You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@geronimo.apache.org by Rick McGuire <ri...@gmail.com> on 2010/06/10 15:10:38 UTC
Re: svn commit: r953250 - in /geronimo/server/branches/2.1/repository/org/apache:
axis2/ axis2/axis2-kernel/1.3-G20090406/ ws/ ws/commons/ ws/commons/axiom/
ws/commons/axiom/axiom-api/ ws/commons/axiom/axiom-api/1.2.5/
Ashish,
I think there are a couple of changes that need to be made for this update:
1) Since we're likely going to be making the Axis2 jar available for
download before we have the release complete, the timestamp in the jar
name should be updated so the different versions can be easily
distinguished.
2) The checked in axiom jar should also carry a timestamp modifier
(e.g., axiom-api-1.2.5-20100610).
Rick
On 6/10/2010 4:45 AM, ashishjain@apache.org wrote:
> Author: ashishjain
> Date: Thu Jun 10 08:45:57 2010
> New Revision: 953250
>
> URL: http://svn.apache.org/viewvc?rev=953250&view=rev
> Log:
> GERONIMO-5379 Fixes for geronimo custom AXIS2 for 2.1 branch
>
> Added:
> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
> geronimo/server/branches/2.1/repository/org/apache/ws/
> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
> geronimo/server/branches/2.1/repository/org/apache/ws/commons/
> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/
> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/
> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/
> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar (with props)
> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt (with props)
> Modified:
> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
> geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar
>
> Modified: geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
> URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT?rev=953250&r1=953249&r2=953250&view=diff
> ==============================================================================
> --- geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT (original)
> +++ geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT Thu Jun 10 08:45:57 2010
> @@ -3,7 +3,7 @@ Private Build of Axis2 1.3 for Geronimo.
> How to build Axis2 1.3-G20090406:
> ---------------------------------
> Checkout the Axis2 1.3 tag
> - svn co http://svn.apache.org/repos/asf/webservices/axis2/tags/java/v1.3/ axis2-1.3
> + svn co http://svn.apache.org/repos/asf/axis/axis2/java/core/tags/java/v1.3
>
>
> Apply the patches
> @@ -14,6 +14,7 @@ Apply the patches
> patch -p0 -i metadata.patch
> patch -p0 -i jaxws.patch
> patch -p0 -i kernel.patch
> + patch -p0 -i builder.patch
>
> Build Axis2 1.3
> ---------------
> @@ -32,6 +33,7 @@ Patch Information
> metadata.patch - contains fixes for SEI with overloaded methods
> jaxws.patch - contains fixes for AXIS2-3343 and RESTful invocations
> kernel.patch - contains fixes for AXIS2-4279
> + builder.patch - contains fixes for AXIS2-4450
>
> Copy patched jar files to appropriate locations
> -----------------------------------------------
>
> Modified: geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar
> URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar?rev=953250&r1=953249&r2=953250&view=diff
> ==============================================================================
> Binary files - no diff available.
>
> Added: geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
> URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch?rev=953250&view=auto
> ==============================================================================
> --- geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch (added)
> +++ geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch Thu Jun 10 08:45:57 2010
> @@ -0,0 +1,132 @@
> +Index: modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
> +===================================================================
> +--- modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java (revision 952555)
> ++++ modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java (working copy)
> +@@ -192,9 +192,9 @@
> + public static StAXBuilder getPOXBuilder(InputStream inStream, String charSetEnc)
> + throws XMLStreamException {
> + StAXBuilder builder;
> +- XMLStreamReader xmlreader =
> +- StAXUtils.createXMLStreamReader(inStream, charSetEnc);
> +- builder = new StAXOMBuilder(xmlreader);
> ++ XMLStreamReader xmlReader = StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
> ++ builder = new StAXOMBuilder(xmlReader);
> ++ ((StAXOMBuilder) builder).setAllowDTDandPI(false);
> + return builder;
> + }
> +
> +@@ -374,7 +374,7 @@
> + PushbackInputStream pis = getPushbackInputStream(attachments.getSOAPPartInputStream());
> + String actualCharSetEncoding = getCharSetEncoding(pis, charSetEncoding);
> +
> +- streamReader = StAXUtils.createXMLStreamReader(pis, actualCharSetEncoding);
> ++ streamReader = StAXUtils.createSecureXMLStreamReader(pis, actualCharSetEncoding);
> + } catch (IOException e) {
> + throw new XMLStreamException(e);
> + }
> +@@ -414,13 +414,16 @@
> + XOPAwareStAXOMBuilder stAXOMBuilder = new XOPAwareStAXOMBuilder(
> + streamReader, attachments);
> + builder = stAXOMBuilder;
> ++ ((XOPAwareStAXOMBuilder) builder).setAllowDTDandPI(false);
> +
> + } else if (attachments.getAttachmentSpecType().equals(
> + MTOMConstants.SWA_TYPE)) {
> + builder = new StAXOMBuilder(streamReader);
> ++ ((XOPAwareStAXOMBuilder) builder).setAllowDTDandPI(false);
> + } else if (attachments.getAttachmentSpecType().equals(
> + MTOMConstants.SWA_TYPE_12)) {
> + builder = new StAXOMBuilder(streamReader);
> ++ ((XOPAwareStAXOMBuilder) builder).setAllowDTDandPI(false);
> + }
> + }
> +
> +@@ -531,8 +534,8 @@
> + * @deprecated If some one really need this method, please shout.
> + */
> + public static StAXBuilder getBuilder(Reader in) throws XMLStreamException {
> +- XMLStreamReader xmlreader = StAXUtils.createXMLStreamReader(in);
> +- StAXBuilder builder = new StAXSOAPModelBuilder(xmlreader, null);
> ++ XMLStreamReader xmlReader = StAXUtils.createSecureXMLStreamReader(in);
> ++ StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader, null);
> + return builder;
> + }
> +
> +@@ -544,8 +547,10 @@
> + * @throws XMLStreamException
> + */
> + public static StAXBuilder getBuilder(InputStream inStream) throws XMLStreamException {
> +- XMLStreamReader xmlReader = StAXUtils.createXMLStreamReader(inStream);
> +- return new StAXOMBuilder(xmlReader);
> ++ XMLStreamReader xmlReader = StAXUtils.createSecureXMLStreamReader(inStream);
> ++ StAXBuilder builder = new StAXOMBuilder(xmlReader);
> ++ ((StAXOMBuilder) builder).setAllowDTDandPI(false);
> ++ return builder;
> + }
> +
> + /**
> +@@ -558,7 +563,7 @@
> + */
> + public static StAXBuilder getBuilder(InputStream inStream, String charSetEnc)
> + throws XMLStreamException {
> +- XMLStreamReader xmlReader = StAXUtils.createXMLStreamReader(inStream, charSetEnc);
> ++ XMLStreamReader xmlReader = StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
> + try {
> + StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader);
> + return builder;
> +@@ -580,7 +585,7 @@
> + * @throws XMLStreamException
> + */
> + public static StAXBuilder getSOAPBuilder(InputStream inStream) throws XMLStreamException {
> +- XMLStreamReader xmlReader = StAXUtils.createXMLStreamReader(inStream);
> ++ XMLStreamReader xmlReader = StAXUtils.createSecureXMLStreamReader(inStream);
> + try {
> + StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader);
> + return builder;
> +@@ -604,7 +609,7 @@
> + */
> + public static StAXBuilder getSOAPBuilder(InputStream inStream, String charSetEnc)
> + throws XMLStreamException {
> +- XMLStreamReader xmlReader = StAXUtils.createXMLStreamReader(inStream, charSetEnc);
> ++ XMLStreamReader xmlReader = StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
> + try {
> + StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader);
> + return builder;
> +@@ -621,8 +626,9 @@
> + public static StAXBuilder getBuilder(SOAPFactory soapFactory, InputStream in, String charSetEnc)
> + throws XMLStreamException {
> + StAXBuilder builder;
> +- XMLStreamReader xmlreader = StAXUtils.createXMLStreamReader(in, charSetEnc);
> +- builder = new StAXOMBuilder(soapFactory, xmlreader);
> ++ XMLStreamReader xmlReader = StAXUtils.createSecureXMLStreamReader(in, charSetEnc);
> ++ builder = new StAXOMBuilder(soapFactory, xmlReader);
> ++ ((StAXOMBuilder) builder).setAllowDTDandPI(false);
> + return builder;
> + }
> +
> +Index: modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
> +===================================================================
> +--- modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java (revision 952555)
> ++++ modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java (working copy)
> +@@ -51,7 +51,7 @@
> + String actualCharSetEncoding = BuilderUtil.getCharSetEncoding(pis, charSetEncoding);
> +
> + // Get the XMLStreamReader for this input stream
> +- streamReader = StAXUtils.createXMLStreamReader(pis, actualCharSetEncoding);
> ++ streamReader= StAXUtils.createSecureXMLStreamReader(pis, actualCharSetEncoding);
> + StAXBuilder builder = new MTOMStAXSOAPModelBuilder(streamReader,
> + attachments);
> + SOAPEnvelope envelope = (SOAPEnvelope) builder.getDocumentElement();
> +Index: modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
> +===================================================================
> +--- modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java (revision 952555)
> ++++ modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java (working copy)
> +@@ -48,7 +48,7 @@
> + String actualCharSetEncoding = BuilderUtil.getCharSetEncoding(pis, charSetEncoding);
> +
> + // Get the XMLStreamReader for this input stream
> +- streamReader = StAXUtils.createXMLStreamReader(pis, actualCharSetEncoding);
> ++ streamReader = StAXUtils.createSecureXMLStreamReader(pis, actualCharSetEncoding);
> +
> + StAXBuilder builder = new StAXSOAPModelBuilder(streamReader);
> + SOAPEnvelope envelope = (SOAPEnvelope) builder.getDocumentElement();
>
> Added: geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
> URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch?rev=953250&view=auto
> ==============================================================================
> --- geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch (added)
> +++ geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch Thu Jun 10 08:45:57 2010
> @@ -0,0 +1,267 @@
> +Index: modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
> +===================================================================
> +--- modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java (revision 949978)
> ++++ modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java (working copy)
> +@@ -52,6 +52,7 @@
> + private static final Log log = LogFactory.getLog(StAXOMBuilder.class);
> + private boolean doTrace = log.isDebugEnabled();
> + private static int nsCount = 0;
> ++ boolean allowDTDandPI = true;
> +
> + /**
> + * Constructor StAXOMBuilder.
