StAXOMBuilder(soapFactory, xmlreader); >>> ++ XMLStreamReader xmlReader = >>> StAXUtils.createSecureXMLStreamReader(in, charSetEnc); >>> ++ builder = new StAXOMBuilder(soapFactory, xmlReader); >>> ++ ((StAXOMBuilder) builder).setAllowDTDandPI(false); >>> + return builder; >>> + } >>> + >>> +Index: modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java >>> +=================================================================== >>> +--- modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java >>> (revision 952555) >>> ++++ modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java >>> (working copy) >>> +@@ -51,7 +51,7 @@ >>> + String actualCharSetEncoding = >>> BuilderUtil.getCharSetEncoding(pis, charSetEncoding); >>> + >>> + // Get the XMLStreamReader for this input stream >>> +- streamReader = StAXUtils.createXMLStreamReader(pis, >>> actualCharSetEncoding); >>> ++ streamReader= StAXUtils.createSecureXMLStreamReader(pis, >>> actualCharSetEncoding); >>> + StAXBuilder builder = new >>> MTOMStAXSOAPModelBuilder(streamReader, >>> + attachments); >>> + SOAPEnvelope envelope = (SOAPEnvelope) >>> builder.getDocumentElement(); >>> +Index: modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java >>> +=================================================================== >>> +--- modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java >>> (revision 952555) >>> ++++ modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java >>> (working copy) >>> +@@ -48,7 +48,7 @@ >>> + String actualCharSetEncoding = >>> BuilderUtil.getCharSetEncoding(pis, charSetEncoding); >>> + >>> + // Get the XMLStreamReader for this input stream >>> +- streamReader = StAXUtils.createXMLStreamReader(pis, >>> actualCharSetEncoding); >>> ++ streamReader = >>> StAXUtils.createSecureXMLStreamReader(pis, actualCharSetEncoding); >>> + >>> + StAXBuilder builder = new >>> StAXSOAPModelBuilder(streamReader); >>> + SOAPEnvelope envelope = (SOAPEnvelope) >>> builder.getDocumentElement(); >>> >>> Added: >>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch >>> URL: >>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch?rev=953250&view=auto >>> >>> ============================================================================== >>> >>> --- >>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch >>> (added) >>> +++ >>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch >>> Thu Jun 10 08:45:57 2010 >>> @@ -0,0 +1,267 @@ >>> +Index: >>> modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java >>> >>> +=================================================================== >>> +--- >>> modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java >>> (revision 949978) >>> ++++ >>> modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java >>> (working copy) >>> +@@ -52,6 +52,7 @@ >>> + private static final Log log = >>> LogFactory.getLog(StAXOMBuilder.class); >>> + private boolean doTrace = log.isDebugEnabled(); >>> + private static int nsCount = 0; >>> ++ boolean allowDTDandPI = true; >>> + >>> + /** >>> + * Constructor StAXOMBuilder. >>> +@@ -309,6 +310,9 @@ >>> + * @throws OMException >>> + / >>> + protected OMNode createDTD() throws OMException { >>> ++ if (!allowDTDandPI) { >>> ++ throw new OMException("Inbound message MUST NOT contain >>> a Document Type Declaration(DTD)"); >>> ++ } >>> + if (!parser.hasText()) >>> + return null; >>> + lastNode = omfactory.createOMDocType(document, >>> parser.getText()); >>> +@@ -322,6 +326,9 @@ >>> + @throws OMException >>> + / >>> + protected OMNode createPI() throws OMException { >>> ++ if (!allowDTDandPI) { >>> ++ throw new OMException("Inbound message MUST NOT contain >>> Processing Instructions(PI)"); >>> ++ } >>> + OMNode node; >>> + String target = parser.getPITarget(); >>> + String data = parser.getPIData(); >>> +@@ -337,6 +344,20 @@ >>> + return node; >>> + } >>> + >>> ++ >>> ++ /* >>> ++ * @return true if Document Type Definitions and Processing >>> Instructions are allowed >>> ++ / >>> ++ public boolean isAllowDTDandPI() { >>> ++ return allowDTDandPI; >>> ++ } >>> ++ >>> ++ /* >>> ++ * @param allowDTDandPI boolean >>> ++ / >>> ++ public void setAllowDTDandPI(boolean allowDTDandPI) { >>> ++ this.allowDTDandPI = allowDTDandPI; >>> ++ } >>> + protected void endElement() { >>> + if (lastNode.isComplete()) { >>> + OMNodeEx parent = (OMNodeEx) lastNode.getParent(); >>> +Index: >>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java >>> >>> +=================================================================== >>> +--- >>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java >>> (revision 0) >>> ++++ >>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java >>> (revision 0) >>> +@@ -0,0 +1,47 @@ >>> ++/ >>> ++ * Licensed to the Apache Software Foundation (ASF) under one >>> ++ * or more contributor license agreements. See the NOTICE file >>> ++ * distributed with this work for additional information >>> ++ * regarding copyright ownership. The ASF licenses this file >>> ++ * to you under the Apache License, Version 2.0 (the >>> ++ * "License"); you may not use this file except in compliance >>> ++ * with the License. You may obtain a copy of the License at >>> ++ * >>> ++ * http://www.apache.org/licenses/LICENSE-2.0 >>> ++ * >>> ++ * Unless required by applicable law or agreed to in writing, >>> ++ * software distributed under the License is distributed on an >>> ++ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY >>> ++ * KIND, either express or implied. See the License for the >>> ++ * specific language governing permissions and limitations >>> ++ * under the License. >>> ++ / >>> ++package org.apache.axiom.om.util; >>> ++ >>> ++import javax.xml.stream.XMLResolver; >>> ++import javax.xml.stream.XMLStreamException; >>> ++ >>> ++import org.apache.commons.logging.Log; >>> ++import org.apache.commons.logging.LogFactory; >>> ++ >>> ++/* >>> ++ * This XMLResolver is used whenever a secure XMLStreamReader >>> ++ * is needed. Basically it thows an exception if an attempt >>> ++ * is made to read an entity. >>> ++ / >>> ++public final class SecureXMLResolver implements XMLResolver { >>> ++ >>> ++ private static Log log = >>> LogFactory.getLog(SecureXMLResolver.class); >>> ++ public Object resolveEntity(String arg0, String arg1, String arg2, >>> ++ String arg3) throws XMLStreamException { >>> ++ // Note Scheu: >>> ++ // Do not expose the name of the entity that was attempted >>> to be >>> ++ // read as this will reveal secure information to the client. >>> ++ if (log.isDebugEnabled()) { >>> ++ log.debug("resolveEntity is disabled because this is a >>> secure XMLStreamReader(" + >>> ++ arg0 + ") (" + arg1 + ") (" + arg2 + ") (" + >>> arg3 + ")"); >>> ++ } >>> ++ throw new XMLStreamException("Reading external entities is >>> disabled"); >>> ++ } >>> ++ >>> ++} >>> +\ No newline at end of file >>> + >>> +Property changes on: >>> modules\axiom-api\src\main\java\org\apache\axiom\om\util\SecureXMLResolver.java >>> >>> +___________________________________________________________________ >>> +Name: svn:mime-type >>> + + text/plain >>> +Name: svn:keywords >>> + + Date Revision >>> +Name: svn:eol-style >>> + + native >>> + >>> +Index: >>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java >>> +=================================================================== >>> +--- >>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java >>> (revision 949978) >>> ++++ >>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java >>> (working copy) >>> +@@ -113,6 +113,39 @@ >>> + } >>> + }); >>> + >>> ++ private static final Pool secureXmlInputFactoryPool = >>> ++ new Pool(new ObjectCreator[] { new ObjectCreator() { >>> ++ public Object newObject() { >>> ++ return