geronimo-dev mailing list archives

From Rick McGuire <rick...@gmail.com>
Subject Re: svn commit: r953250 - in /geronimo/server/branches/2.1/repository/org/apache: axis2/ axis2/axis2-kernel/1.3-G20090406/ ws/ ws/commons/ ws/commons/axiom/ ws/commons/axiom/axiom-api/ ws/commons/axiom/axiom-api/1.2.5/
Date Thu, 10 Jun 2010 14:09:46 GMT
On 6/10/2010 9:53 AM, Donald Woods wrote:
> But we're going to instruct existing 2.1.x users to copy it over the
> existing jars in the server repository, right?  Or are we going to
> instruct them to create an artifact-alias entry to map all usage to the
> new one (which may not work in all cases....)?
>    

Using artifact-alias has been sort of an assumption in all of the 
discussions I've seen.  Giving two versions of a jar the same name seems 
like a recipe for disaster.

Rick

>
> -Donald
>
>
> On 6/10/10 9:10 AM, Rick McGuire wrote:
>    
>> Ashish,
>>
>> I think there are a couple of changes that need to be made for this update:
>>
>> 1)  Since we're likely going to be making the Axis2 jar available for
>> download before we have the release complete, the timestamp in the jar
>> name should be updated so the different versions can be easily
>> distinguished.
>> 2)  The checked in axiom jar should also carry a timestamp modifier
>> (e.g., axiom-api-1.2.5-20100610).
>>
>> Rick
>>
>> On 6/10/2010 4:45 AM, ashishjain@apache.org wrote:
>>      
>>> Author: ashishjain
>>> Date: Thu Jun 10 08:45:57 2010
>>> New Revision: 953250
>>>
>>> URL: http://svn.apache.org/viewvc?rev=953250&view=rev
>>> Log:
>>> GERONIMO-5379 Fixes for geronimo custom AXIS2 for 2.1 branch
>>>
>>> Added:
>>>
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>>>       geronimo/server/branches/2.1/repository/org/apache/ws/
>>>
>>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>>>       geronimo/server/branches/2.1/repository/org/apache/ws/commons/
>>>       geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/
>>>
>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/
>>>
>>>
>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/
>>>
>>>
>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>> (with props)
>>>
>>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>> (with props)
>>> Modified:
>>>       geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>>
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar
>>>
>>>
>>> Modified:
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>> URL:
>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT?rev=953250&r1=953249&r2=953250&view=diff
>>>
>>> ==============================================================================
>>>
>>> ---
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>> (original)
>>> +++
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>> Thu Jun 10 08:45:57 2010
>>> @@ -3,7 +3,7 @@ Private Build of Axis2 1.3 for Geronimo.
>>>    How to build Axis2 1.3-G20090406:
>>>    ---------------------------------
>>>     Checkout the Axis2 1.3 tag
>>> -   svn co
>>> http://svn.apache.org/repos/asf/webservices/axis2/tags/java/v1.3/
>>> axis2-1.3
>>> +   svn co
>>> http://svn.apache.org/repos/asf/axis/axis2/java/core/tags/java/v1.3
>>>
>>>
>>>    Apply the patches
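
Review bot: The replacement `svn co` line in this first README hunk drops the `axis2-1.3` target directory that the old command passed, so the checkout now lands in a directory named after the last URL segment (`v1.3`). If the later steps of this README are run from an `axis2-1.3` working directory, either restore the argument or update those steps to match.
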
>>> @@ -14,6 +14,7 @@ Apply the patches
>>>     patch -p0 -i metadata.patch
>>>     patch -p0 -i jaxws.patch
>>>     patch -p0 -i kernel.patch
>>> + patch -p0 -i builder.patch
>>>
>>>    Build Axis2 1.3
>>>    ---------------
>>> @@ -32,6 +33,7 @@ Patch Information
>>>     metadata.patch - contains fixes for SEI with overloaded methods
>>>     jaxws.patch    - contains fixes for AXIS2-3343 and RESTful invocations
>>>     kernel.patch   - contains fixes for AXIS2-4279
>>> + builder.patch  - contains fixes for AXIS2-4450
>>>
>>>    Copy patched jar files to appropriate locations
>>>    -----------------------------------------------
>>>
>>> Modified:
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar
>>>
>>> URL:
>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar?rev=953250&r1=953249&r2=953250&view=diff
>>>
>>> ==============================================================================
>>>
>>> Binary files - no diff available.
>>>
>>> Added:
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>>> URL:
>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch?rev=953250&view=auto
>>>
>>> ==============================================================================
>>>
>>> ---
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>>> (added)
>>> +++
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>>> Thu Jun 10 08:45:57 2010
>>> @@ -0,0 +1,132 @@
>>> +Index: modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
>>> +===================================================================
>>> +--- modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
>>> (revision 952555)
>>> ++++ modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
>>> (working copy)
>>> +@@ -192,9 +192,9 @@
>>> +     public static StAXBuilder getPOXBuilder(InputStream inStream,
>>> String charSetEnc)
>>> +             throws XMLStreamException {
>>> +         StAXBuilder builder;
>>> +-        XMLStreamReader xmlreader =
>>> +-                StAXUtils.createXMLStreamReader(inStream, charSetEnc);
>>> +-        builder = new StAXOMBuilder(xmlreader);
>>> ++        XMLStreamReader xmlReader =
>>> StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
>>> ++        builder = new StAXOMBuilder(xmlReader);
>>> ++        ((StAXOMBuilder) builder).setAllowDTDandPI(false);
>>> +         return builder;
>>> +     }
>>> +
>>> +@@ -374,7 +374,7 @@
>>> +             PushbackInputStream pis =
>>> getPushbackInputStream(attachments.getSOAPPartInputStream());
>>> +             String actualCharSetEncoding = getCharSetEncoding(pis,
>>> charSetEncoding);
>>> +
>>> +-            streamReader = StAXUtils.createXMLStreamReader(pis,
>>> actualCharSetEncoding);
>>> ++            streamReader =
>>> StAXUtils.createSecureXMLStreamReader(pis, actualCharSetEncoding);
>>> +         } catch (IOException e) {
>>> +             throw new XMLStreamException(e);
>>> +         }
>>> +@@ -414,13 +414,16 @@
>>> +                 XOPAwareStAXOMBuilder stAXOMBuilder = new
>>> XOPAwareStAXOMBuilder(
>>> +                         streamReader, attachments);
>>> +                 builder = stAXOMBuilder;
>>> ++                ((XOPAwareStAXOMBuilder)
>>> builder).setAllowDTDandPI(false);
>>> +
>>> +             } else if (attachments.getAttachmentSpecType().equals(
>>> +                     MTOMConstants.SWA_TYPE)) {
>>> +                 builder = new StAXOMBuilder(streamReader);
>>> ++                ((XOPAwareStAXOMBuilder)
>>> builder).setAllowDTDandPI(false);
>>> +             } else if (attachments.getAttachmentSpecType().equals(
>>> +                     MTOMConstants.SWA_TYPE_12)) {
>>> +                 builder = new StAXOMBuilder(streamReader);
>>> ++                ((XOPAwareStAXOMBuilder)
>>> builder).setAllowDTDandPI(false);
>>> +             }
>>> +         }
>>> +
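
Review bot: In the two SwA branches (`SWA_TYPE` and `SWA_TYPE_12`) the builder is created as `new StAXOMBuilder(streamReader)` and then cast to `XOPAwareStAXOMBuilder` on the added line. The object is a plain StAXOMBuilder, so the cast looks copied from the MTOM branch above it and will throw ClassCastException for SwA messages instead of turning DTD and PI handling off. Cast to `StAXOMBuilder` in those two branches, as the other BuilderUtil hunks do, or keep a typed local and call `setAllowDTDandPI(false)` on it before assigning to `builder`.
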
>>> +@@ -531,8 +534,8 @@
>>> +      * @deprecated If some one really need this method, please shout.
>>> +      */
>>> +     public static StAXBuilder getBuilder(Reader in) throws
>>> XMLStreamException {
>>> +-        XMLStreamReader xmlreader =
>>> StAXUtils.createXMLStreamReader(in);
>>> +-        StAXBuilder builder = new StAXSOAPModelBuilder(xmlreader,
>>> null);
>>> ++        XMLStreamReader xmlReader =
>>> StAXUtils.createSecureXMLStreamReader(in);
>>> ++        StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader,
>>> null);
>>> +         return builder;
>>> +     }
>>> +
>>> +@@ -544,8 +547,10 @@
>>> +      * @throws XMLStreamException
>>> +      */
>>> +     public static StAXBuilder getBuilder(InputStream inStream)
>>> throws XMLStreamException {
>>> +-        XMLStreamReader xmlReader =
>>> StAXUtils.createXMLStreamReader(inStream);
>>> +-        return new StAXOMBuilder(xmlReader);
>>> ++         XMLStreamReader xmlReader =
>>> StAXUtils.createSecureXMLStreamReader(inStream);
>>> ++         StAXBuilder builder = new StAXOMBuilder(xmlReader);
>>> ++         ((StAXOMBuilder) builder).setAllowDTDandPI(false);
>>> ++         return builder;
>>> +     }
>>> +
>>> +     /**
>>> +@@ -558,7 +563,7 @@
>>> +      */
>>> +     public static StAXBuilder getBuilder(InputStream inStream,
>>> String charSetEnc)
>>> +             throws XMLStreamException {
>>> +-        XMLStreamReader xmlReader =
>>> StAXUtils.createXMLStreamReader(inStream, charSetEnc);
>>> ++        XMLStreamReader xmlReader =
>>> StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
>>> +         try {
>>> +             StAXBuilder builder =  new StAXSOAPModelBuilder(xmlReader);
>>> +             return builder;
>>> +@@ -580,7 +585,7 @@
>>> +      * @throws XMLStreamException
>>> +      */
>>> +     public static StAXBuilder getSOAPBuilder(InputStream inStream)
>>> throws XMLStreamException {
>>> +-        XMLStreamReader xmlReader =
>>> StAXUtils.createXMLStreamReader(inStream);
>>> ++            XMLStreamReader xmlReader =
>>> StAXUtils.createSecureXMLStreamReader(inStream);
>>> +         try {
>>> +             StAXBuilder builder =  new StAXSOAPModelBuilder(xmlReader);
>>> +             return builder;
>>> +@@ -604,7 +609,7 @@
>>> +      */
>>> +     public static StAXBuilder getSOAPBuilder(InputStream inStream,
>>> String charSetEnc)
>>> +             throws XMLStreamException {
>>> +-        XMLStreamReader xmlReader =
>>> StAXUtils.createXMLStreamReader(inStream, charSetEnc);
>>> ++        XMLStreamReader xmlReader =
>>> StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
>>> +         try {
>>> +             StAXBuilder builder =  new StAXSOAPModelBuilder(xmlReader);
>>> +             return builder;
>>> +@@ -621,8 +626,9 @@
>>> +     public static StAXBuilder getBuilder(SOAPFactory soapFactory,
>>> InputStream in, String charSetEnc)
>>> +             throws XMLStreamException {
>>> +         StAXBuilder builder;
>>> +-        XMLStreamReader xmlreader =
>>> StAXUtils.createXMLStreamReader(in, charSetEnc);
>>> +-        builder = new StAXOMBuilder(soapFactory, xmlreader);
>>> ++        XMLStreamReader xmlReader =
>>> StAXUtils.createSecureXMLStreamReader(in, charSetEnc);
>>> ++        builder = new StAXOMBuilder(soapFactory, xmlReader);
>>> ++                ((StAXOMBuilder) builder).setAllowDTDandPI(false);
>>> +         return builder;
>>> +     }
>>> +
>>> +Index: modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
>>> +===================================================================
>>> +--- modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
>>> (revision 952555)
>>> ++++ modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
>>> (working copy)
>>> +@@ -51,7 +51,7 @@
>>> +             String actualCharSetEncoding =
>>> BuilderUtil.getCharSetEncoding(pis, charSetEncoding);
>>> +
>>> +             // Get the XMLStreamReader for this input stream
>>> +-            streamReader = StAXUtils.createXMLStreamReader(pis,
>>> actualCharSetEncoding);
>>> ++            streamReader= StAXUtils.createSecureXMLStreamReader(pis,
>>> actualCharSetEncoding);
>>> +             StAXBuilder builder = new
>>> MTOMStAXSOAPModelBuilder(streamReader,
>>> +                     attachments);
>>> +             SOAPEnvelope envelope = (SOAPEnvelope)
>>> builder.getDocumentElement();
>>> +Index: modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
>>> +===================================================================
>>> +--- modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
>>> (revision 952555)
>>> ++++ modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
>>> (working copy)
>>> +@@ -48,7 +48,7 @@
>>> +             String actualCharSetEncoding =
>>> BuilderUtil.getCharSetEncoding(pis, charSetEncoding);
>>> +
>>> +             // Get the XMLStreamReader for this input stream
>>> +-            streamReader = StAXUtils.createXMLStreamReader(pis,
>>> actualCharSetEncoding);
>>> ++            streamReader =
>>> StAXUtils.createSecureXMLStreamReader(pis, actualCharSetEncoding);
>>> +
>>> +             StAXBuilder builder = new
>>> StAXSOAPModelBuilder(streamReader);
>>> +             SOAPEnvelope envelope = (SOAPEnvelope)
>>> builder.getDocumentElement();
>>>
>>> Added:
>>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>>> URL:
>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch?rev=953250&view=auto
>>>
>>> ==============================================================================
>>>
>>> ---
>>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>>> (added)
>>> +++
>>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>>> Thu Jun 10 08:45:57 2010
>>> @@ -0,0 +1,267 @@
>>> +Index:
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
>>>
>>> +===================================================================
>>> +---
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
>>> (revision 949978)
>>> ++++
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
>>> (working copy)
>>> +@@ -52,6 +52,7 @@
>>> +     private static final Log log =
>>> LogFactory.getLog(StAXOMBuilder.class);
>>> +     private boolean doTrace = log.isDebugEnabled();
>>> +     private static int nsCount = 0;
>>> ++    boolean allowDTDandPI = true;
>>> +
>>> +     /**
>>> +      * Constructor StAXOMBuilder.
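
Review bot: The new field `boolean allowDTDandPI = true;` is package-private and defaults to permissive, so every StAXOMBuilder caller that this commit does not touch keeps accepting DTDs and processing instructions. Make the field `private`, since the accessor pair added further down already covers access, and document on the setter that inbound-message paths are expected to call `setAllowDTDandPI(false)`. If a secure default is not possible for compatibility reasons, say so in the Javadoc.
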
>>> +@@ -309,6 +310,9 @@
>>> +      * @throws OMException
>>> +      */
>>> +     protected OMNode createDTD() throws OMException {
>>> ++         if (!allowDTDandPI) {
>>> ++             throw new OMException("Inbound message MUST NOT contain
>>> a Document Type Declaration(DTD)");
>>> ++             }
>>> +         if (!parser.hasText())
>>> +             return null;
>>> +         lastNode = omfactory.createOMDocType(document,
>>> parser.getText());
>>> +@@ -322,6 +326,9 @@
>>> +      * @throws OMException
>>> +      */
>>> +     protected OMNode createPI() throws OMException {
>>> ++        if (!allowDTDandPI) {
>>> ++            throw new OMException("Inbound message MUST NOT contain
>>> Processing Instructions(PI)");
>>> ++            }
>>> +         OMNode node;
>>> +         String target = parser.getPITarget();
>>> +         String data = parser.getPIData();
>>> +@@ -337,6 +344,20 @@
>>> +         return node;
>>> +     }
>>> +
>>> ++
>>> ++    /**
>>> ++    * @return true if Document Type Definitions and Processing
>>> Instructions are allowed
>>> ++    */
>>> ++    public boolean isAllowDTDandPI() {
>>> ++    return allowDTDandPI;
>>> ++    }
>>> ++
>>> ++    /**
>>> ++    * @param allowDTDandPI boolean
>>> ++    */
>>> ++    public void setAllowDTDandPI(boolean allowDTDandPI) {
>>> ++    this.allowDTDandPI = allowDTDandPI;
>>> ++    }
>>> +     protected void endElement() {
>>> +         if (lastNode.isComplete()) {
>>> +             OMNodeEx parent = (OMNodeEx) lastNode.getParent();
>>> +Index:
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
>>>
>>> +===================================================================
>>> +---
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
>>> (revision 0)
>>> ++++
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
>>> (revision 0)
>>> +@@ -0,0 +1,47 @@
>>> ++/*
>>> ++ * Licensed to the Apache Software Foundation (ASF) under one
>>> ++ * or more contributor license agreements. See the NOTICE file
>>> ++ * distributed with this work for additional information
>>> ++ * regarding copyright ownership. The ASF licenses this file
>>> ++ * to you under the Apache License, Version 2.0 (the
>>> ++ * "License"); you may not use this file except in compliance
>>> ++ * with the License. You may obtain a copy of the License at
>>> ++ *
>>> ++ * http://www.apache.org/licenses/LICENSE-2.0
>>> ++ *
>>> ++ * Unless required by applicable law or agreed to in writing,
>>> ++ * software distributed under the License is distributed on an
>>> ++ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>>> ++ * KIND, either express or implied. See the License for the
>>> ++ * specific language governing permissions and limitations
>>> ++ * under the License.
>>> ++ */
>>> ++package org.apache.axiom.om.util;
>>> ++
>>> ++import javax.xml.stream.XMLResolver;
>>> ++import javax.xml.stream.XMLStreamException;
>>> ++
>>> ++import org.apache.commons.logging.Log;
>>> ++import org.apache.commons.logging.LogFactory;
>>> ++
>>> ++/**
>>> ++ * This XMLResolver is used whenever a secure XMLStreamReader
>>> ++ * is needed.  Basically it thows an exception if an attempt
>>> ++ * is made to read an entity.
>>> ++ */
>>> ++public final class SecureXMLResolver implements XMLResolver {
>>> ++
>>> ++    private static Log log =
>>> LogFactory.getLog(SecureXMLResolver.class);
>>> ++    public Object resolveEntity(String arg0, String arg1, String arg2,
>>> ++            String arg3) throws XMLStreamException {
>>> ++        // Note Scheu:
>>> ++        // Do not expose the name of the entity that was attempted
>>> to be
>>> ++        // read as this will reveal secure information to the client.
>>> ++        if (log.isDebugEnabled()) {
>>> ++            log.debug("resolveEntity is disabled because this is a
>>> secure XMLStreamReader(" +
>>> ++                    arg0 + ") (" + arg1 + ") (" + arg2   + ") (" +
>>> arg3 + ")");
>>> ++        }
>>> ++        throw new XMLStreamException("Reading external entities is
>>> disabled");
>>> ++    }
>>> ++
>>> ++}
>>> +\ No newline at end of file
>>> +
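
Review bot: `resolveEntity(String arg0, String arg1, String arg2, String arg3)` in the new SecureXMLResolver hides what is being logged; the XMLResolver interface names these publicID, systemID, baseURI and namespace, and using those names would make the debug line usable when someone has to work out which entity was refused. Smaller points in the same file: `log` can be `private static final`, the class Javadoc has "thows" for "throws", and the file has no trailing newline. Keeping the entity identifiers out of the exception message and only in the debug log matches the intent stated in the comment.
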
>>> +Property changes on:
>>> modules\axiom-api\src\main\java\org\apache\axiom\om\util\SecureXMLResolver.java
>>>
>>> +___________________________________________________________________
>>> +Name: svn:mime-type
>>> +   + text/plain
>>> +Name: svn:keywords
>>> +   + Date Revision
>>> +Name: svn:eol-style
>>> +   + native
>>> +
>>> +Index:
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
>>> +===================================================================
>>> +---
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
>>> (revision 949978)
>>> ++++
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
>>> (working copy)
>>> +@@ -113,6 +113,39 @@
>>> +             }
>>> +     });
>>> +
>>> ++    private static final Pool secureXmlInputFactoryPool =
>>> ++        new Pool(new ObjectCreator[] { new ObjectCreator() {
>>> ++        public Object newObject() {
>>> ++        return AccessController.doPrivileged(new PrivilegedAction() {
>>> ++        public Object run() {
>>> ++         // return
>>> XMLInputFactory.newInstance("javax.xml.stream.XMLInputFactory",
>>> StAXUtils.class.getClassLoader());
>>> ++         // TODO: Refactor this code when the FactoryFinder.class in
>>> XLXP fixed and used instead of the Axis2-bundle version
>>> ++        // Try to simulate the above to create XMLInputFactory using
>>> the specific classloader
>>> ++        // This it not quite the same since it will modify the
>>> classloader for all classes
>>> ++        Thread currentThread = Thread.currentThread();
>>> ++        ClassLoader savedClassLoader =
>>> currentThread.getContextClassLoader();
>>> ++        XMLInputFactory factory = null;
>>> ++        try {
>>> ++
>>> currentThread.setContextClassLoader(StAXUtils.class.getClassLoader());
>>> ++            factory = XMLInputFactory.newInstance();
>>> ++
>>> ++        // The following setting disabled external entities...which
>>> is a requirement
>>> ++        // for network xml reading.
>>> ++        setSecureProperties(factory);
>>> ++        } finally {
>>> ++         currentThread.setContextClassLoader(savedClassLoader);
>>> ++        }
>>> ++        return factory;
>>> ++        }
>>> ++        });
>>> ++        }
>>> ++        }, new ObjectCreator() {
>>> ++         public Object newObject() {
>>> ++        return XMLInputFactory.newInstance();
>>> ++        }
>>> ++        } });
>>> ++
>>> ++
>>> +     private static final Pool xmlOutputFactoryPool = new Pool(new
>>> ObjectCreator[] {
>>> +             new ObjectCreator() {
>>> +                 public Object newObject() {
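
Review bot: The second ObjectCreator passed to `secureXmlInputFactoryPool` returns `XMLInputFactory.newInstance()` without calling `setSecureProperties(factory)`. Whenever the pool falls back to that creator, the "secure" pool hands out a factory with default settings, which still has external entities and DTD support as the implementation ships them. Apply `setSecureProperties` in both creators so that every instance from this pool is configured the same way. The first creator's body is also not indented inside `run()`, which makes the try/finally hard to follow.
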
>>> +@@ -144,6 +177,106 @@
>>> +                 }
>>> +             }
>>> +     });
>>> ++
>>> ++     /**
>>> ++    * Gets an XMLInputFactory instance from pool.
>>> ++    *
>>> ++    * @return an XMLInputFactory instance.
>>> ++    */
>>> ++    private static XMLInputFactory getSecureXMLInputFactory() {
>>> ++    return (XMLInputFactory) secureXmlInputFactoryPool.getInstance();
>>> ++    }
>>> ++
>>> ++    /**
>>> ++    * Returns an XMLInputFactory instance for reuse.
>>> ++    *
>>> ++    * @param factory An XMLInputFactory instance that is available
>>> for reuse
>>> ++    */
>>> ++    private static void releaseSecureXMLInputFactory(XMLInputFactory
>>> factory) {
>>> ++     secureXmlInputFactoryPool.releaseInstance(factory);
>>> ++    }
>>> ++
>>> ++    /**
>>> ++    * Create an XMLStreamReader that will be used to read a stream for
>>> ++    * an incoming message.  We need to use more restrictive "secure"
>>> properties
>>> ++    * to ensure against attacks.
>>> ++    * @param in
>>> ++    * @param encoding
>>> ++    * @return
>>> ++    * @throws XMLStreamException
>>> ++    */
>>> ++    public static XMLStreamReader
>>> createSecureXMLStreamReader(InputStream in, String encoding)
>>> ++    throws XMLStreamException {
>>> ++    XMLInputFactory inputFactory = getSecureXMLInputFactory();
>>> ++    try {
>>> ++    XMLStreamReader reader = inputFactory.createXMLStreamReader(in,
>>> encoding);
>>> ++    if (isDebugEnabled) {
>>> ++    log.debug("XMLStreamReader is " + reader.getClass().getName());
>>> ++    }
>>> ++    return reader;
>>> ++    } finally {
>>> ++     releaseSecureXMLInputFactory(inputFactory);
>>> ++            }
>>> ++     }
>>> ++
>>> ++        /**
>>> ++         * Create an XMLStreamReader that will be used to read a
>>> stream for
>>> ++         * an incoming message.  We need to use more restrictive
>>> "secure" properties
>>> ++         * to ensure against attacks.
>>> ++         * @param in
>>> ++         * @return
>>> ++         * @throws XMLStreamException
>>> ++         */
>>> ++        public static XMLStreamReader
>>> createSecureXMLStreamReader(InputStream in) throws XMLStreamException {
>>> ++            XMLInputFactory inputFactory = getSecureXMLInputFactory();
>>> ++            try {
>>> ++                XMLStreamReader reader =
>>> inputFactory.createXMLStreamReader(in);
>>> ++                if (isDebugEnabled) {
>>> ++                    log.debug("XMLStreamReader is " +
>>> reader.getClass().getName());
>>> ++                }
>>> ++                return reader;
>>> ++            } finally {
>>> ++                releaseSecureXMLInputFactory(inputFactory);
>>> ++            }
>>> ++        }
>>> ++
>>> ++        /**
>>> ++         * Create an XMLStreamReader that will be used to read a
>>> stream for
>>> ++         * an incoming message.  We need to use more restrictive
>>> "secure" properties
>>> ++         * to ensure against attacks.
>>> ++         *
>>> ++         * @param in
>>> ++         * @return
>>> ++         * @throws XMLStreamException
>>> ++         */
>>> ++        public static XMLStreamReader
>>> createSecureXMLStreamReader(Reader in) throws XMLStreamException {
>>> ++            XMLInputFactory inputFactory = getXMLInputFactory();
>>> ++            try {
>>> ++                XMLStreamReader reader =
>>> inputFactory.createXMLStreamReader(in);
>>> ++                if (isDebugEnabled) {
>>> ++                    log.debug("XMLStreamReader is " +
>>> reader.getClass().getName());
>>> ++                }
>>> ++                return reader;
>>> ++            } finally {
>>> ++                releaseSecureXMLInputFactory(inputFactory);
>>> ++            }
>>> ++        }
>>> ++
>>> ++        private static void setSecureProperties(XMLInputFactory f) {
>>> ++            // The goal is to prevent tampering of the message
>>> ++                  // by external entities or denial of service
>>> ++                  // replacing entities.
>>> ++                  // Setting the following properties ensures this goal
>>> ++
>>> f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES,
>>> ++                          Boolean.FALSE);
>>> ++
>>> f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES,
>>> ++                          Boolean.FALSE);
>>> ++                  f.setProperty(XMLInputFactory.SUPPORT_DTD,
>>> ++                          Boolean.FALSE);
>>> ++                  f.setXMLResolver(new SecureXMLResolver());
>>> ++              }
>>> ++
>>> ++
>>> +
>>> +
>>> +     private static Log log = LogFactory.getLog(StAXUtils.class);
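
Review bot: `createSecureXMLStreamReader(Reader in)` obtains its factory with `getXMLInputFactory()`, not `getSecureXMLInputFactory()`, and then passes it to `releaseSecureXMLInputFactory(inputFactory)`. The reader it returns is therefore not restricted at all, and each call also puts an unsecured factory into the secure pool, where the InputStream overloads can pick it up later. Change the first line of that overload to `getSecureXMLInputFactory()`. The `BuilderUtil.getBuilder(Reader)` change in builder.patch depends on this overload. The `@return` tags in the three new Javadoc blocks are empty, and the indentation differs between the first overload and the other two.
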
>>>
>>> Added:
>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>>
>>> URL:
>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar?rev=953250&view=auto
>>>
>>> ==============================================================================
>>>
>>> Binary file - no diff available.
>>>
>>> Propchange:
>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>>
>>> ------------------------------------------------------------------------------
>>>
>>>       svn:mime-type = application/java-archive
>>>
>>> Added: geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>> URL:
>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt?rev=953250&view=auto
>>>
>>> ==============================================================================
>>>
>>> --- geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>> (added)
>>> +++ geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>> Thu Jun 10 08:45:57 2010
>>> @@ -0,0 +1,30 @@
>>> +Private Build of Axiom 1.2.5 for Geronimo.
>>> +
>>> +How to build Axiom 1.2.5
>>> +---------------------------------
>>> + Checkout the Axiom 1.2.5 tag
>>> +   svn co
>>> http://svn.apache.org/repos/asf/webservices/commons/tags/axiom/1_2_5
>>> +
>>> +
>>> +Apply the patch
>>> +-----------------
>>> + cd 1_2_5
>>> + patch -p0 -i axiom_api.patch
>>> +
>>> +Build Axiom 1.2.5
>>> +---------------
>>> + cd 1_2_5
>>> + mvn install
>>> +
>>> +Notes:
>>> +  - Use Sun 1.5.x and Maven 2.0.9 build.
>>> +
>>> +
>>> +Patch Information
>>> +-----------------
>>> +  axiom_api.patch  - contains fixes for AXIS2-4450
>>> +
>>> +Copy patched jar files to appropriate locations
>>> +-----------------------------------------------
>>> +  cd 1_2_5
>>> +  cp
>>> modules/axiom-api/target/axiom-api-1.2.5.jar<geronimo-root>/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>>
>>> \ No newline at end of file
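
Review bot: The build instructions in this new readme.txt repeat `cd 1_2_5` in the apply, build and copy sections, so anyone following them top to bottom is already inside the checkout when the second `cd` runs; state once which directory each section starts from. `patch -p0 -i axiom_api.patch` also assumes the patch file has been copied into the checkout, which the text does not say. As the `cp` line appears here, there is no space between the source jar and the `<geronimo-root>` destination; check that in the committed file. The file also lacks a trailing newline.
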
>>>
>>> Propchange:
>>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>> ------------------------------------------------------------------------------
>>>
>>>       svn:eol-style = native
>>>
>>> Propchange:
>>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>> ------------------------------------------------------------------------------
>>>
>>>       svn:keywords = Date Revision
>>>
>>> Propchange:
>>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>> ------------------------------------------------------------------------------
>>>
>>>       svn:mime-type = text/plain
>>>
>>>
>>>
>>>
>>>        
>>
>>      
>    