> +@@ -309,6 +310,9 @@
> + * @throws OMException
> + */
> + protected OMNode createDTD() throws OMException {
> ++ if (!allowDTDandPI) {
> ++ throw new OMException("Inbound message MUST NOT contain a Document Type Declaration(DTD)");
> ++ }
> + if (!parser.hasText())
> + return null;
> + lastNode = omfactory.createOMDocType(document, parser.getText());
> +@@ -322,6 +326,9 @@
> + * @throws OMException
> + */
> + protected OMNode createPI() throws OMException {
> ++ if (!allowDTDandPI) {
> ++ throw new OMException("Inbound message MUST NOT contain Processing Instructions(PI)");
> ++ }
> + OMNode node;
> + String target = parser.getPITarget();
> + String data = parser.getPIData();
> +@@ -337,6 +344,20 @@
> + return node;
> + }
> +
> ++
> ++ /**
> ++ * @return true if Document Type Definitions and Processing Instructions are allowed
> ++ */
> ++ public boolean isAllowDTDandPI() {
> ++ return allowDTDandPI;
> ++ }
> ++
> ++ /**
> ++ * @param allowDTDandPI boolean
> ++ */
> ++ public void setAllowDTDandPI(boolean allowDTDandPI) {
> ++ this.allowDTDandPI = allowDTDandPI;
> ++ }
> + protected void endElement() {
> + if (lastNode.isComplete()) {
> + OMNodeEx parent = (OMNodeEx) lastNode.getParent();
> +Index: modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
> +===================================================================
> +--- modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java (revision 0)
> ++++ modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java (revision 0)
> +@@ -0,0 +1,47 @@
> ++/*
> ++ * Licensed to the Apache Software Foundation (ASF) under one
> ++ * or more contributor license agreements. See the NOTICE file
> ++ * distributed with this work for additional information
> ++ * regarding copyright ownership. The ASF licenses this file
> ++ * to you under the Apache License, Version 2.0 (the
> ++ * "License"); you may not use this file except in compliance
> ++ * with the License. You may obtain a copy of the License at
> ++ *
> ++ * http://www.apache.org/licenses/LICENSE-2.0
> ++ *
> ++ * Unless required by applicable law or agreed to in writing,
> ++ * software distributed under the License is distributed on an
> ++ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
> ++ * KIND, either express or implied. See the License for the
> ++ * specific language governing permissions and limitations
> ++ * under the License.
> ++ */
> ++package org.apache.axiom.om.util;
> ++
> ++import javax.xml.stream.XMLResolver;
> ++import javax.xml.stream.XMLStreamException;
> ++
> ++import org.apache.commons.logging.Log;
> ++import org.apache.commons.logging.LogFactory;
> ++
> ++/**
> ++ * This XMLResolver is used whenever a secure XMLStreamReader
> ++ * is needed. Basically it thows an exception if an attempt
> ++ * is made to read an entity.
> ++ */
> ++public final class SecureXMLResolver implements XMLResolver {
> ++
> ++ private static Log log = LogFactory.getLog(SecureXMLResolver.class);
> ++ public Object resolveEntity(String arg0, String arg1, String arg2,
> ++ String arg3) throws XMLStreamException {
> ++ // Note Scheu:
> ++ // Do not expose the name of the entity that was attempted to be
> ++ // read as this will reveal secure information to the client.
> ++ if (log.isDebugEnabled()) {
> ++ log.debug("resolveEntity is disabled because this is a secure XMLStreamReader(" +
> ++ arg0 + ") (" + arg1 + ") (" + arg2 + ") (" + arg3 + ")");
> ++ }
> ++ throw new XMLStreamException("Reading external entities is disabled");
> ++ }
> ++
> ++}
> +\ No newline at end of file
> +
> +Property changes on: modules\axiom-api\src\main\java\org\apache\axiom\om\util\SecureXMLResolver.java
> +___________________________________________________________________
> +Name: svn:mime-type
> + + text/plain
> +Name: svn:keywords
> + + Date Revision
> +Name: svn:eol-style
> + + native
> +
> +Index: modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
> +===================================================================
> +--- modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java (revision 949978)
> ++++ modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java (working copy)
> +@@ -113,6 +113,39 @@
> + }
> + });
> +
> ++ private static final Pool secureXmlInputFactoryPool =
> ++ new Pool(new ObjectCreator[] { new ObjectCreator() {
> ++ public Object newObject() {
> ++ return AccessController.doPrivileged(new PrivilegedAction() {
> ++ public Object run() {
> ++ // return XMLInputFactory.newInstance("javax.xml.stream.XMLInputFactory", StAXUtils.class.getClassLoader());
> ++ // TODO: Refactor this code when the FactoryFinder.class in XLXP fixed and used instead of the Axis2-bundle version
> ++ // Try to simulate the above to create XMLInputFactory using the specific classloader
> ++ // This it not quite the same since it will modify the classloader for all classes
> ++ Thread currentThread = Thread.currentThread();
> ++ ClassLoader savedClassLoader = currentThread.getContextClassLoader();
> ++ XMLInputFactory factory = null;
> ++ try {
> ++ currentThread.setContextClassLoader(StAXUtils.class.getClassLoader());
> ++ factory = XMLInputFactory.newInstance();
> ++
> ++ // The following setting disabled external entities...which is a requirement
> ++ // for network xml reading.
> ++ setSecureProperties(factory);
> ++ } finally {
> ++ currentThread.setContextClassLoader(savedClassLoader);
> ++ }
> ++ return factory;
> ++ }
> ++ });
> ++ }
> ++ }, new ObjectCreator() {
> ++ public Object newObject() {
> ++ return XMLInputFactory.newInstance();
> ++ }
> ++ } });
> ++
> ++
> + private static final Pool xmlOutputFactoryPool = new Pool(new ObjectCreator[] {
> + new ObjectCreator() {
> + public Object newObject() {
> +@@ -144,6 +177,106 @@
> + }
> + }
> + });
> ++
> ++ /**
> ++ * Gets an XMLInputFactory instance from pool.
> ++ *
> ++ * @return an XMLInputFactory instance.
> ++ */
> ++ private static XMLInputFactory getSecureXMLInputFactory() {
> ++ return (XMLInputFactory) secureXmlInputFactoryPool.getInstance();
> ++ }
> ++
> ++ /**
> ++ * Returns an XMLInputFactory instance for reuse.
> ++ *
> ++ * @param factory An XMLInputFactory instance that is available for reuse
> ++ */
> ++ private static void releaseSecureXMLInputFactory(XMLInputFactory factory) {
> ++ secureXmlInputFactoryPool.releaseInstance(factory);
> ++ }
> ++
> ++ /**
> ++ * Create an XMLStreamReader that will be used to read a stream for
> ++ * an incoming message. We need to use more restrictive "secure" properties
> ++ * to ensure against attacks.
> ++ * @param in
> ++ * @param encoding
> ++ * @return
> ++ * @throws XMLStreamException
> ++ */
> ++ public static XMLStreamReader createSecureXMLStreamReader(InputStream in, String encoding)
> ++ throws XMLStreamException {
> ++ XMLInputFactory inputFactory = getSecureXMLInputFactory();
> ++ try {
> ++ XMLStreamReader reader = inputFactory.createXMLStreamReader(in, encoding);
> ++ if (isDebugEnabled) {
> ++ log.debug("XMLStreamReader is " + reader.getClass().getName());
> ++ }
> ++ return reader;
> ++ } finally {
> ++ releaseSecureXMLInputFactory(inputFactory);
> ++ }
> ++ }
> ++
> ++ /**
> ++ * Create an XMLStreamReader that will be used to read a stream for
> ++ * an incoming message. We need to use more restrictive "secure" properties
> ++ * to ensure against attacks.
> ++ * @param in
> ++ * @return
> ++ * @throws XMLStreamException
> ++ */
> ++ public static XMLStreamReader createSecureXMLStreamReader(InputStream in) throws XMLStreamException {
> ++ XMLInputFactory inputFactory = getSecureXMLInputFactory();
> ++ try {
> ++ XMLStreamReader reader = inputFactory.createXMLStreamReader(in);
> ++ if (isDebugEnabled) {
> ++ log.debug("XMLStreamReader is " + reader.getClass().getName());
> ++ }
> ++ return reader;
> ++ } finally {
> ++ releaseSecureXMLInputFactory(inputFactory);
> ++ }
> ++ }
> ++
> ++ /**
> ++ * Create an XMLStreamReader that will be used to read a stream for
> ++ * an incoming message. We need to use more restrictive "secure" properties
> ++ * to ensure against attacks.
> ++ *
> ++ * @param in
> ++ * @return
> ++ * @throws XMLStreamException
> ++ */
> ++ public static XMLStreamReader createSecureXMLStreamReader(Reader in) throws XMLStreamException {
> ++ XMLInputFactory inputFactory = getXMLInputFactory();
> ++ try {
> ++ XMLStreamReader reader = inputFactory.createXMLStreamReader(in);
> ++ if (isDebugEnabled) {
> ++ log.debug("XMLStreamReader is " + reader.getClass().getName());
> ++ }
> ++ return reader;
> ++ } finally {
> ++ releaseSecureXMLInputFactory(inputFactory);
> ++ }
> ++ }
> ++
> ++ private static void setSecureProperties(XMLInputFactory f) {
> ++ // The goal is to prevent tampering of the message
> ++ // by external entities or denial of service
> ++ // replacing entities.
