geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ashish Jain <ashja...@gmail.com>
Subject Re: svn commit: r953250 - in /geronimo/server/branches/2.1/repository/org/apache: axis2/ axis2/axis2-kernel/1.3-G20090406/ ws/ ws/commons/ ws/commons/axiom/ ws/commons/axiom/axiom-api/ ws/commons/axiom/axiom-api/1.2.5/
Date Thu, 10 Jun 2010 14:31:22 GMT
Sure rick I will modify the timestamp for the jars to new values.

On Thu, Jun 10, 2010 at 7:39 PM, Rick McGuire <rickmcg@gmail.com> wrote:

> On 6/10/2010 9:53 AM, Donald Woods wrote:
>
>> But we're going to instruct existing 2.1.x users to copy it over the
>> existing jars in the server repository, right?  Or are we going to
>> instruct them to create an artifact-alias entry to map all usage to the
>> new one (which may not work in all cases....)?
>>
>>
>
> Using artifact-alias has been sort of an assumption in all of the
> discussions I've seen.  Giving two versions of a jar the same name seems
> like a recipe for disaster.
>
> Rick
>
>
>
>> -Donald
>>
>>
>> On 6/10/10 9:10 AM, Rick McGuire wrote:
>>
>>
>>> Ashish,
>>>
>>> I think there are a couple of changes that need to be made for this
>>> update:
>>>
>>> 1)  Since we're likely going to be making the Axis2 jar available for
>>> download before we have the release complete, the timestamp in the jar
>>> name should be updated so the different versions can be easily
>>> distinguished.
>>> 2)  The checked in axiom jar should also carry a timestamp modifier
>>> (e.g., axiom-api-1.2.5-20100610).
>>>
>>> Rick
>>>
>>> On 6/10/2010 4:45 AM, ashishjain@apache.org wrote:
>>>
>>>
>>>> Author: ashishjain
>>>> Date: Thu Jun 10 08:45:57 2010
>>>> New Revision: 953250
>>>>
>>>> URL: http://svn.apache.org/viewvc?rev=953250&view=rev
>>>> Log:
>>>> GERONIMO-5379 Fixes for geronimo custom AXIS2 for 2.1 branch
>>>>
>>>> Added:
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>>>>      geronimo/server/branches/2.1/repository/org/apache/ws/
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>>>>      geronimo/server/branches/2.1/repository/org/apache/ws/commons/
>>>>
>>>>  geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/
>>>>
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/
>>>>
>>>>
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/
>>>>
>>>>
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>>> (with props)
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>>> (with props)
>>>> Modified:
>>>>      geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>>>
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar
>>>>
>>>>
>>>> Modified:
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>>> URL:
>>>>
>>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT?rev=953250&r1=953249&r2=953250&view=diff
>>>>
>>>>
>>>> ==============================================================================
>>>>
>>>> ---
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>>> (original)
>>>> +++
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>>> Thu Jun 10 08:45:57 2010
>>>> @@ -3,7 +3,7 @@ Private Build of Axis2 1.3 for Geronimo.
>>>>   How to build Axis2 1.3-G20090406:
>>>>   ---------------------------------
>>>>    Checkout the Axis2 1.3 tag
>>>> -   svn co
>>>> http://svn.apache.org/repos/asf/webservices/axis2/tags/java/v1.3/
>>>> axis2-1.3
>>>> +   svn co
>>>> http://svn.apache.org/repos/asf/axis/axis2/java/core/tags/java/v1.3
>>>>
>>>>
>>>>   Apply the patches
>>>> @@ -14,6 +14,7 @@ Apply the patches
>>>>    patch -p0 -i metadata.patch
>>>>    patch -p0 -i jaxws.patch
>>>>    patch -p0 -i kernel.patch
>>>> + patch -p0 -i builder.patch
>>>>
>>>>   Build Axis2 1.3
>>>>   ---------------
>>>> @@ -32,6 +33,7 @@ Patch Information
>>>>    metadata.patch - contains fixes for SEI with overloaded methods
>>>>    jaxws.patch    - contains fixes for AXIS2-3343 and RESTful
>>>> invocations
>>>>    kernel.patch   - contains fixes for AXIS2-4279
>>>> + builder.patch  - contains fixes for AXIS2-4450
>>>>
>>>>   Copy patched jar files to appropriate locations
>>>>   -----------------------------------------------
>>>>
>>>> Modified:
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar
>>>>
>>>> URL:
>>>>
>>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar?rev=953250&r1=953249&r2=953250&view=diff
>>>>
>>>>
>>>> ==============================================================================
>>>>
>>>> Binary files - no diff available.