AccessController.doPrivileged(new PrivilegedAction() { >>> ++ public Object run() { >>> ++ // return >>> XMLInputFactory.newInstance("javax.xml.stream.XMLInputFactory", >>> StAXUtils.class.getClassLoader()); >>> ++ // TODO: Refactor this code when the FactoryFinder.class in >>> XLXP fixed and used instead of the Axis2-bundle version >>> ++ // Try to simulate the above to create XMLInputFactory using >>> the specific classloader >>> ++ // This it not quite the same since it will modify the >>> classloader for all classes >>> ++ Thread currentThread = Thread.currentThread(); >>> ++ ClassLoader savedClassLoader = >>> currentThread.getContextClassLoader(); >>> ++ XMLInputFactory factory = null; >>> ++ try { >>> ++ >>> currentThread.setContextClassLoader(StAXUtils.class.getClassLoader()); >>> ++ factory = XMLInputFactory.newInstance(); >>> ++ >>> ++ // The following setting disabled external entities...which >>> is a requirement >>> ++ // for network xml reading. >>> ++ setSecureProperties(factory); >>> ++ } finally { >>> ++ currentThread.setContextClassLoader(savedClassLoader); >>> ++ } >>> ++ return factory; >>> ++ } >>> ++ }); >>> ++ } >>> ++ }, new ObjectCreator() { >>> ++ public Object newObject() { >>> ++ return XMLInputFactory.newInstance(); >>> ++ } >>> ++ } }); >>> ++ >>> ++ >>> + private static final Pool xmlOutputFactoryPool = new Pool(new >>> ObjectCreator[] { >>> + new ObjectCreator() { >>> + public Object newObject() { >>> +@@ -144,6 +177,106 @@ >>> + } >>> + } >>> + }); >>> ++ >>> ++ /* >>> ++ * Gets an XMLInputFactory instance from pool. >>> ++ * >>> ++ * @return an XMLInputFactory instance. >>> ++ / >>> ++ private static XMLInputFactory getSecureXMLInputFactory() { >>> ++ return (XMLInputFactory) secureXmlInputFactoryPool.getInstance(); >>> ++ } >>> ++ >>> ++ /* >>> ++ * Returns an XMLInputFactory instance for reuse. >>> ++ * >>> ++ * @param factory An XMLInputFactory instance that is available >>> for reuse >>> ++ / >>> ++ private static void releaseSecureXMLInputFactory(XMLInputFactory >>> factory) { >>> ++ secureXmlInputFactoryPool.releaseInstance(factory); >>> ++ } >>> ++ >>> ++ /* >>> ++ * Create an XMLStreamReader that will be used to read a stream for >>> ++ * an incoming message. We need to use more restrictive "secure" >>> properties >>> ++ * to ensure against attacks. >>> ++ * @param in >>> ++ * @param encoding >>> ++ * @return >>> ++ * @throws XMLStreamException >>> ++ / >>> ++ public static XMLStreamReader >>> createSecureXMLStreamReader(InputStream in, String encoding) >>> ++ throws XMLStreamException { >>> ++ XMLInputFactory inputFactory = getSecureXMLInputFactory(); >>> ++ try { >>> ++ XMLStreamReader reader = inputFactory.createXMLStreamReader(in, >>> encoding); >>> ++ if (isDebugEnabled) { >>> ++ log.debug("XMLStreamReader is " + reader.getClass().getName()); >>> ++ } >>> ++ return reader; >>> ++ } finally { >>> ++ releaseSecureXMLInputFactory(inputFactory); >>> ++ } >>> ++ } >>> ++ >>> ++ /* >>> ++ * Create an XMLStreamReader that will be used to read a >>> stream for >>> ++ * an incoming message. We need to use more restrictive >>> "secure" properties >>> ++ * to ensure against attacks. >>> ++ * @param in >>> ++ * @return >>> ++ * @throws XMLStreamException >>> ++ / >>> ++ public static XMLStreamReader >>> createSecureXMLStreamReader(InputStream in) throws XMLStreamException { >>> ++ XMLInputFactory inputFactory = getSecureXMLInputFactory(); >>> ++ try { >>> ++ XMLStreamReader reader = >>> inputFactory.createXMLStreamReader(in); >>> ++ if (isDebugEnabled) { >>> ++ log.debug("XMLStreamReader is " + >>> reader.getClass().getName()); >>> ++ } >>> ++ return reader; >>> ++ } finally { >>> ++ releaseSecureXMLInputFactory(inputFactory); >>> ++ } >>> ++ } >>> ++ >>> ++ /* >>> ++ * Create an XMLStreamReader that will be used to read a >>> stream for >>> ++ * an incoming message. We need