> ++ // Setting the following properties ensures this goal
> ++ f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES,
> ++ Boolean.FALSE);
> ++ f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES,
> ++ Boolean.FALSE);
> ++ f.setProperty(XMLInputFactory.SUPPORT_DTD,
> ++ Boolean.FALSE);
> ++ f.setXMLResolver(new SecureXMLResolver());
> ++ }
> ++
> ++
> +
> +
> + private static Log log = LogFactory.getLog(StAXUtils.class);
>
> Added: geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
> URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar?rev=953250&view=auto
> ==============================================================================
> Binary file - no diff available.
>
> Propchange: geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
> ------------------------------------------------------------------------------
> svn:mime-type = application/java-archive
>
> Added: geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
> URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt?rev=953250&view=auto
> ==============================================================================
> --- geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt (added)
> +++ geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt Thu Jun 10 08:45:57 2010
> @@ -0,0 +1,30 @@
> +Private Build of Axiom 1.2.5 for Geronimo.
> +
> +How to build Axiom 1.2.5
> +---------------------------------
> + Checkout the Axiom 1.2.5 tag
> + svn co http://svn.apache.org/repos/asf/webservices/commons/tags/axiom/1_2_5
> +
> +
> +Apply the patch
> +-----------------
> + cd 1_2_5
> + patch -p0 -i axiom_api.patch
> +
> +Build Axiom 1.2.5
> +---------------
> + cd 1_2_5
> + mvn install
> +
> +Notes:
> + - Use Sun 1.5.x and Maven 2.0.9 build.
> +
> +
> +Patch Information
> +-----------------
> + axiom_api.patch - contains fixes for AXIS2-4450
> +
> +Copy patched jar files to appropriate locations
> +-----------------------------------------------
> + cd 1_2_5
> + cp modules/axiom-api/target/axiom-api-1.2.5.jar<geronimo-root>/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
> \ No newline at end of file
>
> Propchange: geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
> ------------------------------------------------------------------------------
> svn:eol-style = native
>
> Propchange: geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
> ------------------------------------------------------------------------------
> svn:keywords = Date Revision
>
> Propchange: geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
> ------------------------------------------------------------------------------
> svn:mime-type = text/plain
>
>
>
>
Re: svn commit: r953250 - in /geronimo/server/branches/2.1/repository/org/apache:
axis2/ axis2/axis2-kernel/1.3-G20090406/ ws/ ws/commons/ ws/commons/axiom/
ws/commons/axiom/axiom-api/ ws/commons/axiom/axiom-api/1.2.5/
Posted by Ashish Jain <as...@gmail.com>.
Sure rick I will modify the timestamp for the jars to new values.
On Thu, Jun 10, 2010 at 7:39 PM, Rick McGuire <ri...@gmail.com> wrote:
> On 6/10/2010 9:53 AM, Donald Woods wrote:
>
>> But we're going to instruct existing 2.1.x users to copy it over the
>> existing jars in the server repository, right? Or are we going to
>> instruct them to create an artifact-alias entry to map all usage to the
>> new one (which may not work in all cases....)?
>>
>>
>
> Using artifact-alias has been sort of an assumption in all of the
> discussions I've seen. Giving two versions of a jar the same name seems
> like a recipe for disaster.
>
> Rick
>
>
>
>> -Donald
>>
>>
>> On 6/10/10 9:10 AM, Rick McGuire wrote:
>>
>>
>>> Ashish,
>>>
>>> I think there are a couple of changes that need to be made for this
>>> update:
>>>
>>> 1) Since we're likely going to be making the Axis2 jar available for
>>> download before we have the release complete, the timestamp in the jar
>>> name should be updated so the different versions can be easily
>>> distinguished.
>>> 2) The checked in axiom jar should also carry a timestamp modifier
>>> (e.g., axiom-api-1.2.5-20100610).
>>>
>>> Rick
>>>
>>> On 6/10/2010 4:45 AM, ashishjain@apache.org wrote:
>>>
>>>
>>>> Author: ashishjain
>>>> Date: Thu Jun 10 08:45:57 2010
>>>> New Revision: 953250
>>>>
>>>> URL: http://svn.apache.org/viewvc?rev=953250&view=rev
>>>> Log:
>>>> GERONIMO-5379 Fixes for geronimo custom AXIS2 for 2.1 branch
>>>>
>>>> Added:
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/
>>>>
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/
>>>>
>>>>
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/
>>>>
>>>>
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>>> (with props)
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>>> (with props)
>>>> Modified:
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>>>
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar
>>>>
>>>>
>>>> Modified:
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>>> URL:
>>>>
>>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT?rev=953250&r1=953249&r2=953250&view=diff
>>>>
>>>>
>>>> ==============================================================================
>>>>
>>>> ---
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>>> (original)
>>>> +++
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>>> Thu Jun 10 08:45:57 2010
>>>> @@ -3,7 +3,7 @@ Private Build of Axis2 1.3 for Geronimo.
>>>> How to build Axis2 1.3-G20090406:
>>>> ---------------------------------
>>>> Checkout the Axis2 1.3 tag
>>>> - svn co
>>>> http://svn.apache.org/repos/asf/webservices/axis2/tags/java/v1.3/
>>>> axis2-1.3
>>>> + svn co
>>>> http://svn.apache.org/repos/asf/axis/axis2/java/core/tags/java/v1.3
>>>>
>>>>
>>>> Apply the patches
>>>> @@ -14,6 +14,7 @@ Apply the patches
>>>> patch -p0 -i metadata.patch
>>>> patch -p0 -i jaxws.patch
>>>> patch -p0 -i kernel.patch
>>>> + patch -p0 -i builder.patch
>>>>
>>>> Build Axis2 1.3
>>>> ---------------
>>>> @@ -32,6 +33,7 @@ Patch Information
>>>> metadata.patch - contains fixes for SEI with overloaded methods
>>>> jaxws.patch - contains fixes for AXIS2-3343 and RESTful
>>>> invocations
>>>> kernel.patch - contains fixes for AXIS2-4279
>>>> + builder.patch - contains fixes for AXIS2-4450
>>>>
>>>> Copy patched jar files to appropriate locations
>>>> -----------------------------------------------
>>>>
>>>> Modified:
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar
>>>>
>>>> URL:
>>>>
>>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar?rev=953250&r1=953249&r2=953250&view=diff
>>>>
>>>>
>>>> ==============================================================================
>>>>
>>>> Binary files - no diff available.
>>>>
>>>> Added:
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>>>> URL:
>>>>
>>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch?rev=953250&view=auto
>>>>
>>>>
>>>> ==============================================================================
>>>>
>>>> ---
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>>>> (added)
>>>> +++
>>>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>>>> Thu Jun 10 08:45:57 2010
>>>> @@ -0,0 +1,132 @@
>>>> +Index: modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
>>>> +===================================================================
>>>> +--- modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
>>>> (revision 952555)
>>>> ++++ modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
>>>> (working copy)
>>>> +@@ -192,9 +192,9 @@
>>>> + public static StAXBuilder getPOXBuilder(InputStream inStream,
>>>> String charSetEnc)
>>>> + throws XMLStreamException {
>>>> + StAXBuilder builder;
>>>> +- XMLStreamReader xmlreader =
>>>> +- StAXUtils.createXMLStreamReader(inStream, charSetEnc);
>>>> +- builder = new StAXOMBuilder(xmlreader);
>>>> ++ XMLStreamReader xmlReader =
>>>> StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
>>>> ++ builder = new StAXOMBuilder(xmlReader);
>>>> ++ ((StAXOMBuilder) builder).setAllowDTDandPI(false);
>>>> + return builder;
>>>> + }
>>>> +
>>>> +@@ -374,7 +374,7 @@
>>>> + PushbackInputStream pis =
>>>> getPushbackInputStream(attachments.getSOAPPartInputStream());
>>>> + String actualCharSetEncoding = getCharSetEncoding(pis,
>>>> charSetEncoding);
>>>> +
>>>> +- streamReader = StAXUtils.createXMLStreamReader(pis,
>>>> actualCharSetEncoding);
>>>> ++ streamReader =
>>>> StAXUtils.createSecureXMLStreamReader(pis, actualCharSetEncoding);
>>>> + } catch (IOException e) {
>>>> + throw new XMLStreamException(e);
>>>> + }
>>>> +@@ -414,13 +414,16 @@
>>>> + XOPAwareStAXOMBuilder stAXOMBuilder = new
>>>> XOPAwareStAXOMBuilder(
>>>> + streamReader, attachments);
>>>> + builder = stAXOMBuilder;
>>>> ++ ((XOPAwareStAXOMBuilder)
>>>> builder).setAllowDTDandPI(false);
>>>> +
>>>> + } else if (attachments.getAttachmentSpecType().equals(
>>>> + MTOMConstants.SWA_TYPE)) {
>>>> + builder = new StAXOMBuilder(streamReader);
>>>> ++ ((XOPAwareStAXOMBuilder)
>>>> builder).setAllowDTDandPI(false);
>>>> + } else if (attachments.getAttachmentSpecType().equals(
>>>> + MTOMConstants.SWA_TYPE_12)) {
>>>> + builder = new StAXOMBuilder(streamReader);
>>>> ++ ((XOPAwareStAXOMBuilder)
>>>> builder).setAllowDTDandPI(false);
>>>> + }
>>>> + }
>>>> +
>>>> +@@ -531,8 +534,8 @@
>>>> + * @deprecated If some one really need this method, please shout.