>>>>
>>>> Added:
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>>>> URL:
>>>>
>>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch?rev=953250&view=auto
>>>>
>>>>
>>>> ==============================================================================
>>>>
>>>> ---
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>>>> (added)
>>>> +++
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>>>> Thu Jun 10 08:45:57 2010
>>>> @@ -0,0 +1,132 @@
>>>> +Index: modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
>>>> +===================================================================
>>>> +--- modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
>>>> (revision 952555)
>>>> ++++ modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
>>>> (working copy)
>>>> +@@ -192,9 +192,9 @@
>>>> +     public static StAXBuilder getPOXBuilder(InputStream inStream,
>>>> String charSetEnc)
>>>> +             throws XMLStreamException {
>>>> +         StAXBuilder builder;
>>>> +-        XMLStreamReader xmlreader =
>>>> +-                StAXUtils.createXMLStreamReader(inStream, charSetEnc);
>>>> +-        builder = new StAXOMBuilder(xmlreader);
>>>> ++        XMLStreamReader xmlReader =
>>>> StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
>>>> ++        builder = new StAXOMBuilder(xmlReader);
>>>> ++        ((StAXOMBuilder) builder).setAllowDTDandPI(false);
>>>> +         return builder;
>>>> +     }
>>>> +
>>>> +@@ -374,7 +374,7 @@
>>>> +             PushbackInputStream pis =
>>>> getPushbackInputStream(attachments.getSOAPPartInputStream());
>>>> +             String actualCharSetEncoding = getCharSetEncoding(pis,
>>>> charSetEncoding);
>>>> +
>>>> +-            streamReader = StAXUtils.createXMLStreamReader(pis,
>>>> actualCharSetEncoding);
>>>> ++            streamReader =
>>>> StAXUtils.createSecureXMLStreamReader(pis, actualCharSetEncoding);
>>>> +         } catch (IOException e) {
>>>> +             throw new XMLStreamException(e);
>>>> +         }
>>>> +@@ -414,13 +414,16 @@
>>>> +                 XOPAwareStAXOMBuilder stAXOMBuilder = new
>>>> XOPAwareStAXOMBuilder(
>>>> +                         streamReader, attachments);
>>>> +                 builder = stAXOMBuilder;
>>>> ++                ((XOPAwareStAXOMBuilder)
>>>> builder).setAllowDTDandPI(false);
>>>> +
>>>> +             } else if (attachments.getAttachmentSpecType().equals(
>>>> +                     MTOMConstants.SWA_TYPE)) {
>>>> +                 builder = new StAXOMBuilder(streamReader);
>>>> ++                ((XOPAwareStAXOMBuilder)
>>>> builder).setAllowDTDandPI(false);
>>>> +             } else if (attachments.getAttachmentSpecType().equals(
>>>> +                     MTOMConstants.SWA_TYPE_12)) {
>>>> +                 builder = new StAXOMBuilder(streamReader);
>>>> ++                ((XOPAwareStAXOMBuilder)
>>>> builder).setAllowDTDandPI(false);
>>>> +             }
>>>> +         }
>>>> +
>>>> +@@ -531,8 +534,8 @@
>>>> +      * @deprecated If some one really need this method, please shout.
