On 6/10/2010 9:53 AM, Donald Woods wrote:
> But we're going to instruct existing 2.1.x users to copy it over the
> existing jars in the server repository, right? Or are we going to
> instruct them to create an artifact-alias entry to map all usage to the
> new one (which may not work in all cases....)?
>
Using artifact-alias has been sort of an assumption in all of the
discussions I've seen. Giving two versions of a jar the same name seems
like a recipe for disaster.
Rick
>
> -Donald
>
>
> On 6/10/10 9:10 AM, Rick McGuire wrote:
>
>> Ashish,
>>
>> I think there are a couple of changes that need to be made for this update:
>>
>> 1) Since we're likely going to be making the Axis2 jar available for
>> download before we have the release complete, the timestamp in the jar
>> name should be updated so the different versions can be easily
>> distinguished.
>> 2) The checked in axiom jar should also carry a timestamp modifier
>> (e.g., axiom-api-1.2.5-20100610).
>>
>> Rick
>>
>> On 6/10/2010 4:45 AM, ashishjain@apache.org wrote:
>>
>>> Author: ashishjain
>>> Date: Thu Jun 10 08:45:57 2010
>>> New Revision: 953250
>>>
>>> URL: http://svn.apache.org/viewvc?rev=953250&view=rev
>>> Log:
>>> GERONIMO-5379 Fixes for geronimo custom AXIS2 for 2.1 branch
>>>
>>> Added:
>>>
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>>> geronimo/server/branches/2.1/repository/org/apache/ws/
>>>
>>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/
>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/
>>>
>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/
>>>
>>>
>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/
>>>
>>>
>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>> (with props)
>>>
>>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>> (with props)
>>> Modified:
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>>
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar
>>>
>>>
>>> Modified:
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>> URL:
>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT?rev=953250&r1=953249&r2=953250&view=diff
>>>
>>> ==============================================================================
>>>
>>> ---
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>> (original)
>>> +++
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>> Thu Jun 10 08:45:57 2010
>>> @@ -3,7 +3,7 @@ Private Build of Axis2 1.3 for Geronimo.
>>> How to build Axis2 1.3-G20090406:
>>> ---------------------------------
>>> Checkout the Axis2 1.3 tag
>>> - svn co
>>> http://svn.apache.org/repos/asf/webservices/axis2/tags/java/v1.3/
>>> axis2-1.3
>>> + svn co
>>> http://svn.apache.org/repos/asf/axis/axis2/java/core/tags/java/v1.3
>>>
>>>
>>> Apply the patches
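Review bot: The replacement `svn co` line drops the `axis2-1.3` target directory that the removed command had, so the checkout will land in a directory named after the last URL component (`v1.3`) instead. If the later steps of this README assume `axis2-1.3`, either keep the explicit target directory on the new command or update those steps to match.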
>>> @@ -14,6 +14,7 @@ Apply the patches
>>> patch -p0 -i metadata.patch
>>> patch -p0 -i jaxws.patch
>>> patch -p0 -i kernel.patch
>>> + patch -p0 -i builder.patch
>>>
>>> Build Axis2 1.3
>>> ---------------
>>> @@ -32,6 +33,7 @@ Patch Information
>>> metadata.patch - contains fixes for SEI with overloaded methods
>>> jaxws.patch - contains fixes for AXIS2-3343 and RESTful invocations
>>> kernel.patch - contains fixes for AXIS2-4279
>>> + builder.patch - contains fixes for AXIS2-4450
>>>
>>> Copy patched jar files to appropriate locations
>>> -----------------------------------------------
>>>
>>> Modified:
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar
>>>
>>> URL:
>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar?rev=953250&r1=953249&r2=953250&view=diff
>>>
>>> ==============================================================================
>>>
>>> Binary files - no diff available.
>>>
>>> Added:
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>>> URL:
>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch?rev=953250&view=auto
>>>
>>> ==============================================================================
>>>
>>> ---
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>>> (added)
>>> +++
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>>> Thu Jun 10 08:45:57 2010
>>> @@ -0,0 +1,132 @@
>>> +Index: modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
>>> +===================================================================
>>> +--- modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
>>> (revision 952555)
>>> ++++ modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
>>> (working copy)
>>> +@@ -192,9 +192,9 @@
>>> + public static StAXBuilder getPOXBuilder(InputStream inStream,
>>> String charSetEnc)
>>> + throws XMLStreamException {
>>> + StAXBuilder builder;
>>> +- XMLStreamReader xmlreader =
>>> +- StAXUtils.createXMLStreamReader(inStream, charSetEnc);
>>> +- builder = new StAXOMBuilder(xmlreader);
>>> ++ XMLStreamReader xmlReader =
>>> StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
>>> ++ builder = new StAXOMBuilder(xmlReader);
>>> ++ ((StAXOMBuilder) builder).setAllowDTDandPI(false);
>>> + return builder;
>>> + }
>>> +
>>> +@@ -374,7 +374,7 @@
>>> + PushbackInputStream pis =
>>> getPushbackInputStream(attachments.getSOAPPartInputStream());
>>> + String actualCharSetEncoding = getCharSetEncoding(pis,
>>> charSetEncoding);
>>> +
>>> +- streamReader = StAXUtils.createXMLStreamReader(pis,
>>> actualCharSetEncoding);
>>> ++ streamReader =
>>> StAXUtils.createSecureXMLStreamReader(pis, actualCharSetEncoding);
>>> + } catch (IOException e) {
>>> + throw new XMLStreamException(e);
>>> + }
>>> +@@ -414,13 +414,16 @@
>>> + XOPAwareStAXOMBuilder stAXOMBuilder = new
>>> XOPAwareStAXOMBuilder(
>>> + streamReader, attachments);
>>> + builder = stAXOMBuilder;
>>> ++ ((XOPAwareStAXOMBuilder)
>>> builder).setAllowDTDandPI(false);
>>> +
>>> + } else if (attachments.getAttachmentSpecType().equals(
>>> + MTOMConstants.SWA_TYPE)) {
>>> + builder = new StAXOMBuilder(streamReader);
>>> ++ ((XOPAwareStAXOMBuilder)
>>> builder).setAllowDTDandPI(false);
>>> + } else if (attachments.getAttachmentSpecType().equals(
>>> + MTOMConstants.SWA_TYPE_12)) {
>>> + builder = new StAXOMBuilder(streamReader);
>>> ++ ((XOPAwareStAXOMBuilder)
>>> builder).setAllowDTDandPI(false);
>>> + }
>>> + }
>>> +
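Review bot: In both SwA branches (`SWA_TYPE` and `SWA_TYPE_12`) `builder` is assigned `new StAXOMBuilder(streamReader)` and then cast to `XOPAwareStAXOMBuilder` on the next added line. An object created as a plain `StAXOMBuilder` is not an `XOPAwareStAXOMBuilder`, so that cast throws `ClassCastException` at runtime; cast to `StAXOMBuilder` there, as the other hunks in this file do. In the first branch the cast is unnecessary: call `stAXOMBuilder.setAllowDTDandPI(false)` on the local that is already typed.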
>>> +@@ -531,8 +534,8 @@
>>> + * @deprecated If some one really need this method, please shout.
>>> + */
>>> + public static StAXBuilder getBuilder(Reader in) throws
>>> XMLStreamException {
>>> +- XMLStreamReader xmlreader =
>>> StAXUtils.createXMLStreamReader(in);
>>> +- StAXBuilder builder = new StAXSOAPModelBuilder(xmlreader,
>>> null);
>>> ++ XMLStreamReader xmlReader =
>>> StAXUtils.createSecureXMLStreamReader(in);
>>> ++ StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader,
>>> null);
>>> + return builder;
>>> + }
>>> +
>>> +@@ -544,8 +547,10 @@
>>> + * @throws XMLStreamException
>>> + */
>>> + public static StAXBuilder getBuilder(InputStream inStream)
>>> throws XMLStreamException {
>>> +- XMLStreamReader xmlReader =
>>> StAXUtils.createXMLStreamReader(inStream);
>>> +- return new StAXOMBuilder(xmlReader);
>>> ++ XMLStreamReader xmlReader =
>>> StAXUtils.createSecureXMLStreamReader(inStream);
>>> ++ StAXBuilder builder = new StAXOMBuilder(xmlReader);
>>> ++ ((StAXOMBuilder) builder).setAllowDTDandPI(false);
>>> ++ return builder;
>>> + }
>>> +
>>> + /**
>>> +@@ -558,7 +563,7 @@
>>> + */
>>> + public static StAXBuilder getBuilder(InputStream inStream,
>>> String charSetEnc)
>>> + throws XMLStreamException {
>>> +- XMLStreamReader xmlReader =
>>> StAXUtils.createXMLStreamReader(inStream, charSetEnc);
>>> ++ XMLStreamReader xmlReader =
>>> StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
>>> + try {
>>> + StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader);
>>> + return builder;
>>> +@@ -580,7 +585,7 @@
>>> + * @throws XMLStreamException
>>> + */
>>> + public static StAXBuilder getSOAPBuilder(InputStream inStream)
>>> throws XMLStreamException {
>>> +- XMLStreamReader xmlReader =
>>> StAXUtils.createXMLStreamReader(inStream);
>>> ++ XMLStreamReader xmlReader =
>>> StAXUtils.createSecureXMLStreamReader(inStream);
>>> + try {
>>> + StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader);
>>> + return builder;
>>> +@@ -604,7 +609,7 @@
>>> + */
>>> + public static StAXBuilder getSOAPBuilder(InputStream inStream,
>>> String charSetEnc)
>>> + throws XMLStreamException {
>>> +- XMLStreamReader xmlReader =
>>> StAXUtils.createXMLStreamReader(inStream, charSetEnc);
>>> ++ XMLStreamReader xmlReader =
>>> StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
>>> + try {
>>> + StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader);
>>> + return builder;
>>> +@@ -621,8 +626,9 @@
>>> + public static StAXBuilder getBuilder(SOAPFactory soapFactory,
>>> InputStream in, String charSetEnc)
>>> + throws XMLStreamException {
>>> + StAXBuilder builder;
>>> +- XMLStreamReader xmlreader =
>>> StAXUtils.createXMLStreamReader(in, charSetEnc);
>>> +- builder = new StAXOMBuilder(soapFactory, xmlreader);
>>> ++ XMLStreamReader xmlReader =
>>> StAXUtils.createSecureXMLStreamReader(in, charSetEnc);
>>> ++ builder = new StAXOMBuilder(soapFactory, xmlReader);
>>> ++ ((StAXOMBuilder) builder).setAllowDTDandPI(false);
>>> + return builder;
>>> + }
>>> +
>>> +Index: modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
>>> +===================================================================
>>> +--- modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
>>> (revision 952555)
>>> ++++ modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
>>> (working copy)
>>> +@@ -51,7 +51,7 @@
>>> + String actualCharSetEncoding =
>>> BuilderUtil.getCharSetEncoding(pis, charSetEncoding);
>>> +
>>> + // Get the XMLStreamReader for this input stream
>>> +- streamReader = StAXUtils.createXMLStreamReader(pis,
>>> actualCharSetEncoding);
>>> ++ streamReader= StAXUtils.createSecureXMLStreamReader(pis,
>>> actualCharSetEncoding);
>>> + StAXBuilder builder = new
>>> MTOMStAXSOAPModelBuilder(streamReader,
>>> + attachments);
>>> + SOAPEnvelope envelope = (SOAPEnvelope)
>>> builder.getDocumentElement();
>>> +Index: modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
>>> +===================================================================
>>> +--- modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
>>> (revision 952555)
>>> ++++ modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
>>> (working copy)
>>> +@@ -48,7 +48,7 @@
>>> + String actualCharSetEncoding =
>>> BuilderUtil.getCharSetEncoding(pis, charSetEncoding);
>>> +
>>> + // Get the XMLStreamReader for this input stream
>>> +- streamReader = StAXUtils.createXMLStreamReader(pis,
>>> actualCharSetEncoding);
>>> ++ streamReader =
>>> StAXUtils.createSecureXMLStreamReader(pis, actualCharSetEncoding);
>>> +
>>> + StAXBuilder builder = new
>>> StAXSOAPModelBuilder(streamReader);
>>> + SOAPEnvelope envelope = (SOAPEnvelope)
>>> builder.getDocumentElement();
>>>
>>> Added:
>>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>>> URL:
>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch?rev=953250&view=auto
>>>
>>> ==============================================================================
>>>
>>> ---
>>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>>> (added)
>>> +++
>>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>>> Thu Jun 10 08:45:57 2010
>>> @@ -0,0 +1,267 @@
>>> +Index:
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
>>>
>>> +===================================================================
>>> +---
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
>>> (revision 949978)
>>> ++++
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
>>> (working copy)
>>> +@@ -52,6 +52,7 @@
>>> + private static final Log log =
>>> LogFactory.getLog(StAXOMBuilder.class);
>>> + private boolean doTrace = log.isDebugEnabled();
>>> + private static int nsCount = 0;
>>> ++ boolean allowDTDandPI = true;
>>> +
>>> + /**
>>> + * Constructor StAXOMBuilder.
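Review bot: The new field `allowDTDandPI` is declared without an access modifier, so it is package-visible even though the patch adds `isAllowDTDandPI()` and `setAllowDTDandPI()`; make it `private`. It also defaults to `true`, so only call sites that explicitly call `setAllowDTDandPI(false)` reject DTDs and processing instructions, which is worth stating in the Javadoc of the setter.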
>>> +@@ -309,6 +310,9 @@
>>> + * @throws OMException
>>> + */
>>> + protected OMNode createDTD() throws OMException {
>>> ++ if (!allowDTDandPI) {
>>> ++ throw new OMException("Inbound message MUST NOT contain
>>> a Document Type Declaration(DTD)");
>>> ++ }
>>> + if (!parser.hasText())
>>> + return null;
>>> + lastNode = omfactory.createOMDocType(document,
>>> parser.getText());
>>> +@@ -322,6 +326,9 @@
>>> + * @throws OMException
>>> + */
>>> + protected OMNode createPI() throws OMException {
>>> ++ if (!allowDTDandPI) {
>>> ++ throw new OMException("Inbound message MUST NOT contain
>>> Processing Instructions(PI)");
>>> ++ }
>>> + OMNode node;
>>> + String target = parser.getPITarget();
>>> + String data = parser.getPIData();
>>> +@@ -337,6 +344,20 @@
>>> + return node;
>>> + }
>>> +
>>> ++
>>> ++ /**
>>> ++ * @return true if Document Type Definitions and Processing
>>> Instructions are allowed
>>> ++ */
>>> ++ public boolean isAllowDTDandPI() {
>>> ++ return allowDTDandPI;
>>> ++ }
>>> ++
>>> ++ /**
>>> ++ * @param allowDTDandPI boolean
>>> ++ */
>>> ++ public void setAllowDTDandPI(boolean allowDTDandPI) {
>>> ++ this.allowDTDandPI = allowDTDandPI;
>>> ++ }
>>> + protected void endElement() {
>>> + if (lastNode.isComplete()) {
>>> + OMNodeEx parent = (OMNodeEx) lastNode.getParent();
>>> +Index:
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
>>>
>>> +===================================================================
>>> +---
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
>>> (revision 0)
>>> ++++
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
>>> (revision 0)
>>> +@@ -0,0 +1,47 @@
>>> ++/*
>>> ++ * Licensed to the Apache Software Foundation (ASF) under one
>>> ++ * or more contributor license agreements. See the NOTICE file
>>> ++ * distributed with this work for additional information
>>> ++ * regarding copyright ownership. The ASF licenses this file
>>> ++ * to you under the Apache License, Version 2.0 (the
>>> ++ * "License"); you may not use this file except in compliance
>>> ++ * with the License. You may obtain a copy of the License at
>>> ++ *
>>> ++ * http://www.apache.org/licenses/LICENSE-2.0
>>> ++ *
>>> ++ * Unless required by applicable law or agreed to in writing,
>>> ++ * software distributed under the License is distributed on an
>>> ++ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>>> ++ * KIND, either express or implied. See the License for the
>>> ++ * specific language governing permissions and limitations
>>> ++ * under the License.
>>> ++ */
>>> ++package org.apache.axiom.om.util;
>>> ++
>>> ++import javax.xml.stream.XMLResolver;
>>> ++import javax.xml.stream.XMLStreamException;
>>> ++
>>> ++import org.apache.commons.logging.Log;
>>> ++import org.apache.commons.logging.LogFactory;
>>> ++
>>> ++/**
>>> ++ * This XMLResolver is used whenever a secure XMLStreamReader
>>> ++ * is needed. Basically it thows an exception if an attempt
>>> ++ * is made to read an entity.
>>> ++ */
>>> ++public final class SecureXMLResolver implements XMLResolver {
>>> ++
>>> ++ private static Log log =
>>> LogFactory.getLog(SecureXMLResolver.class);
>>> ++ public Object resolveEntity(String arg0, String arg1, String arg2,
>>> ++ String arg3) throws XMLStreamException {
>>> ++ // Note Scheu:
>>> ++ // Do not expose the name of the entity that was attempted
>>> to be
>>> ++ // read as this will reveal secure information to the client.
>>> ++ if (log.isDebugEnabled()) {
>>> ++ log.debug("resolveEntity is disabled because this is a
>>> secure XMLStreamReader(" +
>>> ++ arg0 + ") (" + arg1 + ") (" + arg2 + ") (" +
>>> arg3 + ")");
>>> ++ }
>>> ++ throw new XMLStreamException("Reading external entities is
>>> disabled");
>>> ++ }
>>> ++
>>> ++}
>>> +\ No newline at end of file
>>> +
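Review bot: `resolveEntity` declares its parameters as `arg0` through `arg3`, which makes the debug message hard to read; name them after the `XMLResolver` interface parameters (publicID, systemID, baseURI, namespace). The `log` field can be `private static final`, the class Javadoc has a typo ("thows"), and the file is missing its trailing newline.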
>>> +Property changes on:
>>> modules\axiom-api\src\main\java\org\apache\axiom\om\util\SecureXMLResolver.java
>>>
>>> +___________________________________________________________________
>>> +Name: svn:mime-type
>>> + + text/plain
>>> +Name: svn:keywords
>>> + + Date Revision
>>> +Name: svn:eol-style
>>> + + native
>>> +
>>> +Index:
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
>>> +===================================================================
>>> +---
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
>>> (revision 949978)
>>> ++++
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
>>> (working copy)
>>> +@@ -113,6 +113,39 @@
>>> + }
>>> + });
>>> +
>>> ++ private static final Pool secureXmlInputFactoryPool =
>>> ++ new Pool(new ObjectCreator[] { new ObjectCreator() {
>>> ++ public Object newObject() {
>>> ++ return AccessController.doPrivileged(new PrivilegedAction() {
>>> ++ public Object run() {
>>> ++ // return
>>> XMLInputFactory.newInstance("javax.xml.stream.XMLInputFactory",
>>> StAXUtils.class.getClassLoader());
>>> ++ // TODO: Refactor this code when the FactoryFinder.class in
>>> XLXP fixed and used instead of the Axis2-bundle version
>>> ++ // Try to simulate the above to create XMLInputFactory using
>>> the specific classloader
>>> ++ // This it not quite the same since it will modify the
>>> classloader for all classes
>>> ++ Thread currentThread = Thread.currentThread();
>>> ++ ClassLoader savedClassLoader =
>>> currentThread.getContextClassLoader();
>>> ++ XMLInputFactory factory = null;
>>> ++ try {
>>> ++
>>> currentThread.setContextClassLoader(StAXUtils.class.getClassLoader());
>>> ++ factory = XMLInputFactory.newInstance();
>>> ++
>>> ++ // The following setting disabled external entities...which
>>> is a requirement
>>> ++ // for network xml reading.
>>> ++ setSecureProperties(factory);
>>> ++ } finally {
>>> ++ currentThread.setContextClassLoader(savedClassLoader);
>>> ++ }
>>> ++ return factory;
>>> ++ }
>>> ++ });
>>> ++ }
>>> ++ }, new ObjectCreator() {
>>> ++ public Object newObject() {
>>> ++ return XMLInputFactory.newInstance();
>>> ++ }
>>> ++ } });
>>> ++
>>> ++
>>> + private static final Pool xmlOutputFactoryPool = new Pool(new
>>> ObjectCreator[] {
>>> + new ObjectCreator() {
>>> + public Object newObject() {
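Review bot: The second `ObjectCreator` passed to `secureXmlInputFactoryPool` returns `XMLInputFactory.newInstance()` without calling `setSecureProperties`, so any factory built through that creator is handed out by the secure pool with default settings. Call `setSecureProperties(factory)` in both creators so that every instance in this pool is hardened.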
>>> +@@ -144,6 +177,106 @@
>>> + }
>>> + }
>>> + });
>>> ++
>>> ++ /**
>>> ++ * Gets an XMLInputFactory instance from pool.
>>> ++ *
>>> ++ * @return an XMLInputFactory instance.
>>> ++ */
>>> ++ private static XMLInputFactory getSecureXMLInputFactory() {
>>> ++ return (XMLInputFactory) secureXmlInputFactoryPool.getInstance();
>>> ++ }
>>> ++
>>> ++ /**
>>> ++ * Returns an XMLInputFactory instance for reuse.
>>> ++ *
>>> ++ * @param factory An XMLInputFactory instance that is available
>>> for reuse
>>> ++ */
>>> ++ private static void releaseSecureXMLInputFactory(XMLInputFactory
>>> factory) {
>>> ++ secureXmlInputFactoryPool.releaseInstance(factory);
>>> ++ }
>>> ++
>>> ++ /**
>>> ++ * Create an XMLStreamReader that will be used to read a stream for
>>> ++ * an incoming message. We need to use more restrictive "secure"
>>> properties
>>> ++ * to ensure against attacks.
>>> ++ * @param in
>>> ++ * @param encoding
>>> ++ * @return
>>> ++ * @throws XMLStreamException
>>> ++ */
>>> ++ public static XMLStreamReader
>>> createSecureXMLStreamReader(InputStream in, String encoding)
>>> ++ throws XMLStreamException {
>>> ++ XMLInputFactory inputFactory = getSecureXMLInputFactory();
>>> ++ try {
>>> ++ XMLStreamReader reader = inputFactory.createXMLStreamReader(in,
>>> encoding);
>>> ++ if (isDebugEnabled) {
>>> ++ log.debug("XMLStreamReader is " + reader.getClass().getName());
>>> ++ }
>>> ++ return reader;
>>> ++ } finally {
>>> ++ releaseSecureXMLInputFactory(inputFactory);
>>> ++ }
>>> ++ }
>>> ++
>>> ++ /**
>>> ++ * Create an XMLStreamReader that will be used to read a
>>> stream for
>>> ++ * an incoming message. We need to use more restrictive
>>> "secure" properties
>>> ++ * to ensure against attacks.
>>> ++ * @param in
>>> ++ * @return
>>> ++ * @throws XMLStreamException
>>> ++ */
>>> ++ public static XMLStreamReader
>>> createSecureXMLStreamReader(InputStream in) throws XMLStreamException {
>>> ++ XMLInputFactory inputFactory = getSecureXMLInputFactory();
>>> ++ try {
>>> ++ XMLStreamReader reader =
>>> inputFactory.createXMLStreamReader(in);
>>> ++ if (isDebugEnabled) {
>>> ++ log.debug("XMLStreamReader is " +
>>> reader.getClass().getName());
>>> ++ }
>>> ++ return reader;
>>> ++ } finally {
>>> ++ releaseSecureXMLInputFactory(inputFactory);
>>> ++ }
>>> ++ }
>>> ++
>>> ++ /**
>>> ++ * Create an XMLStreamReader that will be used to read a
>>> stream for
>>> ++ * an incoming message. We need to use more restrictive
>>> "secure" properties
>>> ++ * to ensure against attacks.
>>> ++ *
>>> ++ * @param in
>>> ++ * @return
>>> ++ * @throws XMLStreamException
>>> ++ */
>>> ++ public static XMLStreamReader
>>> createSecureXMLStreamReader(Reader in) throws XMLStreamException {
>>> ++ XMLInputFactory inputFactory = getXMLInputFactory();
>>> ++ try {
>>> ++ XMLStreamReader reader =
>>> inputFactory.createXMLStreamReader(in);
>>> ++ if (isDebugEnabled) {
>>> ++ log.debug("XMLStreamReader is " +
>>> reader.getClass().getName());
>>> ++ }
>>> ++ return reader;
>>> ++ } finally {
>>> ++ releaseSecureXMLInputFactory(inputFactory);
>>> ++ }
>>> ++ }
>>> ++
>>> ++ private static void setSecureProperties(XMLInputFactory f) {
>>> ++ // The goal is to prevent tampering of the message
>>> ++ // by external entities or denial of service
>>> ++ // replacing entities.
>>> ++ // Setting the following properties ensures this goal
>>> ++
>>> f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES,
>>> ++ Boolean.FALSE);
>>> ++
>>> f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES,
>>> ++ Boolean.FALSE);
>>> ++ f.setProperty(XMLInputFactory.SUPPORT_DTD,
>>> ++ Boolean.FALSE);
>>> ++ f.setXMLResolver(new SecureXMLResolver());
>>> ++ }
>>> ++
>>> ++
>>> +
>>> +
>>> + private static Log log = LogFactory.getLog(StAXUtils.class);
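Review bot: `createSecureXMLStreamReader(Reader in)` takes its factory from `getXMLInputFactory()` rather than `getSecureXMLInputFactory()`, so the reader it returns has none of the `setSecureProperties` settings applied. Its `finally` block then passes that factory to `releaseSecureXMLInputFactory`, which puts it into `secureXmlInputFactoryPool` where the `InputStream` overloads can pick it up later. Use `getSecureXMLInputFactory()` here, matching the other two overloads.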
>>>
>>> Added:
>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>>
>>> URL:
>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar?rev=953250&view=auto
>>>
>>> ==============================================================================
>>>
>>> Binary file - no diff available.
>>>
>>> Propchange:
>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>>
>>> ------------------------------------------------------------------------------
>>>
>>> svn:mime-type = application/java-archive
>>>
>>> Added: geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>> URL:
>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt?rev=953250&view=auto
>>>
>>> ==============================================================================
>>>
>>> --- geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>> (added)
>>> +++ geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>> Thu Jun 10 08:45:57 2010
>>> @@ -0,0 +1,30 @@
>>> +Private Build of Axiom 1.2.5 for Geronimo.
>>> +
>>> +How to build Axiom 1.2.5
>>> +---------------------------------
>>> + Checkout the Axiom 1.2.5 tag
>>> + svn co
>>> http://svn.apache.org/repos/asf/webservices/commons/tags/axiom/1_2_5
>>> +
>>> +
>>> +Apply the patch
>>> +-----------------
>>> + cd 1_2_5
>>> + patch -p0 -i axiom_api.patch
>>> +
>>> +Build Axiom 1.2.5
>>> +---------------
>>> + cd 1_2_5
>>> + mvn install
>>> +
>>> +Notes:
>>> + - Use Sun 1.5.x and Maven 2.0.9 build.
>>> +
>>> +
>>> +Patch Information
>>> +-----------------
>>> + axiom_api.patch - contains fixes for AXIS2-4450
>>> +
>>> +Copy patched jar files to appropriate locations
>>> +-----------------------------------------------
>>> + cd 1_2_5
>>> + cp
>>> modules/axiom-api/target/axiom-api-1.2.5.jar<geronimo-root>/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>>
>>> \ No newline at end of file
>>>
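Review bot: The `cp` command in the last section, as shown here, has no space between the source jar path and the `<geronimo-root>/repository/...` destination, so it cannot be run as written; separate the two arguments. The apply step also runs `patch -p0 -i axiom_api.patch` from inside `1_2_5` without saying where `axiom_api.patch` is expected to be, so add the path or a copy step.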
>>> Propchange:
>>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>> ------------------------------------------------------------------------------
>>>
>>> svn:eol-style = native
>>>
>>> Propchange:
>>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>> ------------------------------------------------------------------------------
>>>
>>> svn:keywords = Date Revision
>>>
>>> Propchange:
>>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>> ------------------------------------------------------------------------------
>>>
>>> svn:mime-type = text/plain
>>>
>>>
>>>
>>>
>>>
>>
>>
>