>>>> + */
>>>> + public static StAXBuilder getBuilder(Reader in) throws
>>>> XMLStreamException {
>>>> +- XMLStreamReader xmlreader =
>>>> StAXUtils.createXMLStreamReader(in);
>>>> +- StAXBuilder builder = new StAXSOAPModelBuilder(xmlreader,
>>>> null);
>>>> ++ XMLStreamReader xmlReader =
>>>> StAXUtils.createSecureXMLStreamReader(in);
>>>> ++ StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader,
>>>> null);
>>>> + return builder;
>>>> + }
>>>> +
>>>> +@@ -544,8 +547,10 @@
>>>> + * @throws XMLStreamException
>>>> + */
>>>> + public static StAXBuilder getBuilder(InputStream inStream)
>>>> throws XMLStreamException {
>>>> +- XMLStreamReader xmlReader =
>>>> StAXUtils.createXMLStreamReader(inStream);
>>>> +- return new StAXOMBuilder(xmlReader);
>>>> ++ XMLStreamReader xmlReader =
>>>> StAXUtils.createSecureXMLStreamReader(inStream);
>>>> ++ StAXBuilder builder = new StAXOMBuilder(xmlReader);
>>>> ++ ((StAXOMBuilder) builder).setAllowDTDandPI(false);
>>>> ++ return builder;
>>>> + }
>>>> +
>>>> + /**
>>>> +@@ -558,7 +563,7 @@
>>>> + */
>>>> + public static StAXBuilder getBuilder(InputStream inStream,
>>>> String charSetEnc)
>>>> + throws XMLStreamException {
>>>> +- XMLStreamReader xmlReader =
>>>> StAXUtils.createXMLStreamReader(inStream, charSetEnc);
>>>> ++ XMLStreamReader xmlReader =
>>>> StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
>>>> + try {
>>>> + StAXBuilder builder = new
>>>> StAXSOAPModelBuilder(xmlReader);
>>>> + return builder;
>>>> +@@ -580,7 +585,7 @@
>>>> + * @throws XMLStreamException
>>>> + */
>>>> + public static StAXBuilder getSOAPBuilder(InputStream inStream)
>>>> throws XMLStreamException {
>>>> +- XMLStreamReader xmlReader =
>>>> StAXUtils.createXMLStreamReader(inStream);
>>>> ++ XMLStreamReader xmlReader =
>>>> StAXUtils.createSecureXMLStreamReader(inStream);
>>>> + try {
>>>> + StAXBuilder builder = new
>>>> StAXSOAPModelBuilder(xmlReader);
>>>> + return builder;
>>>> +@@ -604,7 +609,7 @@
>>>> + */
>>>> + public static StAXBuilder getSOAPBuilder(InputStream inStream,
>>>> String charSetEnc)
>>>> + throws XMLStreamException {
>>>> +- XMLStreamReader xmlReader =
>>>> StAXUtils.createXMLStreamReader(inStream, charSetEnc);
>>>> ++ XMLStreamReader xmlReader =
>>>> StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
>>>> + try {
>>>> + StAXBuilder builder = new
>>>> StAXSOAPModelBuilder(xmlReader);
>>>> + return builder;
>>>> +@@ -621,8 +626,9 @@
>>>> + public static StAXBuilder getBuilder(SOAPFactory soapFactory,
>>>> InputStream in, String charSetEnc)
>>>> + throws XMLStreamException {
>>>> + StAXBuilder builder;
>>>> +- XMLStreamReader xmlreader =
>>>> StAXUtils.createXMLStreamReader(in, charSetEnc);
>>>> +- builder = new StAXOMBuilder(soapFactory, xmlreader);
>>>> ++ XMLStreamReader xmlReader =
>>>> StAXUtils.createSecureXMLStreamReader(in, charSetEnc);
>>>> ++ builder = new StAXOMBuilder(soapFactory, xmlReader);
>>>> ++ ((StAXOMBuilder) builder).setAllowDTDandPI(false);
>>>> + return builder;
>>>> + }
>>>> +
>>>> +Index: modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
>>>> +===================================================================
>>>> +--- modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
>>>> (revision 952555)
>>>> ++++ modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
>>>> (working copy)
>>>> +@@ -51,7 +51,7 @@
>>>> + String actualCharSetEncoding =
>>>> BuilderUtil.getCharSetEncoding(pis, charSetEncoding);
>>>> +
>>>> + // Get the XMLStreamReader for this input stream
>>>> +- streamReader = StAXUtils.createXMLStreamReader(pis,
>>>> actualCharSetEncoding);
>>>> ++ streamReader= StAXUtils.createSecureXMLStreamReader(pis,
>>>> actualCharSetEncoding);
>>>> + StAXBuilder builder = new
>>>> MTOMStAXSOAPModelBuilder(streamReader,
>>>> + attachments);
>>>> + SOAPEnvelope envelope = (SOAPEnvelope)
>>>> builder.getDocumentElement();
>>>> +Index: modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
>>>> +===================================================================
>>>> +--- modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
>>>> (revision 952555)
>>>> ++++ modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
>>>> (working copy)
>>>> +@@ -48,7 +48,7 @@
>>>> + String actualCharSetEncoding =
>>>> BuilderUtil.getCharSetEncoding(pis, charSetEncoding);
>>>> +
>>>> + // Get the XMLStreamReader for this input stream
>>>> +- streamReader = StAXUtils.createXMLStreamReader(pis,
>>>> actualCharSetEncoding);
>>>> ++ streamReader =
>>>> StAXUtils.createSecureXMLStreamReader(pis, actualCharSetEncoding);
>>>> +
>>>> + StAXBuilder builder = new
>>>> StAXSOAPModelBuilder(streamReader);
>>>> + SOAPEnvelope envelope = (SOAPEnvelope)
>>>> builder.getDocumentElement();
>>>>
>>>> Added:
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>>>> URL:
>>>>
>>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch?rev=953250&view=auto
>>>>
>>>>
>>>> ==============================================================================
>>>>
>>>> ---
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>>>> (added)
>>>> +++
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>>>> Thu Jun 10 08:45:57 2010
>>>> @@ -0,0 +1,267 @@
>>>> +Index:
>>>>
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
>>>>
>>>> +===================================================================
>>>> +---
>>>>
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
>>>> (revision 949978)
>>>> ++++
>>>>
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
>>>> (working copy)
>>>> +@@ -52,6 +52,7 @@
>>>> + private static final Log log =
>>>> LogFactory.getLog(StAXOMBuilder.class);
>>>> + private boolean doTrace = log.isDebugEnabled();
>>>> + private static int nsCount = 0;
>>>> ++ boolean allowDTDandPI = true;
>>>> +
>>>> + /**
>>>> + * Constructor StAXOMBuilder.
>>>> +@@ -309,6 +310,9 @@
>>>> + * @throws OMException
>>>> + */
>>>> + protected OMNode createDTD() throws OMException {
>>>> ++ if (!allowDTDandPI) {
>>>> ++ throw new OMException("Inbound message MUST NOT contain
>>>> a Document Type Declaration(DTD)");
>>>> ++ }
>>>> + if (!parser.hasText())
>>>> + return null;
>>>> + lastNode = omfactory.createOMDocType(document,
>>>> parser.getText());
>>>> +@@ -322,6 +326,9 @@
>>>> + * @throws OMException
>>>> + */
>>>> + protected OMNode createPI() throws OMException {
>>>> ++ if (!allowDTDandPI) {
>>>> ++ throw new OMException("Inbound message MUST NOT contain
>>>> Processing Instructions(PI)");
>>>> ++ }
>>>> + OMNode node;
>>>> + String target = parser.getPITarget();
>>>> + String data = parser.getPIData();
>>>> +@@ -337,6 +344,20 @@
>>>> + return node;
>>>> + }
>>>> +
>>>> ++
>>>> ++ /**
>>>> ++ * @return true if Document Type Definitions and Processing
>>>> Instructions are allowed
>>>> ++ */
>>>> ++ public boolean isAllowDTDandPI() {
>>>> ++ return allowDTDandPI;
>>>> ++ }
>>>> ++
>>>> ++ /**
>>>> ++ * @param allowDTDandPI boolean
>>>> ++ */
>>>> ++ public void setAllowDTDandPI(boolean allowDTDandPI) {
>>>> ++ this.allowDTDandPI = allowDTDandPI;
>>>> ++ }
>>>> + protected void endElement() {
>>>> + if (lastNode.isComplete()) {
>>>> + OMNodeEx parent = (OMNodeEx) lastNode.getParent();
>>>> +Index:
>>>>
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
>>>>
>>>> +===================================================================
>>>> +---
>>>>
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
>>>> (revision 0)
>>>> ++++
>>>>
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
>>>> (revision 0)
>>>> +@@ -0,0 +1,47 @@
>>>> ++/*
>>>> ++ * Licensed to the Apache Software Foundation (ASF) under one
>>>> ++ * or more contributor license agreements. See the NOTICE file
>>>> ++ * distributed with this work for additional information
>>>> ++ * regarding copyright ownership. The ASF licenses this file
>>>> ++ * to you under the Apache License, Version 2.0 (the
>>>> ++ * "License"); you may not use this file except in compliance
>>>> ++ * with the License. You may obtain a copy of the License at
>>>> ++ *
>>>> ++ * http://www.apache.org/licenses/LICENSE-2.0
>>>> ++ *
>>>> ++ * Unless required by applicable law or agreed to in writing,
>>>> ++ * software distributed under the License is distributed on an
>>>> ++ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>>>> ++ * KIND, either express or implied. See the License for the
>>>> ++ * specific language governing permissions and limitations
>>>> ++ * under the License.