>>>> +      */
>>>> +     public static StAXBuilder getBuilder(Reader in) throws
>>>> XMLStreamException {
>>>> +-        XMLStreamReader xmlreader =
>>>> StAXUtils.createXMLStreamReader(in);
>>>> +-        StAXBuilder builder = new StAXSOAPModelBuilder(xmlreader,
>>>> null);
>>>> ++        XMLStreamReader xmlReader =
>>>> StAXUtils.createSecureXMLStreamReader(in);
>>>> ++        StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader,
>>>> null);
>>>> +         return builder;
>>>> +     }
>>>> +
>>>> +@@ -544,8 +547,10 @@
>>>> +      * @throws XMLStreamException
>>>> +      */
>>>> +     public static StAXBuilder getBuilder(InputStream inStream)
>>>> throws XMLStreamException {
>>>> +-        XMLStreamReader xmlReader =
>>>> StAXUtils.createXMLStreamReader(inStream);
>>>> +-        return new StAXOMBuilder(xmlReader);
>>>> ++         XMLStreamReader xmlReader =
>>>> StAXUtils.createSecureXMLStreamReader(inStream);
>>>> ++         StAXBuilder builder = new StAXOMBuilder(xmlReader);
>>>> ++         ((StAXOMBuilder) builder).setAllowDTDandPI(false);
>>>> ++         return builder;
>>>> +     }
>>>> +
>>>> +     /**
>>>> +@@ -558,7 +563,7 @@
>>>> +      */
>>>> +     public static StAXBuilder getBuilder(InputStream inStream,
>>>> String charSetEnc)
>>>> +             throws XMLStreamException {
>>>> +-        XMLStreamReader xmlReader =
>>>> StAXUtils.createXMLStreamReader(inStream, charSetEnc);
>>>> ++        XMLStreamReader xmlReader =
>>>> StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
>>>> +         try {
>>>> +             StAXBuilder builder =  new
>>>> StAXSOAPModelBuilder(xmlReader);
>>>> +             return builder;
>>>> +@@ -580,7 +585,7 @@
>>>> +      * @throws XMLStreamException
>>>> +      */
>>>> +     public static StAXBuilder getSOAPBuilder(InputStream inStream)
>>>> throws XMLStreamException {
>>>> +-        XMLStreamReader xmlReader =
>>>> StAXUtils.createXMLStreamReader(inStream);
>>>> ++            XMLStreamReader xmlReader =
>>>> StAXUtils.createSecureXMLStreamReader(inStream);
>>>> +         try {
>>>> +             StAXBuilder builder =  new
>>>> StAXSOAPModelBuilder(xmlReader);
>>>> +             return builder;
>>>> +@@ -604,7 +609,7 @@
>>>> +      */
>>>> +     public static StAXBuilder getSOAPBuilder(InputStream inStream,
>>>> String charSetEnc)
>>>> +             throws XMLStreamException {
>>>> +-        XMLStreamReader xmlReader =
>>>> StAXUtils.createXMLStreamReader(inStream, charSetEnc);
>>>> ++        XMLStreamReader xmlReader =
>>>> StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
>>>> +         try {
>>>> +             StAXBuilder builder =  new
>>>> StAXSOAPModelBuilder(xmlReader);
>>>> +             return builder;
>>>> +@@ -621,8 +626,9 @@
>>>> +     public static StAXBuilder getBuilder(SOAPFactory soapFactory,
>>>> InputStream in, String charSetEnc)
>>>> +             throws XMLStreamException {
>>>> +         StAXBuilder builder;
>>>> +-        XMLStreamReader xmlreader =
>>>> StAXUtils.createXMLStreamReader(in, charSetEnc);
>>>> +-        builder = new StAXOMBuilder(soapFactory, xmlreader);
>>>> ++        XMLStreamReader xmlReader =
>>>> StAXUtils.createSecureXMLStreamReader(in, charSetEnc);
>>>> ++        builder = new StAXOMBuilder(soapFactory, xmlReader);
>>>> ++                ((StAXOMBuilder) builder).setAllowDTDandPI(false);
>>>> +         return builder;
>>>> +     }
>>>> +
>>>> +Index: modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
>>>> +===================================================================
>>>> +--- modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
>>>> (revision 952555)
>>>> ++++ modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
>>>> (working copy)
>>>> +@@ -51,7 +51,7 @@
>>>> +             String actualCharSetEncoding =
>>>> BuilderUtil.getCharSetEncoding(pis, charSetEncoding);
>>>> +
>>>> +             // Get the XMLStreamReader for this input stream
>>>> +-            streamReader = StAXUtils.createXMLStreamReader(pis,
>>>> actualCharSetEncoding);
>>>> ++            streamReader= StAXUtils.createSecureXMLStreamReader(pis,
>>>> actualCharSetEncoding);
>>>> +             StAXBuilder builder = new
>>>> MTOMStAXSOAPModelBuilder(streamReader,
>>>> +                     attachments);
>>>> +             SOAPEnvelope envelope = (SOAPEnvelope)
>>>> builder.getDocumentElement();
>>>> +Index: modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
>>>> +===================================================================
>>>> +--- modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
>>>> (revision 952555)