to use more restrictive >>> "secure" properties >>> ++ * to ensure against attacks. >>> ++ * >>> ++ * @param in >>> ++ * @return >>> ++ * @throws XMLStreamException >>> ++ */ >>> ++ public static XMLStreamReader >>> createSecureXMLStreamReader(Reader in) throws XMLStreamException { >>> ++ XMLInputFactory inputFactory = getXMLInputFactory(); >>> ++ try { >>> ++ XMLStreamReader reader = >>> inputFactory.createXMLStreamReader(in); >>> ++ if (isDebugEnabled) { >>> ++ log.debug("XMLStreamReader is " + >>> reader.getClass().getName()); >>> ++ } >>> ++ return reader; >>> ++ } finally { >>> ++ releaseSecureXMLInputFactory(inputFactory); >>> ++ } >>> ++ } >>> ++ >>> ++ private static void setSecureProperties(XMLInputFactory f) { >>> ++ // The goal is to prevent tampering of the message >>> ++ // by external entities or denial of service >>> ++ // replacing entities. >>> ++ // Setting the following properties ensures this goal >>> ++ >>> f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, >>> ++ Boolean.FALSE); >>> ++ >>> f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, >>> ++ Boolean.FALSE); >>> ++ f.setProperty(XMLInputFactory.SUPPORT_DTD, >>> ++ Boolean.FALSE); >>> ++ f.setXMLResolver(new SecureXMLResolver()); >>> ++ } >>> ++ >>> ++ >>> + >>> + >>> + private static Log log = LogFactory.getLog(StAXUtils.class); >>> >>> Added: >>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar >>> >>> URL: >>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar?rev=953250&view=auto >>> >>> ============================================================================== >>> >>> Binary file - no diff available. >>> >>> Propchange: >>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar >>> >>> ------------------------------------------------------------------------------ >>> >>> svn:mime-type = application/java-archive >>> >>> Added: geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt >>> URL: >>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt?rev=953250&view=auto >>> >>> ============================================================================== >>> >>> --- geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt >>> (added) >>> +++ geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt >>> Thu Jun 10 08:45:57 2010 >>> @@ -0,0 +1,30 @@ >>> +Private Build of Axiom 1.2.5 for Geronimo. >>> + >>> +How to build Axiom 1.2.5 >>> +--------------------------------- >>> + Checkout the Axiom 1.2.5 tag >>> + svn co >>> http://svn.apache.org/repos/asf/webservices/commons/tags/axiom/1_2_5 >>> + >>> + >>> +Apply the patch >>> +----------------- >>> + cd 1_2_5 >>> + patch -p0 -i axiom_api.patch >>> + >>> +Build Axiom 1.2.5 >>> +--------------- >>> + cd 1_2_5 >>> + mvn install >>> + >>> +Notes: >>> + - Use Sun 1.5.x and Maven 2.0.9 build. >>> + >>> + >>> +Patch Information >>> +----------------- >>> + axiom_api.patch - contains fixes for AXIS2-4450 >>> + >>> +Copy patched jar files to appropriate locations >>> +----------------------------------------------- >>> + cd 1_2_5 >>> + cp >>> modules/axiom-api/target/axiom-api-1.2.5.jar<geronimo-root>/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar >>> >>> \ No newline at end of file >>> >>> Propchange: >>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt >>> ------------------------------------------------------------------------------ >>> >>> svn:eol-style = native >>> >>> Propchange: >>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt >>> ------------------------------------------------------------------------------ >>> >>> svn:keywords = Date Revision >>> >>> Propchange: >>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt >>> ------------------------------------------------------------------------------ >>> >>> svn:mime-type = text/plain >>> >>> >>> >>> >>> >> >> >
Mime	Unnamed text/plain (inline, 7-Bit, 28044 bytes)
	View raw message