>>>> ++ */
>>>> ++package org.apache.axiom.om.util;
>>>> ++
>>>> ++import javax.xml.stream.XMLResolver;
>>>> ++import javax.xml.stream.XMLStreamException;
>>>> ++
>>>> ++import org.apache.commons.logging.Log;
>>>> ++import org.apache.commons.logging.LogFactory;
>>>> ++
>>>> ++/**
>>>> ++ * This XMLResolver is used whenever a secure XMLStreamReader
>>>> ++ * is needed. Basically it thows an exception if an attempt
>>>> ++ * is made to read an entity.
>>>> ++ */
>>>> ++public final class SecureXMLResolver implements XMLResolver {
>>>> ++
>>>> ++ private static Log log =
>>>> LogFactory.getLog(SecureXMLResolver.class);
>>>> ++ public Object resolveEntity(String arg0, String arg1, String arg2,
>>>> ++ String arg3) throws XMLStreamException {
>>>> ++ // Note Scheu:
>>>> ++ // Do not expose the name of the entity that was attempted
>>>> to be
>>>> ++ // read as this will reveal secure information to the client.
>>>> ++ if (log.isDebugEnabled()) {
>>>> ++ log.debug("resolveEntity is disabled because this is a
>>>> secure XMLStreamReader(" +
>>>> ++ arg0 + ") (" + arg1 + ") (" + arg2 + ") (" +
>>>> arg3 + ")");
>>>> ++ }
>>>> ++ throw new XMLStreamException("Reading external entities is
>>>> disabled");
>>>> ++ }
>>>> ++
>>>> ++}
>>>> +\ No newline at end of file
>>>> +
>>>> +Property changes on:
>>>>
>>>> modules\axiom-api\src\main\java\org\apache\axiom\om\util\SecureXMLResolver.java
>>>>
>>>> +___________________________________________________________________
>>>> +Name: svn:mime-type
>>>> + + text/plain
>>>> +Name: svn:keywords
>>>> + + Date Revision
>>>> +Name: svn:eol-style
>>>> + + native
>>>> +
>>>> +Index:
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
>>>> +===================================================================
>>>> +---
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
>>>> (revision 949978)
>>>> ++++
>>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
>>>> (working copy)
>>>> +@@ -113,6 +113,39 @@
>>>> + }
>>>> + });
>>>> +
>>>> ++ private static final Pool secureXmlInputFactoryPool =
>>>> ++ new Pool(new ObjectCreator[] { new ObjectCreator() {
>>>> ++ public Object newObject() {
>>>> ++ return AccessController.doPrivileged(new PrivilegedAction() {
>>>> ++ public Object run() {
>>>> ++ // return
>>>> XMLInputFactory.newInstance("javax.xml.stream.XMLInputFactory",
>>>> StAXUtils.class.getClassLoader());
>>>> ++ // TODO: Refactor this code when the FactoryFinder.class in
>>>> XLXP fixed and used instead of the Axis2-bundle version
>>>> ++ // Try to simulate the above to create XMLInputFactory using
>>>> the specific classloader
>>>> ++ // This it not quite the same since it will modify the
>>>> classloader for all classes
>>>> ++ Thread currentThread = Thread.currentThread();
>>>> ++ ClassLoader savedClassLoader =
>>>> currentThread.getContextClassLoader();
>>>> ++ XMLInputFactory factory = null;
>>>> ++ try {
>>>> ++
>>>> currentThread.setContextClassLoader(StAXUtils.class.getClassLoader());
>>>> ++ factory = XMLInputFactory.newInstance();
>>>> ++
>>>> ++ // The following setting disabled external entities...which
>>>> is a requirement
>>>> ++ // for network xml reading.
>>>> ++ setSecureProperties(factory);
>>>> ++ } finally {
>>>> ++ currentThread.setContextClassLoader(savedClassLoader);
>>>> ++ }
>>>> ++ return factory;
>>>> ++ }
>>>> ++ });
>>>> ++ }
>>>> ++ }, new ObjectCreator() {
>>>> ++ public Object newObject() {
>>>> ++ return XMLInputFactory.newInstance();
>>>> ++ }
>>>> ++ } });
>>>> ++
>>>> ++
>>>> + private static final Pool xmlOutputFactoryPool = new Pool(new
>>>> ObjectCreator[] {
>>>> + new ObjectCreator() {
>>>> + public Object newObject() {
>>>> +@@ -144,6 +177,106 @@
>>>> + }
>>>> + }
>>>> + });
>>>> ++
>>>> ++ /**
>>>> ++ * Gets an XMLInputFactory instance from pool.
>>>> ++ *
>>>> ++ * @return an XMLInputFactory instance.
>>>> ++ */
>>>> ++ private static XMLInputFactory getSecureXMLInputFactory() {
>>>> ++ return (XMLInputFactory) secureXmlInputFactoryPool.getInstance();
>>>> ++ }
>>>> ++
>>>> ++ /**
>>>> ++ * Returns an XMLInputFactory instance for reuse.
>>>> ++ *
>>>> ++ * @param factory An XMLInputFactory instance that is available
>>>> for reuse
>>>> ++ */
>>>> ++ private static void releaseSecureXMLInputFactory(XMLInputFactory
>>>> factory) {
>>>> ++ secureXmlInputFactoryPool.releaseInstance(factory);
>>>> ++ }
>>>> ++
>>>> ++ /**
>>>> ++ * Create an XMLStreamReader that will be used to read a stream for
>>>> ++ * an incoming message. We need to use more restrictive "secure"
>>>> properties
>>>> ++ * to ensure against attacks.
>>>> ++ * @param in
>>>> ++ * @param encoding
>>>> ++ * @return
>>>> ++ * @throws XMLStreamException
>>>> ++ */
>>>> ++ public static XMLStreamReader
>>>> createSecureXMLStreamReader(InputStream in, String encoding)
>>>> ++ throws XMLStreamException {
>>>> ++ XMLInputFactory inputFactory = getSecureXMLInputFactory();
>>>> ++ try {
>>>> ++ XMLStreamReader reader = inputFactory.createXMLStreamReader(in,
>>>> encoding);
>>>> ++ if (isDebugEnabled) {
>>>> ++ log.debug("XMLStreamReader is " + reader.getClass().getName());
>>>> ++ }
>>>> ++ return reader;
>>>> ++ } finally {
>>>> ++ releaseSecureXMLInputFactory(inputFactory);
>>>> ++ }
>>>> ++ }
>>>> ++
>>>> ++ /**
>>>> ++ * Create an XMLStreamReader that will be used to read a
>>>> stream for
>>>> ++ * an incoming message. We need to use more restrictive
>>>> "secure" properties
>>>> ++ * to ensure against attacks.
>>>> ++ * @param in
>>>> ++ * @return
>>>> ++ * @throws XMLStreamException
>>>> ++ */
>>>> ++ public static XMLStreamReader
>>>> createSecureXMLStreamReader(InputStream in) throws XMLStreamException {
>>>> ++ XMLInputFactory inputFactory = getSecureXMLInputFactory();
>>>> ++ try {
>>>> ++ XMLStreamReader reader =
>>>> inputFactory.createXMLStreamReader(in);
>>>> ++ if (isDebugEnabled) {
>>>> ++ log.debug("XMLStreamReader is " +
>>>> reader.getClass().getName());
>>>> ++ }
>>>> ++ return reader;
>>>> ++ } finally {
>>>> ++ releaseSecureXMLInputFactory(inputFactory);
>>>> ++ }
>>>> ++ }
>>>> ++
>>>> ++ /**
>>>> ++ * Create an XMLStreamReader that will be used to read a
>>>> stream for
>>>> ++ * an incoming message. We need to use more restrictive
>>>> "secure" properties
>>>> ++ * to ensure against attacks.
>>>> ++ *
>>>> ++ * @param in
>>>> ++ * @return
>>>> ++ * @throws XMLStreamException
>>>> ++ */
>>>> ++ public static XMLStreamReader
>>>> createSecureXMLStreamReader(Reader in) throws XMLStreamException {
>>>> ++ XMLInputFactory inputFactory = getXMLInputFactory();
>>>> ++ try {
>>>> ++ XMLStreamReader reader =
>>>> inputFactory.createXMLStreamReader(in);
>>>> ++ if (isDebugEnabled) {
>>>> ++ log.debug("XMLStreamReader is " +
>>>> reader.getClass().getName());
>>>> ++ }
>>>> ++ return reader;
>>>> ++ } finally {
>>>> ++ releaseSecureXMLInputFactory(inputFactory);
>>>> ++ }
>>>> ++ }
>>>> ++
>>>> ++ private static void setSecureProperties(XMLInputFactory f) {
>>>> ++ // The goal is to prevent tampering of the message
>>>> ++ // by external entities or denial of service
>>>> ++ // replacing entities.
>>>> ++ // Setting the following properties ensures this
>>>> goal
>>>> ++
>>>> f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES,
>>>> ++ Boolean.FALSE);
>>>> ++
>>>> f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES,
>>>> ++ Boolean.FALSE);
>>>> ++ f.setProperty(XMLInputFactory.SUPPORT_DTD,
>>>> ++ Boolean.FALSE);
>>>> ++ f.setXMLResolver(new SecureXMLResolver());
>>>> ++ }
>>>> ++
>>>> ++
>>>> +
>>>> +
>>>> + private static Log log = LogFactory.getLog(StAXUtils.class);
>>>>
>>>> Added:
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>>>
>>>> URL:
>>>>
>>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar?rev=953250&view=auto
>>>>
>>>>
>>>> ==============================================================================
>>>>
>>>> Binary file - no diff available.
>>>>
>>>> Propchange:
>>>>
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>>
>>>> svn:mime-type = application/java-archive
>>>>
>>>> Added: geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>>> URL:
>>>>
>>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt?rev=953250&view=auto
>>>>
>>>>
>>>> ==============================================================================
>>>>
>>>> --- geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>>> (added)
>>>> +++ geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>>> Thu Jun 10 08:45:57 2010
>>>> @@ -0,0 +1,30 @@
>>>> +Private Build of Axiom 1.2.5 for Geronimo.