>>>> ++++ modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
>>>> (working copy)
>>>> +@@ -48,7 +48,7 @@
>>>> +             String actualCharSetEncoding =
>>>> BuilderUtil.getCharSetEncoding(pis, charSetEncoding);
>>>> +
>>>> +             // Get the XMLStreamReader for this input stream
>>>> +-            streamReader = StAXUtils.createXMLStreamReader(pis,
>>>> actualCharSetEncoding);
>>>> ++            streamReader =
>>>> StAXUtils.createSecureXMLStreamReader(pis, actualCharSetEncoding);
>>>> +
>>>> +             StAXBuilder builder = new
>>>> StAXSOAPModelBuilder(streamReader);
>>>> +             SOAPEnvelope envelope = (SOAPEnvelope)
>>>> builder.getDocumentElement();
>>>>
>>>> Added:
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>>>> URL:
>>>>
>>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch?rev=953250&view=auto
>>>>
>>>>
>>>> ==============================================================================
>>>>
>>>> ---
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>>>> (added)
>>>> +++
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>>>> Thu Jun 10 08:45:57 2010
>>>> @@ -0,0 +1,267 @@
>>>> +Index:
>>>>
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
>>>>
>>>> +===================================================================
>>>> +---
>>>>
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
>>>> (revision 949978)
>>>> ++++
>>>>
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
>>>> (working copy)
>>>> +@@ -52,6 +52,7 @@
>>>> +     private static final Log log =
>>>> LogFactory.getLog(StAXOMBuilder.class);
>>>> +     private boolean doTrace = log.isDebugEnabled();
>>>> +     private static int nsCount = 0;
>>>> ++    boolean allowDTDandPI = true;
>>>> +
>>>> +     /**
>>>> +      * Constructor StAXOMBuilder.
>>>> +@@ -309,6 +310,9 @@
>>>> +      * @throws OMException
>>>> +      */
>>>> +     protected OMNode createDTD() throws OMException {
>>>> ++         if (!allowDTDandPI) {
>>>> ++             throw new OMException("Inbound message MUST NOT contain
>>>> a Document Type Declaration(DTD)");
>>>> ++             }
>>>> +         if (!parser.hasText())
>>>> +             return null;
>>>> +         lastNode = omfactory.createOMDocType(document,
>>>> parser.getText());
>>>> +@@ -322,6 +326,9 @@
>>>> +      * @throws OMException
>>>> +      */
>>>> +     protected OMNode createPI() throws OMException {
>>>> ++        if (!allowDTDandPI) {
>>>> ++            throw new OMException("Inbound message MUST NOT contain
>>>> Processing Instructions(PI)");
>>>> ++            }
>>>> +         OMNode node;
>>>> +         String target = parser.getPITarget();
>>>> +         String data = parser.getPIData();
>>>> +@@ -337,6 +344,20 @@
>>>> +         return node;
>>>> +     }
>>>> +
>>>> ++
>>>> ++    /**
>>>> ++    * @return true if Document Type Definitions and Processing
>>>> Instructions are allowed
>>>> ++    */
>>>> ++    public boolean isAllowDTDandPI() {
>>>> ++    return allowDTDandPI;
>>>> ++    }
>>>> ++
>>>> ++    /**
>>>> ++    * @param allowDTDandPI boolean
>>>> ++    */
>>>> ++    public void setAllowDTDandPI(boolean allowDTDandPI) {
>>>> ++    this.allowDTDandPI = allowDTDandPI;
>>>> ++    }
>>>> +     protected void endElement() {
>>>> +         if (lastNode.isComplete()) {
>>>> +             OMNodeEx parent = (OMNodeEx) lastNode.getParent();
>>>> +Index:
>>>>
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
>>>>
>>>> +===================================================================
>>>> +---
>>>>
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
>>>> (revision 0)
>>>> ++++
>>>>
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
>>>> (revision 0)
>>>> +@@ -0,0 +1,47 @@
>>>> ++/*
>>>> ++ * Licensed to the Apache Software Foundation (ASF) under one
>>>> ++ * or more contributor license agreements. See the NOTICE file
>>>> ++ * distributed with this work for additional information
>>>> ++ * regarding copyright ownership. The ASF licenses this file
>>>> ++ * to you under the Apache License, Version 2.0 (the
>>>> ++ * "License"); you may not use this file except in compliance
>>>> ++ * with the License. You may obtain a copy of the License at
>>>> ++ *
>>>> ++ * http://www.apache.org/licenses/LICENSE-2.0
>>>> ++ *
>>>> ++ * Unless required by applicable law or agreed to in writing,
>>>> ++ * software distributed under the License is distributed on an
>>>> ++ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>>>> ++ * KIND, either express or implied. See the License for the
>>>> ++ * specific language governing permissions and limitations
>>>> ++ * under the License.
