Sure Rick, I will modify the timestamp for the jars to new values.
On Thu, Jun 10, 2010 at 7:39 PM, Rick McGuire <rickmcg@gmail.com> wrote:
> On 6/10/2010 9:53 AM, Donald Woods wrote:
>
>> But we're going to instruct existing 2.1.x users to copy it over the
>> existing jars in the server repository, right? Or are we going to
>> instruct them to create an artifact-alias entry to map all usage to the
>> new one (which may not work in all cases....)?
>>
>>
>
> Using artifact-alias has been sort of an assumption in all of the
> discussions I've seen. Giving two versions of a jar the same name seems
> like a recipe for disaster.
>
> Rick
>
>
>
>> -Donald
>>
>>
>> On 6/10/10 9:10 AM, Rick McGuire wrote:
>>
>>
>>> Ashish,
>>>
>>> I think there are a couple of changes that need to be made for this
>>> update:
>>>
>>> 1) Since we're likely going to be making the Axis2 jar available for
>>> download before we have the release complete, the timestamp in the jar
>>> name should be updated so the different versions can be easily
>>> distinguished.
>>> 2) The checked in axiom jar should also carry a timestamp modifier
>>> (e.g., axiom-api-1.2.5-20100610).
>>>
>>> Rick
>>>
>>> On 6/10/2010 4:45 AM, ashishjain@apache.org wrote:
>>>
>>>
>>>> Author: ashishjain
>>>> Date: Thu Jun 10 08:45:57 2010
>>>> New Revision: 953250
>>>>
>>>> URL: http://svn.apache.org/viewvc?rev=953250&view=rev
>>>> Log:
>>>> GERONIMO-5379 Fixes for geronimo custom AXIS2 for 2.1 branch
>>>>
>>>> Added:
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/
>>>>
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/
>>>>
>>>>
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/
>>>>
>>>>
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>>> (with props)
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>>> (with props)
>>>> Modified:
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>>>
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar
>>>>
>>>>
>>>> Modified:
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>>> URL:
>>>>
>>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT?rev=953250&r1=953249&r2=953250&view=diff
>>>>
>>>>
>>>> ==============================================================================
>>>>
>>>> ---
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>>> (original)
>>>> +++
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>>> Thu Jun 10 08:45:57 2010
>>>> @@ -3,7 +3,7 @@ Private Build of Axis2 1.3 for Geronimo.
>>>> How to build Axis2 1.3-G20090406:
>>>> ---------------------------------
>>>> Checkout the Axis2 1.3 tag
>>>> - svn co
>>>> http://svn.apache.org/repos/asf/webservices/axis2/tags/java/v1.3/
>>>> axis2-1.3
>>>> + svn co
>>>> http://svn.apache.org/repos/asf/axis/axis2/java/core/tags/java/v1.3
>>>>
>>>>
>>>> Apply the patches
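Review bot: The new `svn co` line in the checkout step drops the target directory argument (`axis2-1.3`) that the old command carried, so the working copy is now created as `v1.3`. Keep the explicit target, or state the resulting directory name in the README, so the patch and build steps that follow run in a known location.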
>>>> @@ -14,6 +14,7 @@ Apply the patches
>>>> patch -p0 -i metadata.patch
>>>> patch -p0 -i jaxws.patch
>>>> patch -p0 -i kernel.patch
>>>> + patch -p0 -i builder.patch
>>>>
>>>> Build Axis2 1.3
>>>> ---------------
>>>> @@ -32,6 +33,7 @@ Patch Information
>>>> metadata.patch - contains fixes for SEI with overloaded methods
>>>> jaxws.patch - contains fixes for AXIS2-3343 and RESTful
>>>> invocations
>>>> kernel.patch - contains fixes for AXIS2-4279
>>>> + builder.patch - contains fixes for AXIS2-4450
>>>>
>>>> Copy patched jar files to appropriate locations
>>>> -----------------------------------------------
>>>>
>>>> Modified:
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar
>>>>
>>>> URL:
>>>>
>>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar?rev=953250&r1=953249&r2=953250&view=diff
>>>>
>>>>
>>>> ==============================================================================
>>>>
>>>> Binary files - no diff available.
>>>>
>>>> Added:
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>>>> URL:
>>>>
>>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch?rev=953250&view=auto
>>>>
>>>>
>>>> ==============================================================================
>>>>
>>>> ---
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>>>> (added)
>>>> +++
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>>>> Thu Jun 10 08:45:57 2010
>>>> @@ -0,0 +1,132 @@
>>>> +Index: modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
>>>> +===================================================================
>>>> +--- modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
>>>> (revision 952555)
>>>> ++++ modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
>>>> (working copy)
>>>> +@@ -192,9 +192,9 @@
>>>> + public static StAXBuilder getPOXBuilder(InputStream inStream,
>>>> String charSetEnc)
>>>> + throws XMLStreamException {
>>>> + StAXBuilder builder;
>>>> +- XMLStreamReader xmlreader =
>>>> +- StAXUtils.createXMLStreamReader(inStream, charSetEnc);
>>>> +- builder = new StAXOMBuilder(xmlreader);
>>>> ++ XMLStreamReader xmlReader =
>>>> StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
>>>> ++ builder = new StAXOMBuilder(xmlReader);
>>>> ++ ((StAXOMBuilder) builder).setAllowDTDandPI(false);
>>>> + return builder;
>>>> + }
>>>> +
>>>> +@@ -374,7 +374,7 @@
>>>> + PushbackInputStream pis =
>>>> getPushbackInputStream(attachments.getSOAPPartInputStream());
>>>> + String actualCharSetEncoding = getCharSetEncoding(pis,
>>>> charSetEncoding);
>>>> +
>>>> +- streamReader = StAXUtils.createXMLStreamReader(pis,
>>>> actualCharSetEncoding);
>>>> ++ streamReader =
>>>> StAXUtils.createSecureXMLStreamReader(pis, actualCharSetEncoding);
>>>> + } catch (IOException e) {
>>>> + throw new XMLStreamException(e);
>>>> + }
>>>> +@@ -414,13 +414,16 @@
>>>> + XOPAwareStAXOMBuilder stAXOMBuilder = new
>>>> XOPAwareStAXOMBuilder(
>>>> + streamReader, attachments);
>>>> + builder = stAXOMBuilder;
>>>> ++ ((XOPAwareStAXOMBuilder)
>>>> builder).setAllowDTDandPI(false);
>>>> +
>>>> + } else if (attachments.getAttachmentSpecType().equals(
>>>> + MTOMConstants.SWA_TYPE)) {
>>>> + builder = new StAXOMBuilder(streamReader);
>>>> ++ ((XOPAwareStAXOMBuilder)
>>>> builder).setAllowDTDandPI(false);
>>>> + } else if (attachments.getAttachmentSpecType().equals(
>>>> + MTOMConstants.SWA_TYPE_12)) {
>>>> + builder = new StAXOMBuilder(streamReader);
>>>> ++ ((XOPAwareStAXOMBuilder)
>>>> builder).setAllowDTDandPI(false);
>>>> + }
>>>> + }
>>>> +
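Review bot: In the `SWA_TYPE` and `SWA_TYPE_12` branches, `builder` is assigned `new StAXOMBuilder(streamReader)` and then cast to `XOPAwareStAXOMBuilder`. A plain `StAXOMBuilder` is not an instance of that class, so the cast throws `ClassCastException` for every SwA message. Cast to `StAXOMBuilder` in those two branches, as the other hunks in this file do. In the first branch the cast is unnecessary because the local `stAXOMBuilder` is already typed, so the setter can be called on it directly.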
>>>> +@@ -531,8 +534,8 @@
>>>> + * @deprecated If some one really need this method, please shout.
>>>> + */
>>>> + public static StAXBuilder getBuilder(Reader in) throws
>>>> XMLStreamException {
>>>> +- XMLStreamReader xmlreader =
>>>> StAXUtils.createXMLStreamReader(in);
>>>> +- StAXBuilder builder = new StAXSOAPModelBuilder(xmlreader,
>>>> null);
>>>> ++ XMLStreamReader xmlReader =
>>>> StAXUtils.createSecureXMLStreamReader(in);
>>>> ++ StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader,
>>>> null);
>>>> + return builder;
>>>> + }
>>>> +
>>>> +@@ -544,8 +547,10 @@
>>>> + * @throws XMLStreamException
>>>> + */
>>>> + public static StAXBuilder getBuilder(InputStream inStream)
>>>> throws XMLStreamException {
>>>> +- XMLStreamReader xmlReader =
>>>> StAXUtils.createXMLStreamReader(inStream);
>>>> +- return new StAXOMBuilder(xmlReader);
>>>> ++ XMLStreamReader xmlReader =
>>>> StAXUtils.createSecureXMLStreamReader(inStream);
>>>> ++ StAXBuilder builder = new StAXOMBuilder(xmlReader);
>>>> ++ ((StAXOMBuilder) builder).setAllowDTDandPI(false);
>>>> ++ return builder;
>>>> + }
>>>> +
>>>> + /**
>>>> +@@ -558,7 +563,7 @@
>>>> + */
>>>> + public static StAXBuilder getBuilder(InputStream inStream,
>>>> String charSetEnc)
>>>> + throws XMLStreamException {
>>>> +- XMLStreamReader xmlReader =
>>>> StAXUtils.createXMLStreamReader(inStream, charSetEnc);
>>>> ++ XMLStreamReader xmlReader =
>>>> StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
>>>> + try {
>>>> + StAXBuilder builder = new
>>>> StAXSOAPModelBuilder(xmlReader);
>>>> + return builder;
>>>> +@@ -580,7 +585,7 @@
>>>> + * @throws XMLStreamException
>>>> + */
>>>> + public static StAXBuilder getSOAPBuilder(InputStream inStream)
>>>> throws XMLStreamException {
>>>> +- XMLStreamReader xmlReader =
>>>> StAXUtils.createXMLStreamReader(inStream);
>>>> ++ XMLStreamReader xmlReader =
>>>> StAXUtils.createSecureXMLStreamReader(inStream);
>>>> + try {
>>>> + StAXBuilder builder = new
>>>> StAXSOAPModelBuilder(xmlReader);
>>>> + return builder;
>>>> +@@ -604,7 +609,7 @@
>>>> + */
>>>> + public static StAXBuilder getSOAPBuilder(InputStream inStream,
>>>> String charSetEnc)
>>>> + throws XMLStreamException {
>>>> +- XMLStreamReader xmlReader =
>>>> StAXUtils.createXMLStreamReader(inStream, charSetEnc);
>>>> ++ XMLStreamReader xmlReader =
>>>> StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
>>>> + try {
>>>> + StAXBuilder builder = new
>>>> StAXSOAPModelBuilder(xmlReader);
>>>> + return builder;
>>>> +@@ -621,8 +626,9 @@
>>>> + public static StAXBuilder getBuilder(SOAPFactory soapFactory,
>>>> InputStream in, String charSetEnc)
>>>> + throws XMLStreamException {
>>>> + StAXBuilder builder;
>>>> +- XMLStreamReader xmlreader =
>>>> StAXUtils.createXMLStreamReader(in, charSetEnc);
>>>> +- builder = new StAXOMBuilder(soapFactory, xmlreader);
>>>> ++ XMLStreamReader xmlReader =
>>>> StAXUtils.createSecureXMLStreamReader(in, charSetEnc);
>>>> ++ builder = new StAXOMBuilder(soapFactory, xmlReader);
>>>> ++ ((StAXOMBuilder) builder).setAllowDTDandPI(false);
>>>> + return builder;
>>>> + }
>>>> +
>>>> +Index: modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
>>>> +===================================================================
>>>> +--- modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
>>>> (revision 952555)
>>>> ++++ modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
>>>> (working copy)
>>>> +@@ -51,7 +51,7 @@
>>>> + String actualCharSetEncoding =
>>>> BuilderUtil.getCharSetEncoding(pis, charSetEncoding);
>>>> +
>>>> + // Get the XMLStreamReader for this input stream
>>>> +- streamReader = StAXUtils.createXMLStreamReader(pis,
>>>> actualCharSetEncoding);
>>>> ++ streamReader= StAXUtils.createSecureXMLStreamReader(pis,
>>>> actualCharSetEncoding);
>>>> + StAXBuilder builder = new
>>>> MTOMStAXSOAPModelBuilder(streamReader,
>>>> + attachments);
>>>> + SOAPEnvelope envelope = (SOAPEnvelope)
>>>> builder.getDocumentElement();
>>>> +Index: modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
>>>> +===================================================================
>>>> +--- modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
>>>> (revision 952555)
>>>> ++++ modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
>>>> (working copy)
>>>> +@@ -48,7 +48,7 @@
>>>> + String actualCharSetEncoding =
>>>> BuilderUtil.getCharSetEncoding(pis, charSetEncoding);
>>>> +
>>>> + // Get the XMLStreamReader for this input stream
>>>> +- streamReader = StAXUtils.createXMLStreamReader(pis,
>>>> actualCharSetEncoding);
>>>> ++ streamReader =
>>>> StAXUtils.createSecureXMLStreamReader(pis, actualCharSetEncoding);
>>>> +
>>>> + StAXBuilder builder = new
>>>> StAXSOAPModelBuilder(streamReader);
>>>> + SOAPEnvelope envelope = (SOAPEnvelope)
>>>> builder.getDocumentElement();
>>>>
>>>> Added:
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>>>> URL:
>>>>
>>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch?rev=953250&view=auto
>>>>
>>>>
>>>> ==============================================================================
>>>>
>>>> ---
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>>>> (added)
>>>> +++
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>>>> Thu Jun 10 08:45:57 2010
>>>> @@ -0,0 +1,267 @@
>>>> +Index:
>>>>
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
>>>>
>>>> +===================================================================
>>>> +---
>>>>
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
>>>> (revision 949978)
>>>> ++++
>>>>
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
>>>> (working copy)
>>>> +@@ -52,6 +52,7 @@
>>>> + private static final Log log =
>>>> LogFactory.getLog(StAXOMBuilder.class);
>>>> + private boolean doTrace = log.isDebugEnabled();
>>>> + private static int nsCount = 0;
>>>> ++ boolean allowDTDandPI = true;
>>>> +
>>>> + /**
>>>> + * Constructor StAXOMBuilder.
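Review bot: The new field `boolean allowDTDandPI = true;` is package-private and defaults to permitting DTDs and processing instructions, so a builder stays permissive unless its caller remembers to call `setAllowDTDandPI(false)`. Declare it `private`, since the accessor pair added further down in this file already covers access, and document why the default is `true`.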
>>>> +@@ -309,6 +310,9 @@
>>>> + * @throws OMException
>>>> + */
>>>> + protected OMNode createDTD() throws OMException {
>>>> ++ if (!allowDTDandPI) {
>>>> ++ throw new OMException("Inbound message MUST NOT contain
>>>> a Document Type Declaration(DTD)");
>>>> ++ }
>>>> + if (!parser.hasText())
>>>> + return null;
>>>> + lastNode = omfactory.createOMDocType(document,
>>>> parser.getText());
>>>> +@@ -322,6 +326,9 @@
>>>> + * @throws OMException
>>>> + */
>>>> + protected OMNode createPI() throws OMException {
>>>> ++ if (!allowDTDandPI) {
>>>> ++ throw new OMException("Inbound message MUST NOT contain
>>>> Processing Instructions(PI)");
>>>> ++ }
>>>> + OMNode node;
>>>> + String target = parser.getPITarget();
>>>> + String data = parser.getPIData();
>>>> +@@ -337,6 +344,20 @@
>>>> + return node;
>>>> + }
>>>> +
>>>> ++
>>>> ++ /**
>>>> ++ * @return true if Document Type Definitions and Processing
>>>> Instructions are allowed
>>>> ++ */
>>>> ++ public boolean isAllowDTDandPI() {
>>>> ++ return allowDTDandPI;
>>>> ++ }
>>>> ++
>>>> ++ /**
>>>> ++ * @param allowDTDandPI boolean
>>>> ++ */
>>>> ++ public void setAllowDTDandPI(boolean allowDTDandPI) {
>>>> ++ this.allowDTDandPI = allowDTDandPI;
>>>> ++ }
>>>> + protected void endElement() {
>>>> + if (lastNode.isComplete()) {
>>>> + OMNodeEx parent = (OMNodeEx) lastNode.getParent();
>>>> +Index:
>>>>
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
>>>>
>>>> +===================================================================
>>>> +---
>>>>
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
>>>> (revision 0)
>>>> ++++
>>>>
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
>>>> (revision 0)
>>>> +@@ -0,0 +1,47 @@
>>>> ++/*
>>>> ++ * Licensed to the Apache Software Foundation (ASF) under one
>>>> ++ * or more contributor license agreements. See the NOTICE file
>>>> ++ * distributed with this work for additional information
>>>> ++ * regarding copyright ownership. The ASF licenses this file
>>>> ++ * to you under the Apache License, Version 2.0 (the
>>>> ++ * "License"); you may not use this file except in compliance
>>>> ++ * with the License. You may obtain a copy of the License at
>>>> ++ *
>>>> ++ * http://www.apache.org/licenses/LICENSE-2.0
>>>> ++ *
>>>> ++ * Unless required by applicable law or agreed to in writing,
>>>> ++ * software distributed under the License is distributed on an
>>>> ++ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>>>> ++ * KIND, either express or implied. See the License for the
>>>> ++ * specific language governing permissions and limitations
>>>> ++ * under the License.
>>>> ++ */
>>>> ++package org.apache.axiom.om.util;
>>>> ++
>>>> ++import javax.xml.stream.XMLResolver;
>>>> ++import javax.xml.stream.XMLStreamException;
>>>> ++
>>>> ++import org.apache.commons.logging.Log;
>>>> ++import org.apache.commons.logging.LogFactory;
>>>> ++
>>>> ++/**
>>>> ++ * This XMLResolver is used whenever a secure XMLStreamReader
>>>> ++ * is needed. Basically it thows an exception if an attempt
>>>> ++ * is made to read an entity.
>>>> ++ */
>>>> ++public final class SecureXMLResolver implements XMLResolver {
>>>> ++
>>>> ++ private static Log log =
>>>> LogFactory.getLog(SecureXMLResolver.class);
>>>> ++ public Object resolveEntity(String arg0, String arg1, String arg2,
>>>> ++ String arg3) throws XMLStreamException {
>>>> ++ // Note Scheu:
>>>> ++ // Do not expose the name of the entity that was attempted
>>>> to be
>>>> ++ // read as this will reveal secure information to the client.
>>>> ++ if (log.isDebugEnabled()) {
>>>> ++ log.debug("resolveEntity is disabled because this is a
>>>> secure XMLStreamReader(" +
>>>> ++ arg0 + ") (" + arg1 + ") (" + arg2 + ") (" +
>>>> arg3 + ")");
>>>> ++ }
>>>> ++ throw new XMLStreamException("Reading external entities is
>>>> disabled");
>>>> ++ }
>>>> ++
>>>> ++}
>>>> +\ No newline at end of file
>>>> +
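Review bot: `resolveEntity` keeps the placeholder parameter names `arg0` to `arg3`, which hides what the debug statement writes to the log. Name them after the `XMLResolver` interface parameters (`publicID`, `systemID`, `baseURI`, `namespace`) so a reader can see that identifiers taken from the inbound document are being logged. The `log` field should be `private static final`, the class comment has a typo ("thows"), and the file has no trailing newline.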
>>>> +Property changes on:
>>>>
>>>> modules\axiom-api\src\main\java\org\apache\axiom\om\util\SecureXMLResolver.java
>>>>
>>>> +___________________________________________________________________
>>>> +Name: svn:mime-type
>>>> + + text/plain
>>>> +Name: svn:keywords
>>>> + + Date Revision
>>>> +Name: svn:eol-style
>>>> + + native
>>>> +
>>>> +Index:
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
>>>> +===================================================================
>>>> +---
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
>>>> (revision 949978)
>>>> ++++
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
>>>> (working copy)
>>>> +@@ -113,6 +113,39 @@
>>>> + }
>>>> + });
>>>> +
>>>> ++ private static final Pool secureXmlInputFactoryPool =
>>>> ++ new Pool(new ObjectCreator[] { new ObjectCreator() {
>>>> ++ public Object newObject() {
>>>> ++ return AccessController.doPrivileged(new PrivilegedAction() {
>>>> ++ public Object run() {
>>>> ++ // return
>>>> XMLInputFactory.newInstance("javax.xml.stream.XMLInputFactory",
>>>> StAXUtils.class.getClassLoader());
>>>> ++ // TODO: Refactor this code when the FactoryFinder.class in
>>>> XLXP fixed and used instead of the Axis2-bundle version
>>>> ++ // Try to simulate the above to create XMLInputFactory using
>>>> the specific classloader
>>>> ++ // This it not quite the same since it will modify the
>>>> classloader for all classes
>>>> ++ Thread currentThread = Thread.currentThread();
>>>> ++ ClassLoader savedClassLoader =
>>>> currentThread.getContextClassLoader();
>>>> ++ XMLInputFactory factory = null;
>>>> ++ try {
>>>> ++
>>>> currentThread.setContextClassLoader(StAXUtils.class.getClassLoader());
>>>> ++ factory = XMLInputFactory.newInstance();
>>>> ++
>>>> ++ // The following setting disabled external entities...which
>>>> is a requirement
>>>> ++ // for network xml reading.
>>>> ++ setSecureProperties(factory);
>>>> ++ } finally {
>>>> ++ currentThread.setContextClassLoader(savedClassLoader);
>>>> ++ }
>>>> ++ return factory;
>>>> ++ }
>>>> ++ });
>>>> ++ }
>>>> ++ }, new ObjectCreator() {
>>>> ++ public Object newObject() {
>>>> ++ return XMLInputFactory.newInstance();
>>>> ++ }
>>>> ++ } });
>>>> ++
>>>> ++
>>>> + private static final Pool xmlOutputFactoryPool = new Pool(new
>>>> ObjectCreator[] {
>>>> + new ObjectCreator() {
>>>> + public Object newObject() {
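Review bot: The second `ObjectCreator` in `secureXmlInputFactoryPool` returns `XMLInputFactory.newInstance()` without calling `setSecureProperties(factory)`. Whenever the pool falls back to that creator, the pool named "secure" hands out a factory whose external-entity and DTD settings are left at the implementation defaults. Apply `setSecureProperties` in the fallback creator as well.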
>>>> +@@ -144,6 +177,106 @@
>>>> + }
>>>> + }
>>>> + });
>>>> ++
>>>> ++ /**
>>>> ++ * Gets an XMLInputFactory instance from pool.
>>>> ++ *
>>>> ++ * @return an XMLInputFactory instance.
>>>> ++ */
>>>> ++ private static XMLInputFactory getSecureXMLInputFactory() {
>>>> ++ return (XMLInputFactory) secureXmlInputFactoryPool.getInstance();
>>>> ++ }
>>>> ++
>>>> ++ /**
>>>> ++ * Returns an XMLInputFactory instance for reuse.
>>>> ++ *
>>>> ++ * @param factory An XMLInputFactory instance that is available
>>>> for reuse
>>>> ++ */
>>>> ++ private static void releaseSecureXMLInputFactory(XMLInputFactory
>>>> factory) {
>>>> ++ secureXmlInputFactoryPool.releaseInstance(factory);
>>>> ++ }
>>>> ++
>>>> ++ /**
>>>> ++ * Create an XMLStreamReader that will be used to read a stream for
>>>> ++ * an incoming message. We need to use more restrictive "secure"
>>>> properties
>>>> ++ * to ensure against attacks.
>>>> ++ * @param in
>>>> ++ * @param encoding
>>>> ++ * @return
>>>> ++ * @throws XMLStreamException
>>>> ++ */
>>>> ++ public static XMLStreamReader
>>>> createSecureXMLStreamReader(InputStream in, String encoding)
>>>> ++ throws XMLStreamException {
>>>> ++ XMLInputFactory inputFactory = getSecureXMLInputFactory();
>>>> ++ try {
>>>> ++ XMLStreamReader reader = inputFactory.createXMLStreamReader(in,
>>>> encoding);
>>>> ++ if (isDebugEnabled) {
>>>> ++ log.debug("XMLStreamReader is " + reader.getClass().getName());
>>>> ++ }
>>>> ++ return reader;
>>>> ++ } finally {
>>>> ++ releaseSecureXMLInputFactory(inputFactory);
>>>> ++ }
>>>> ++ }
>>>> ++
>>>> ++ /**
>>>> ++ * Create an XMLStreamReader that will be used to read a
>>>> stream for
>>>> ++ * an incoming message. We need to use more restrictive
>>>> "secure" properties
>>>> ++ * to ensure against attacks.
>>>> ++ * @param in
>>>> ++ * @return
>>>> ++ * @throws XMLStreamException
>>>> ++ */
>>>> ++ public static XMLStreamReader
>>>> createSecureXMLStreamReader(InputStream in) throws XMLStreamException {
>>>> ++ XMLInputFactory inputFactory = getSecureXMLInputFactory();
>>>> ++ try {
>>>> ++ XMLStreamReader reader =
>>>> inputFactory.createXMLStreamReader(in);
>>>> ++ if (isDebugEnabled) {
>>>> ++ log.debug("XMLStreamReader is " +
>>>> reader.getClass().getName());
>>>> ++ }
>>>> ++ return reader;
>>>> ++ } finally {
>>>> ++ releaseSecureXMLInputFactory(inputFactory);
>>>> ++ }
>>>> ++ }
>>>> ++
>>>> ++ /**
>>>> ++ * Create an XMLStreamReader that will be used to read a
>>>> stream for
>>>> ++ * an incoming message. We need to use more restrictive
>>>> "secure" properties
>>>> ++ * to ensure against attacks.
>>>> ++ *
>>>> ++ * @param in
>>>> ++ * @return
>>>> ++ * @throws XMLStreamException
>>>> ++ */
>>>> ++ public static XMLStreamReader
>>>> createSecureXMLStreamReader(Reader in) throws XMLStreamException {
>>>> ++ XMLInputFactory inputFactory = getXMLInputFactory();
>>>> ++ try {
>>>> ++ XMLStreamReader reader =
>>>> inputFactory.createXMLStreamReader(in);
>>>> ++ if (isDebugEnabled) {
>>>> ++ log.debug("XMLStreamReader is " +
>>>> reader.getClass().getName());
>>>> ++ }
>>>> ++ return reader;
>>>> ++ } finally {
>>>> ++ releaseSecureXMLInputFactory(inputFactory);
>>>> ++ }
>>>> ++ }
>>>> ++
>>>> ++ private static void setSecureProperties(XMLInputFactory f) {
>>>> ++ // The goal is to prevent tampering of the message
>>>> ++ // by external entities or denial of service
>>>> ++ // replacing entities.
>>>> ++ // Setting the following properties ensures this
>>>> goal
>>>> ++
>>>> f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES,
>>>> ++ Boolean.FALSE);
>>>> ++
>>>> f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES,
>>>> ++ Boolean.FALSE);
>>>> ++ f.setProperty(XMLInputFactory.SUPPORT_DTD,
>>>> ++ Boolean.FALSE);
>>>> ++ f.setXMLResolver(new SecureXMLResolver());
>>>> ++ }
>>>> ++
>>>> ++
>>>> +
>>>> +
>>>> + private static Log log = LogFactory.getLog(StAXUtils.class);
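Review bot: `createSecureXMLStreamReader(Reader in)` obtains its factory with `getXMLInputFactory()` rather than `getSecureXMLInputFactory()`, so the reader it returns has none of the restrictions set in `setSecureProperties`. Its `finally` block then calls `releaseSecureXMLInputFactory(inputFactory)`, which puts that unhardened factory into the secure pool, where the `InputStream` overloads can pick it up later. Use `getSecureXMLInputFactory()` here, as the two `InputStream` overloads do. The empty `@param` and `@return` tags on all three overloads should also be filled in or removed.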
>>>>
>>>> Added:
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>>>
>>>> URL:
>>>>
>>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar?rev=953250&view=auto
>>>>
>>>>
>>>> ==============================================================================
>>>>
>>>> Binary file - no diff available.
>>>>
>>>> Propchange:
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>>
>>>> svn:mime-type = application/java-archive
>>>>
>>>> Added: geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>>> URL:
>>>>
>>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt?rev=953250&view=auto
>>>>
>>>>
>>>> ==============================================================================
>>>>
>>>> --- geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>>> (added)
>>>> +++ geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>>> Thu Jun 10 08:45:57 2010
>>>> @@ -0,0 +1,30 @@
>>>> +Private Build of Axiom 1.2.5 for Geronimo.
>>>> +
>>>> +How to build Axiom 1.2.5
>>>> +---------------------------------
>>>> + Checkout the Axiom 1.2.5 tag
>>>> + svn co
>>>> http://svn.apache.org/repos/asf/webservices/commons/tags/axiom/1_2_5
>>>> +
>>>> +
>>>> +Apply the patch
>>>> +-----------------
>>>> + cd 1_2_5
>>>> + patch -p0 -i axiom_api.patch
>>>> +
>>>> +Build Axiom 1.2.5
>>>> +---------------
>>>> + cd 1_2_5
>>>> + mvn install
>>>> +
>>>> +Notes:
>>>> + - Use Sun 1.5.x and Maven 2.0.9 build.
>>>> +
>>>> +
>>>> +Patch Information
>>>> +-----------------
>>>> + axiom_api.patch - contains fixes for AXIS2-4450
>>>> +
>>>> +Copy patched jar files to appropriate locations
>>>> +-----------------------------------------------
>>>> + cd 1_2_5
>>>> + cp
>>>>
>>>> modules/axiom-api/target/axiom-api-1.2.5.jar<geronimo-root>/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>>>
>>>> \ No newline at end of file
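Review bot: In the final `cp` step there is no space between the source `modules/axiom-api/target/axiom-api-1.2.5.jar` and the `<geronimo-root>/repository/...` destination, so the command cannot be run as written. Separate the two arguments, and end the file with a newline.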
>>>>
>>>> Propchange:
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>>>
>>>> ------------------------------------------------------------------------------
>>>>
>>>> svn:eol-style = native
>>>>
>>>> Propchange:
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>>>
>>>> ------------------------------------------------------------------------------
>>>>
>>>> svn:keywords = Date Revision
>>>>
>>>> Propchange:
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>>>
>>>> ------------------------------------------------------------------------------
>>>>
>>>> svn:mime-type = text/plain
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>