>>>> +
>>>> +How to build Axiom 1.2.5
>>>> +---------------------------------
>>>> + Checkout the Axiom 1.2.5 tag
>>>> + svn co
>>>> http://svn.apache.org/repos/asf/webservices/commons/tags/axiom/1_2_5
>>>> +
>>>> +
>>>> +Apply the patch
>>>> +-----------------
>>>> + cd 1_2_5
>>>> + patch -p0 -i axiom_api.patch
>>>> +
>>>> +Build Axiom 1.2.5
>>>> +---------------
>>>> + cd 1_2_5
>>>> + mvn install
>>>> +
>>>> +Notes:
>>>> + - Use Sun 1.5.x and Maven 2.0.9 build.
>>>> +
>>>> +
>>>> +Patch Information
>>>> +-----------------
>>>> + axiom_api.patch - contains fixes for AXIS2-4450
>>>> +
>>>> +Copy patched jar files to appropriate locations
>>>> +-----------------------------------------------
>>>> + cd 1_2_5
>>>> + cp
>>>>
>>>> modules/axiom-api/target/axiom-api-1.2.5.jar<geronimo-root>/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>>>
>>>> \ No newline at end of file
>>>>
>>>> Propchange:
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>>>
>>>> ------------------------------------------------------------------------------
>>>>
>>>> svn:eol-style = native
>>>>
>>>> Propchange:
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>>>
>>>> ------------------------------------------------------------------------------
>>>>
>>>> svn:keywords = Date Revision
>>>>
>>>> Propchange:
>>>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>>>
>>>> ------------------------------------------------------------------------------
>>>>
>>>> svn:mime-type = text/plain
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>
Re: svn commit: r953250 - in /geronimo/server/branches/2.1/repository/org/apache:
axis2/ axis2/axis2-kernel/1.3-G20090406/ ws/ ws/commons/ ws/commons/axiom/
ws/commons/axiom/axiom-api/ ws/commons/axiom/axiom-api/1.2.5/
Posted by Rick McGuire <ri...@gmail.com>.
On 6/10/2010 9:53 AM, Donald Woods wrote:
> But we're going to instruct existing 2.1.x users to copy it over the
> existing jars in the server repository, right? Or are we going to
> instruct them to create an artifact-alias entry to map all usage to the
> new one (which may not work in all cases....)?
>
Using artifact-alias has been sort of an assumption in all of the
discussions I've seen. Giving two versions of a jar the same name seems
like a recipe for disaster.
Rick
>
> -Donald
>
>
> On 6/10/10 9:10 AM, Rick McGuire wrote:
>
>> Ashish,
>>
>> I think there are a couple of changes that need to be made for this update:
>>
>> 1) Since we're likely going to be making the Axis2 jar available for
>> download before we have the release complete, the timestamp in the jar
>> name should be updated so the different versions can be easily
>> distinguished.
>> 2) The checked in axiom jar should also carry a timestamp modifier
>> (e.g., axiom-api-1.2.5-20100610).
>>
>> Rick
>>
>> On 6/10/2010 4:45 AM, ashishjain@apache.org wrote:
>>
>>> Author: ashishjain
>>> Date: Thu Jun 10 08:45:57 2010
>>> New Revision: 953250
>>>
>>> URL: http://svn.apache.org/viewvc?rev=953250&view=rev
>>> Log:
>>> GERONIMO-5379 Fixes for geronimo custom AXIS2 for 2.1 branch
>>>
>>> Added:
>>>
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>>> geronimo/server/branches/2.1/repository/org/apache/ws/
>>>
>>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/
>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/
>>>
>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/
>>>
>>>
>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/
>>>
>>>
>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>> (with props)
>>>
>>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>> (with props)
>>> Modified:
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>>
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar
>>>
>>>
>>> Modified:
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>> URL:
>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT?rev=953250&r1=953249&r2=953250&view=diff
>>>
>>> ==============================================================================
>>>
>>> ---
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>> (original)
>>> +++
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>> Thu Jun 10 08:45:57 2010
>>> @@ -3,7 +3,7 @@ Private Build of Axis2 1.3 for Geronimo.
>>> How to build Axis2 1.3-G20090406:
>>> ---------------------------------
>>> Checkout the Axis2 1.3 tag
>>> - svn co
>>> http://svn.apache.org/repos/asf/webservices/axis2/tags/java/v1.3/
>>> axis2-1.3
>>> + svn co
>>> http://svn.apache.org/repos/asf/axis/axis2/java/core/tags/java/v1.3
>>>
>>>
>>> Apply the patches
>>> @@ -14,6 +14,7 @@ Apply the patches
>>> patch -p0 -i metadata.patch
>>> patch -p0 -i jaxws.patch
>>> patch -p0 -i kernel.patch
>>> + patch -p0 -i builder.patch
>>>
>>> Build Axis2 1.3
>>> ---------------
>>> @@ -32,6 +33,7 @@ Patch Information
>>> metadata.patch - contains fixes for SEI with overloaded methods
>>> jaxws.patch - contains fixes for AXIS2-3343 and RESTful invocations
>>> kernel.patch - contains fixes for AXIS2-4279
>>> + builder.patch - contains fixes for AXIS2-4450
>>>
>>> Copy patched jar files to appropriate locations
>>> -----------------------------------------------
>>>
>>> Modified:
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar
>>>
>>> URL:
>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar?rev=953250&r1=953249&r2=953250&view=diff
>>>
>>> ==============================================================================
>>>
>>> Binary files - no diff available.
>>>
>>> Added:
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>>> URL:
>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch?rev=953250&view=auto
>>>
>>> ==============================================================================
>>>
>>> ---
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>>> (added)
>>> +++
>>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>>> Thu Jun 10 08:45:57 2010
>>> @@ -0,0 +1,132 @@
>>> +Index: modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
>>> +===================================================================
>>> +--- modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
>>> (revision 952555)
>>> ++++ modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
>>> (working copy)
>>> +@@ -192,9 +192,9 @@
>>> + public static StAXBuilder getPOXBuilder(InputStream inStream,
>>> String charSetEnc)
>>> + throws XMLStreamException {
>>> + StAXBuilder builder;
>>> +- XMLStreamReader xmlreader =
>>> +- StAXUtils.createXMLStreamReader(inStream, charSetEnc);
>>> +- builder = new StAXOMBuilder(xmlreader);
>>> ++ XMLStreamReader xmlReader =
>>> StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
>>> ++ builder = new StAXOMBuilder(xmlReader);
>>> ++ ((StAXOMBuilder) builder).setAllowDTDandPI(false);
>>> + return builder;
>>> + }
>>> +
>>> +@@ -374,7 +374,7 @@
>>> + PushbackInputStream pis =
>>> getPushbackInputStream(attachments.getSOAPPartInputStream());
>>> + String actualCharSetEncoding = getCharSetEncoding(pis,
>>> charSetEncoding);
>>> +
>>> +- streamReader = StAXUtils.createXMLStreamReader(pis,
>>> actualCharSetEncoding);
>>> ++ streamReader =
>>> StAXUtils.createSecureXMLStreamReader(pis, actualCharSetEncoding);
>>> + } catch (IOException e) {
>>> + throw new XMLStreamException(e);
>>> + }
>>> +@@ -414,13 +414,16 @@
>>> + XOPAwareStAXOMBuilder stAXOMBuilder = new
>>> XOPAwareStAXOMBuilder(
>>> + streamReader, attachments);
>>> + builder = stAXOMBuilder;
>>> ++ ((XOPAwareStAXOMBuilder)
>>> builder).setAllowDTDandPI(false);
>>> +
>>> + } else if (attachments.getAttachmentSpecType().equals(
>>> + MTOMConstants.SWA_TYPE)) {
>>> + builder = new StAXOMBuilder(streamReader);
>>> ++ ((XOPAwareStAXOMBuilder)
>>> builder).setAllowDTDandPI(false);
>>> + } else if (attachments.getAttachmentSpecType().equals(
>>> + MTOMConstants.SWA_TYPE_12)) {
>>> + builder = new StAXOMBuilder(streamReader);
>>> ++ ((XOPAwareStAXOMBuilder)
>>> builder).setAllowDTDandPI(false);
>>> + }
>>> + }
>>> +
>>> +@@ -531,8 +534,8 @@
>>> + * @deprecated If some one really need this method, please shout.