>>>> ++ */
>>>> ++package org.apache.axiom.om.util;
>>>> ++
>>>> ++import javax.xml.stream.XMLResolver;
>>>> ++import javax.xml.stream.XMLStreamException;
>>>> ++
>>>> ++import org.apache.commons.logging.Log;
>>>> ++import org.apache.commons.logging.LogFactory;
>>>> ++
>>>> ++/**
>>>> ++ * This XMLResolver is used whenever a secure XMLStreamReader
>>>> ++ * is needed.  Basically it thows an exception if an attempt
>>>> ++ * is made to read an entity.
>>>> ++ */
>>>> ++public final class SecureXMLResolver implements XMLResolver {
>>>> ++
>>>> ++    private static Log log =
>>>> LogFactory.getLog(SecureXMLResolver.class);
>>>> ++    public Object resolveEntity(String arg0, String arg1, String arg2,
>>>> ++            String arg3) throws XMLStreamException {
>>>> ++        // Note Scheu:
>>>> ++        // Do not expose the name of the entity that was attempted
>>>> to be
>>>> ++        // read as this will reveal secure information to the client.
>>>> ++        if (log.isDebugEnabled()) {
>>>> ++            log.debug("resolveEntity is disabled because this is a
>>>> secure XMLStreamReader(" +
>>>> ++                    arg0 + ") (" + arg1 + ") (" + arg2   + ") (" +
>>>> arg3 + ")");
>>>> ++        }
>>>> ++        throw new XMLStreamException("Reading external entities is
>>>> disabled");
>>>> ++    }
>>>> ++
>>>> ++}
>>>> +\ No newline at end of file
>>>> +
>>>> +Property changes on:
>>>>
>>>> modules\axiom-api\src\main\java\org\apache\axiom\om\util\SecureXMLResolver.java
>>>>
>>>> +___________________________________________________________________
>>>> +Name: svn:mime-type
>>>> +   + text/plain
>>>> +Name: svn:keywords
>>>> +   + Date Revision
>>>> +Name: svn:eol-style
>>>> +   + native
>>>> +
>>>> +Index:
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
>>>> +===================================================================
>>>> +---
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
>>>> (revision 949978)
>>>> ++++
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
>>>> (working copy)
>>>> +@@ -113,6 +113,39 @@
>>>> +             }
>>>> +     });
>>>> +
>>>> ++    private static final Pool secureXmlInputFactoryPool =
>>>> ++        new Pool(new ObjectCreator[] { new ObjectCreator() {
>>>> ++        public Object newObject() {
>>>> ++        return AccessController.doPrivileged(new PrivilegedAction() {
>>>> ++        public Object run() {
>>>> ++         // return
>>>> XMLInputFactory.newInstance("javax.xml.stream.XMLInputFactory",
>>>> StAXUtils.class.getClassLoader());
>>>> ++         // TODO: Refactor this code when the FactoryFinder.class in
>>>> XLXP fixed and used instead of the Axis2-bundle version
>>>> ++        // Try to simulate the above to create XMLInputFactory using
>>>> the specific classloader
>>>> ++        // This it not quite the same since it will modify the
>>>> classloader for all classes
>>>> ++        Thread currentThread = Thread.currentThread();
>>>> ++        ClassLoader savedClassLoader =
>>>> currentThread.getContextClassLoader();
>>>> ++        XMLInputFactory factory = null;
>>>> ++        try {
>>>> ++
>>>> currentThread.setContextClassLoader(StAXUtils.class.getClassLoader());
>>>> ++            factory = XMLInputFactory.newInstance();
>>>> ++
>>>> ++        // The following setting disabled external entities...which
>>>> is a requirement
>>>> ++        // for network xml reading.