>>> + */
>>> + public static StAXBuilder getBuilder(Reader in) throws
>>> XMLStreamException {
>>> +- XMLStreamReader xmlreader =
>>> StAXUtils.createXMLStreamReader(in);
>>> +- StAXBuilder builder = new StAXSOAPModelBuilder(xmlreader,
>>> null);
>>> ++ XMLStreamReader xmlReader =
>>> StAXUtils.createSecureXMLStreamReader(in);
>>> ++ StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader,
>>> null);
>>> + return builder;
>>> + }
>>> +
>>> +@@ -544,8 +547,10 @@
>>> + * @throws XMLStreamException
>>> + */
>>> + public static StAXBuilder getBuilder(InputStream inStream)
>>> throws XMLStreamException {
>>> +- XMLStreamReader xmlReader =
>>> StAXUtils.createXMLStreamReader(inStream);
>>> +- return new StAXOMBuilder(xmlReader);
>>> ++ XMLStreamReader xmlReader =
>>> StAXUtils.createSecureXMLStreamReader(inStream);
>>> ++ StAXBuilder builder = new StAXOMBuilder(xmlReader);
>>> ++ ((StAXOMBuilder) builder).setAllowDTDandPI(false);
>>> ++ return builder;
>>> + }
>>> +
>>> + /**
>>> +@@ -558,7 +563,7 @@
>>> + */
>>> + public static StAXBuilder getBuilder(InputStream inStream,
>>> String charSetEnc)
>>> + throws XMLStreamException {
>>> +- XMLStreamReader xmlReader =
>>> StAXUtils.createXMLStreamReader(inStream, charSetEnc);
>>> ++ XMLStreamReader xmlReader =
>>> StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
>>> + try {
>>> + StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader);
>>> + return builder;
>>> +@@ -580,7 +585,7 @@
>>> + * @throws XMLStreamException
>>> + */
>>> + public static StAXBuilder getSOAPBuilder(InputStream inStream)
>>> throws XMLStreamException {
>>> +- XMLStreamReader xmlReader =
>>> StAXUtils.createXMLStreamReader(inStream);
>>> ++ XMLStreamReader xmlReader =
>>> StAXUtils.createSecureXMLStreamReader(inStream);
>>> + try {
>>> + StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader);
>>> + return builder;
>>> +@@ -604,7 +609,7 @@
>>> + */
>>> + public static StAXBuilder getSOAPBuilder(InputStream inStream,
>>> String charSetEnc)
>>> + throws XMLStreamException {
>>> +- XMLStreamReader xmlReader =
>>> StAXUtils.createXMLStreamReader(inStream, charSetEnc);
>>> ++ XMLStreamReader xmlReader =
>>> StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
>>> + try {
>>> + StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader);
>>> + return builder;
>>> +@@ -621,8 +626,9 @@
>>> + public static StAXBuilder getBuilder(SOAPFactory soapFactory,
>>> InputStream in, String charSetEnc)
>>> + throws XMLStreamException {
>>> + StAXBuilder builder;
>>> +- XMLStreamReader xmlreader =
>>> StAXUtils.createXMLStreamReader(in, charSetEnc);
>>> +- builder = new StAXOMBuilder(soapFactory, xmlreader);
>>> ++ XMLStreamReader xmlReader =
>>> StAXUtils.createSecureXMLStreamReader(in, charSetEnc);
>>> ++ builder = new StAXOMBuilder(soapFactory, xmlReader);
>>> ++ ((StAXOMBuilder) builder).setAllowDTDandPI(false);
>>> + return builder;
>>> + }
>>> +
>>> +Index: modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
>>> +===================================================================
>>> +--- modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
>>> (revision 952555)
>>> ++++ modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
>>> (working copy)
>>> +@@ -51,7 +51,7 @@
>>> + String actualCharSetEncoding =
>>> BuilderUtil.getCharSetEncoding(pis, charSetEncoding);
>>> +
>>> + // Get the XMLStreamReader for this input stream
>>> +- streamReader = StAXUtils.createXMLStreamReader(pis,
>>> actualCharSetEncoding);
>>> ++ streamReader= StAXUtils.createSecureXMLStreamReader(pis,
>>> actualCharSetEncoding);
>>> + StAXBuilder builder = new
>>> MTOMStAXSOAPModelBuilder(streamReader,
>>> + attachments);
>>> + SOAPEnvelope envelope = (SOAPEnvelope)
>>> builder.getDocumentElement();
>>> +Index: modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
>>> +===================================================================
>>> +--- modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
>>> (revision 952555)
>>> ++++ modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
>>> (working copy)
>>> +@@ -48,7 +48,7 @@
>>> + String actualCharSetEncoding =
>>> BuilderUtil.getCharSetEncoding(pis, charSetEncoding);
>>> +
>>> + // Get the XMLStreamReader for this input stream
>>> +- streamReader = StAXUtils.createXMLStreamReader(pis,
>>> actualCharSetEncoding);
>>> ++ streamReader =
>>> StAXUtils.createSecureXMLStreamReader(pis, actualCharSetEncoding);
>>> +
>>> + StAXBuilder builder = new
>>> StAXSOAPModelBuilder(streamReader);
>>> + SOAPEnvelope envelope = (SOAPEnvelope)
>>> builder.getDocumentElement();
>>>
>>> Added:
>>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>>> URL:
>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch?rev=953250&view=auto
>>>
>>> ==============================================================================
>>>
>>> ---
>>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>>> (added)
>>> +++
>>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>>> Thu Jun 10 08:45:57 2010
>>> @@ -0,0 +1,267 @@
>>> +Index:
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
>>>
>>> +===================================================================
>>> +---
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
>>> (revision 949978)
>>> ++++
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
>>> (working copy)
>>> +@@ -52,6 +52,7 @@
>>> + private static final Log log =
>>> LogFactory.getLog(StAXOMBuilder.class);
>>> + private boolean doTrace = log.isDebugEnabled();
>>> + private static int nsCount = 0;
>>> ++ boolean allowDTDandPI = true;
>>> +
>>> + /**
>>> + * Constructor StAXOMBuilder.
>>> +@@ -309,6 +310,9 @@
>>> + * @throws OMException
>>> + */
>>> + protected OMNode createDTD() throws OMException {
>>> ++ if (!allowDTDandPI) {
>>> ++ throw new OMException("Inbound message MUST NOT contain
>>> a Document Type Declaration(DTD)");
>>> ++ }
>>> + if (!parser.hasText())
>>> + return null;
>>> + lastNode = omfactory.createOMDocType(document,
>>> parser.getText());
>>> +@@ -322,6 +326,9 @@
>>> + * @throws OMException
>>> + */
>>> + protected OMNode createPI() throws OMException {
>>> ++ if (!allowDTDandPI) {
>>> ++ throw new OMException("Inbound message MUST NOT contain
>>> Processing Instructions(PI)");
>>> ++ }
>>> + OMNode node;
>>> + String target = parser.getPITarget();
>>> + String data = parser.getPIData();
>>> +@@ -337,6 +344,20 @@
>>> + return node;
>>> + }
>>> +
>>> ++
>>> ++ /**
>>> ++ * @return true if Document Type Definitions and Processing
>>> Instructions are allowed
>>> ++ */
>>> ++ public boolean isAllowDTDandPI() {
>>> ++ return allowDTDandPI;
>>> ++ }
>>> ++
>>> ++ /**
>>> ++ * @param allowDTDandPI boolean
>>> ++ */
>>> ++ public void setAllowDTDandPI(boolean allowDTDandPI) {
>>> ++ this.allowDTDandPI = allowDTDandPI;
>>> ++ }
>>> + protected void endElement() {
>>> + if (lastNode.isComplete()) {
>>> + OMNodeEx parent = (OMNodeEx) lastNode.getParent();
>>> +Index:
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
>>>
>>> +===================================================================
>>> +---
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
>>> (revision 0)
>>> ++++
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
>>> (revision 0)
>>> +@@ -0,0 +1,47 @@
>>> ++/*
>>> ++ * Licensed to the Apache Software Foundation (ASF) under one
>>> ++ * or more contributor license agreements. See the NOTICE file
>>> ++ * distributed with this work for additional information
>>> ++ * regarding copyright ownership. The ASF licenses this file
>>> ++ * to you under the Apache License, Version 2.0 (the
>>> ++ * "License"); you may not use this file except in compliance
>>> ++ * with the License. You may obtain a copy of the License at
>>> ++ *
>>> ++ * http://www.apache.org/licenses/LICENSE-2.0
>>> ++ *
>>> ++ * Unless required by applicable law or agreed to in writing,
>>> ++ * software distributed under the License is distributed on an
>>> ++ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>>> ++ * KIND, either express or implied. See the License for the
>>> ++ * specific language governing permissions and limitations
>>> ++ * under the License.
>>> ++ */
>>> ++package org.apache.axiom.om.util;
>>> ++
>>> ++import javax.xml.stream.XMLResolver;
>>> ++import javax.xml.stream.XMLStreamException;
>>> ++
>>> ++import org.apache.commons.logging.Log;
>>> ++import org.apache.commons.logging.LogFactory;
>>> ++
>>> ++/**
>>> ++ * This XMLResolver is used whenever a secure XMLStreamReader
>>> ++ * is needed. Basically it thows an exception if an attempt
>>> ++ * is made to read an entity.
>>> ++ */
>>> ++public final class SecureXMLResolver implements XMLResolver {
>>> ++
>>> ++ private static Log log =
>>> LogFactory.getLog(SecureXMLResolver.class);
>>> ++ public Object resolveEntity(String arg0, String arg1, String arg2,
>>> ++ String arg3) throws XMLStreamException {
>>> ++ // Note Scheu:
>>> ++ // Do not expose the name of the entity that was attempted
>>> to be
>>> ++ // read as this will reveal secure information to the client.
>>> ++ if (log.isDebugEnabled()) {
>>> ++ log.debug("resolveEntity is disabled because this is a
>>> secure XMLStreamReader(" +
>>> ++ arg0 + ") (" + arg1 + ") (" + arg2 + ") (" +
>>> arg3 + ")");
>>> ++ }
>>> ++ throw new XMLStreamException("Reading external entities is
>>> disabled");
>>> ++ }
>>> ++
>>> ++}
>>> +\ No newline at end of file
>>> +
>>> +Property changes on:
>>> modules\axiom-api\src\main\java\org\apache\axiom\om\util\SecureXMLResolver.java
>>>
>>> +___________________________________________________________________
>>> +Name: svn:mime-type
>>> + + text/plain
>>> +Name: svn:keywords
>>> + + Date Revision
>>> +Name: svn:eol-style
>>> + + native
>>> +
>>> +Index:
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
>>> +===================================================================
>>> +---
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
>>> (revision 949978)
>>> ++++
>>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
>>> (working copy)
>>> +@@ -113,6 +113,39 @@
>>> + }
>>> + });
>>> +
>>> ++ private static final Pool secureXmlInputFactoryPool =
>>> ++ new Pool(new ObjectCreator[] { new ObjectCreator() {
>>> ++ public Object newObject() {
>>> ++ return AccessController.doPrivileged(new PrivilegedAction() {
>>> ++ public Object run() {
>>> ++ // return
>>> XMLInputFactory.newInstance("javax.xml.stream.XMLInputFactory",
>>> StAXUtils.class.getClassLoader());
>>> ++ // TODO: Refactor this code when the FactoryFinder.class in
>>> XLXP fixed and used instead of the Axis2-bundle version
>>> ++ // Try to simulate the above to create XMLInputFactory using
>>> the specific classloader
>>> ++ // This it not quite the same since it will modify the
>>> classloader for all classes
>>> ++ Thread currentThread = Thread.currentThread();
>>> ++ ClassLoader savedClassLoader =
>>> currentThread.getContextClassLoader();
>>> ++ XMLInputFactory factory = null;
>>> ++ try {
>>> ++
>>> currentThread.setContextClassLoader(StAXUtils.class.getClassLoader());
>>> ++ factory = XMLInputFactory.newInstance();
>>> ++
>>> ++ // The following setting disabled external entities...which
>>> is a requirement
>>> ++ // for network xml reading.