>>>> ++        setSecureProperties(factory);
>>>> ++        } finally {
>>>> ++         currentThread.setContextClassLoader(savedClassLoader);
>>>> ++        }
>>>> ++        return factory;
>>>> ++        }
>>>> ++        });
>>>> ++        }
>>>> ++        }, new ObjectCreator() {
>>>> ++         public Object newObject() {
>>>> ++        return XMLInputFactory.newInstance();
>>>> ++        }
>>>> ++        } });
>>>> ++
>>>> ++
>>>> +     private static final Pool xmlOutputFactoryPool = new Pool(new
>>>> ObjectCreator[] {
>>>> +             new ObjectCreator() {
>>>> +                 public Object newObject() {
>>>> +@@ -144,6 +177,106 @@
>>>> +                 }
>>>> +             }
>>>> +     });
>>>> ++
>>>> ++     /**
>>>> ++    * Gets an XMLInputFactory instance from pool.
>>>> ++    *
>>>> ++    * @return an XMLInputFactory instance.
>>>> ++    */
>>>> ++    private static XMLInputFactory getSecureXMLInputFactory() {
>>>> ++    return (XMLInputFactory) secureXmlInputFactoryPool.getInstance();
>>>> ++    }
>>>> ++
>>>> ++    /**
>>>> ++    * Returns an XMLInputFactory instance for reuse.
>>>> ++    *
>>>> ++    * @param factory An XMLInputFactory instance that is available
>>>> for reuse
>>>> ++    */
>>>> ++    private static void releaseSecureXMLInputFactory(XMLInputFactory
>>>> factory) {
>>>> ++     secureXmlInputFactoryPool.releaseInstance(factory);
>>>> ++    }
>>>> ++
>>>> ++    /**
>>>> ++    * Create an XMLStreamReader that will be used to read a stream for
>>>> ++    * an incoming message.  We need to use more restrictive "secure"
>>>> properties
>>>> ++    * to ensure against attacks.
>>>> ++    * @param in
>>>> ++    * @param encoding
>>>> ++    * @return
>>>> ++    * @throws XMLStreamException
>>>> ++    */
>>>> ++    public static XMLStreamReader
>>>> createSecureXMLStreamReader(InputStream in, String encoding)
>>>> ++    throws XMLStreamException {
>>>> ++    XMLInputFactory inputFactory = getSecureXMLInputFactory();
>>>> ++    try {
>>>> ++    XMLStreamReader reader = inputFactory.createXMLStreamReader(in,
>>>> encoding);
>>>> ++    if (isDebugEnabled) {
>>>> ++    log.debug("XMLStreamReader is " + reader.getClass().getName());
>>>> ++    }
>>>> ++    return reader;
>>>> ++    } finally {
>>>> ++     releaseSecureXMLInputFactory(inputFactory);
>>>> ++            }
>>>> ++     }
>>>> ++
>>>> ++        /**
>>>> ++         * Create an XMLStreamReader that will be used to read a
>>>> stream for
>>>> ++         * an incoming message.  We need to use more restrictive
>>>> "secure" properties
>>>> ++         * to ensure against attacks.
>>>> ++         * @param in
>>>> ++         * @return
>>>> ++         * @throws XMLStreamException
>>>> ++         */
>>>> ++        public static XMLStreamReader
>>>> createSecureXMLStreamReader(InputStream in) throws XMLStreamException {
>>>> ++            XMLInputFactory inputFactory = getSecureXMLInputFactory();
>>>> ++            try {
>>>> ++                XMLStreamReader reader =
>>>> inputFactory.createXMLStreamReader(in);
>>>> ++                if (isDebugEnabled) {
>>>> ++                    log.debug("XMLStreamReader is " +
>>>> reader.getClass().getName());
>>>> ++                }
>>>> ++                return reader;
>>>> ++            } finally {
>>>> ++                releaseSecureXMLInputFactory(inputFactory);
>>>> ++            }
>>>> ++        }
>>>> ++
>>>> ++        /**
>>>> ++         * Create an XMLStreamReader that will be used to read a
>>>> stream for
>>>> ++         * an incoming message.  We need to use more restrictive
>>>> "secure" properties
>>>> ++         * to ensure against attacks.
>>>> ++         *
>>>> ++         * @param in
>>>> ++         * @return
>>>> ++         * @throws XMLStreamException
>>>> ++         */
>>>> ++        public static XMLStreamReader
>>>> createSecureXMLStreamReader(Reader in) throws XMLStreamException {
>>>> ++            XMLInputFactory inputFactory = getXMLInputFactory();
>>>> ++            try {
>>>> ++                XMLStreamReader reader =
>>>> inputFactory.createXMLStreamReader(in);
>>>> ++                if (isDebugEnabled) {
>>>> ++                    log.debug("XMLStreamReader is " +
>>>> reader.getClass().getName());
>>>> ++                }
>>>> ++                return reader;
>>>> ++            } finally {
>>>> ++                releaseSecureXMLInputFactory(inputFactory);
>>>> ++            }
>>>> ++        }
>>>> ++
>>>> ++        private static void setSecureProperties(XMLInputFactory f) {
>>>> ++            // The goal is to prevent tampering of the message
>>>> ++                  // by external entities or denial of service
>>>> ++                  // replacing entities.
>>>> ++                  // Setting the following properties ensures this
>>>> goal
>>>> ++
>>>> f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES,
>>>> ++                          Boolean.FALSE);
>>>> ++
>>>> f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES,
>>>> ++                          Boolean.FALSE);
>>>> ++                  f.setProperty(XMLInputFactory.SUPPORT_DTD,
>>>> ++                          Boolean.FALSE);
>>>> ++                  f.setXMLResolver(new SecureXMLResolver());
>>>> ++              }
>>>> ++
>>>> ++
>>>> +
>>>> +
>>>> +     private static Log log = LogFactory.getLog(StAXUtils.class);
>>>>
>>>> Added:
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>>>
>>>> URL:
>>>>
>>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar?rev=953250&view=auto
>>>>
>>>>
>>>> ==============================================================================
>>>>
>>>> Binary file - no diff available.
>>>>
>>>> Propchange:
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>>
>>>>      svn:mime-type = application/java-archive
>>>>
>>>> Added: geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>>> URL:
>>>>
>>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt?rev=953250&view=auto
>>>>
>>>>
>>>> ==============================================================================
>>>>
>>>> --- geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>>> (added)
>>>> +++ geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>>> Thu Jun 10 08:45:57 2010
>>>> @@ -0,0 +1,30 @@
>>>> +Private Build of Axiom 1.2.5 for Geronimo.
>>>> +
>>>> +How to build Axiom 1.2.5
>>>> +---------------------------------
>>>> + Checkout the Axiom 1.2.5 tag
>>>> +   svn co
>>>> http://svn.apache.org/repos/asf/webservices/commons/tags/axiom/1_2_5
>>>> +
>>>> +
>>>> +Apply the patch
>>>> +-----------------
>>>> + cd 1_2_5
>>>> + patch -p0 -i axiom_api.patch
>>>> +
>>>> +Build Axiom 1.2.5
>>>> +---------------
>>>> + cd 1_2_5
>>>> + mvn install
>>>> +
>>>> +Notes:
>>>> +  - Use Sun 1.5.x and Maven 2.0.9 build.
>>>> +
>>>> +
>>>> +Patch Information
>>>> +-----------------
>>>> +  axiom_api.patch  - contains fixes for AXIS2-4450
>>>> +
>>>> +Copy patched jar files to appropriate locations
>>>> +-----------------------------------------------
>>>> +  cd 1_2_5
>>>> +  cp
>>>>
>>>> modules/axiom-api/target/axiom-api-1.2.5.jar<geronimo-root>/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>>>
>>>> \ No newline at end of file
>>>>
>>>> Propchange:
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>>>
>>>> ------------------------------------------------------------------------------
>>>>
>>>>      svn:eol-style = native
>>>>
>>>> Propchange:
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>>>
>>>> ------------------------------------------------------------------------------
>>>>
>>>>      svn:keywords = Date Revision
>>>>
>>>> Propchange:
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>>>
>>>> ------------------------------------------------------------------------------
>>>>
>>>>      svn:mime-type = text/plain
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>

Mime
View raw message