>>> ++ setSecureProperties(factory);
>>> ++ } finally {
>>> ++ currentThread.setContextClassLoader(savedClassLoader);
>>> ++ }
>>> ++ return factory;
>>> ++ }
>>> ++ });
>>> ++ }
>>> ++ }, new ObjectCreator() {
>>> ++ public Object newObject() {
>>> ++ return XMLInputFactory.newInstance();
>>> ++ }
>>> ++ } });
>>> ++
>>> ++
>>> + private static final Pool xmlOutputFactoryPool = new Pool(new
>>> ObjectCreator[] {
>>> + new ObjectCreator() {
>>> + public Object newObject() {
>>> +@@ -144,6 +177,106 @@
>>> + }
>>> + }
>>> + });
>>> ++
>>> ++ /**
>>> ++ * Gets an XMLInputFactory instance from pool.
>>> ++ *
>>> ++ * @return an XMLInputFactory instance.
>>> ++ */
>>> ++ private static XMLInputFactory getSecureXMLInputFactory() {
>>> ++ return (XMLInputFactory) secureXmlInputFactoryPool.getInstance();
>>> ++ }
>>> ++
>>> ++ /**
>>> ++ * Returns an XMLInputFactory instance for reuse.
>>> ++ *
>>> ++ * @param factory An XMLInputFactory instance that is available
>>> for reuse
>>> ++ */
>>> ++ private static void releaseSecureXMLInputFactory(XMLInputFactory
>>> factory) {
>>> ++ secureXmlInputFactoryPool.releaseInstance(factory);
>>> ++ }
>>> ++
>>> ++ /**
>>> ++ * Create an XMLStreamReader that will be used to read a stream for
>>> ++ * an incoming message. We need to use more restrictive "secure"
>>> properties
>>> ++ * to ensure against attacks.
>>> ++ * @param in
>>> ++ * @param encoding
>>> ++ * @return
>>> ++ * @throws XMLStreamException
>>> ++ */
>>> ++ public static XMLStreamReader
>>> createSecureXMLStreamReader(InputStream in, String encoding)
>>> ++ throws XMLStreamException {
>>> ++ XMLInputFactory inputFactory = getSecureXMLInputFactory();
>>> ++ try {
>>> ++ XMLStreamReader reader = inputFactory.createXMLStreamReader(in,
>>> encoding);
>>> ++ if (isDebugEnabled) {
>>> ++ log.debug("XMLStreamReader is " + reader.getClass().getName());
>>> ++ }
>>> ++ return reader;
>>> ++ } finally {
>>> ++ releaseSecureXMLInputFactory(inputFactory);
>>> ++ }
>>> ++ }
>>> ++
>>> ++ /**
>>> ++ * Create an XMLStreamReader that will be used to read a
>>> stream for
>>> ++ * an incoming message. We need to use more restrictive
>>> "secure" properties
>>> ++ * to ensure against attacks.
>>> ++ * @param in
>>> ++ * @return
>>> ++ * @throws XMLStreamException
>>> ++ */
>>> ++ public static XMLStreamReader
>>> createSecureXMLStreamReader(InputStream in) throws XMLStreamException {
>>> ++ XMLInputFactory inputFactory = getSecureXMLInputFactory();
>>> ++ try {
>>> ++ XMLStreamReader reader =
>>> inputFactory.createXMLStreamReader(in);
>>> ++ if (isDebugEnabled) {
>>> ++ log.debug("XMLStreamReader is " +
>>> reader.getClass().getName());
>>> ++ }
>>> ++ return reader;
>>> ++ } finally {
>>> ++ releaseSecureXMLInputFactory(inputFactory);
>>> ++ }
>>> ++ }
>>> ++
>>> ++ /**
>>> ++ * Create an XMLStreamReader that will be used to read a
>>> stream for
>>> ++ * an incoming message. We need to use more restrictive
>>> "secure" properties
>>> ++ * to ensure against attacks.
>>> ++ *
>>> ++ * @param in
>>> ++ * @return
>>> ++ * @throws XMLStreamException
>>> ++ */
>>> ++ public static XMLStreamReader
>>> createSecureXMLStreamReader(Reader in) throws XMLStreamException {
>>> ++ XMLInputFactory inputFactory = getXMLInputFactory();
>>> ++ try {
>>> ++ XMLStreamReader reader =
>>> inputFactory.createXMLStreamReader(in);
>>> ++ if (isDebugEnabled) {
>>> ++ log.debug("XMLStreamReader is " +
>>> reader.getClass().getName());
>>> ++ }
>>> ++ return reader;
>>> ++ } finally {
>>> ++ releaseSecureXMLInputFactory(inputFactory);
>>> ++ }
>>> ++ }
>>> ++
>>> ++ private static void setSecureProperties(XMLInputFactory f) {
>>> ++ // The goal is to prevent tampering of the message
>>> ++ // by external entities or denial of service
>>> ++ // replacing entities.
>>> ++ // Setting the following properties ensures this goal
>>> ++
>>> f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES,
>>> ++ Boolean.FALSE);
>>> ++
>>> f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES,
>>> ++ Boolean.FALSE);
>>> ++ f.setProperty(XMLInputFactory.SUPPORT_DTD,
>>> ++ Boolean.FALSE);
>>> ++ f.setXMLResolver(new SecureXMLResolver());
>>> ++ }
>>> ++
>>> ++
>>> +
>>> +
>>> + private static Log log = LogFactory.getLog(StAXUtils.class);
>>>
>>> Added:
>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>>
>>> URL:
>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar?rev=953250&view=auto
>>>
>>> ==============================================================================
>>>
>>> Binary file - no diff available.
>>>
>>> Propchange:
>>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>>
>>> ------------------------------------------------------------------------------
>>>
>>> svn:mime-type = application/java-archive
>>>
>>> Added: geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>> URL:
>>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt?rev=953250&view=auto
>>>
>>> ==============================================================================
>>>
>>> --- geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>> (added)
>>> +++ geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>> Thu Jun 10 08:45:57 2010
>>> @@ -0,0 +1,30 @@
>>> +Private Build of Axiom 1.2.5 for Geronimo.
>>> +
>>> +How to build Axiom 1.2.5
>>> +---------------------------------
>>> + Checkout the Axiom 1.2.5 tag
>>> + svn co
>>> http://svn.apache.org/repos/asf/webservices/commons/tags/axiom/1_2_5
>>> +
>>> +
>>> +Apply the patch
>>> +-----------------
>>> + cd 1_2_5
>>> + patch -p0 -i axiom_api.patch
>>> +
>>> +Build Axiom 1.2.5
>>> +---------------
>>> + cd 1_2_5
>>> + mvn install
>>> +
>>> +Notes:
>>> + - Use Sun 1.5.x and Maven 2.0.9 build.
>>> +
>>> +
>>> +Patch Information
>>> +-----------------
>>> + axiom_api.patch - contains fixes for AXIS2-4450
>>> +
>>> +Copy patched jar files to appropriate locations
>>> +-----------------------------------------------
>>> + cd 1_2_5
>>> + cp
>>> modules/axiom-api/target/axiom-api-1.2.5.jar<geronimo-root>/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>>
>>> \ No newline at end of file
>>>
>>> Propchange:
>>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>> ------------------------------------------------------------------------------
>>>
>>> svn:eol-style = native
>>>
>>> Propchange:
>>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>> ------------------------------------------------------------------------------
>>>
>>> svn:keywords = Date Revision
>>>
>>> Propchange:
>>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>>> ------------------------------------------------------------------------------
>>>
>>> svn:mime-type = text/plain
>>>
>>>
>>>
>>>
>>>
>>
>>
>
Re: svn commit: r953250 - in /geronimo/server/branches/2.1/repository/org/apache:
axis2/ axis2/axis2-kernel/1.3-G20090406/ ws/ ws/commons/ ws/commons/axiom/
ws/commons/axiom/axiom-api/ ws/commons/axiom/axiom-api/1.2.5/
Posted by Donald Woods <dw...@apache.org>.
But we're going to instruct existing 2.1.x users to copy it over the
existing jars in the server repository, right? Or are we going to
instruct them to create an artifact-alias entry to map all usage to the
new one (which may not work in all cases....)?
-Donald
On 6/10/10 9:10 AM, Rick McGuire wrote:
> Ashish,
>
> I think there are a couple of changes that need to be made for this update:
>
> 1) Since we're likely going to be making the Axis2 jar available for
> download before we have the release complete, the timestamp in the jar
> name should be updated so the different versions can be easily
> distinguished.
> 2) The checked in axiom jar should also carry a timestamp modifier
> (e.g., axiom-api-1.2.5-20100610).
>
> Rick
>
> On 6/10/2010 4:45 AM, ashishjain@apache.org wrote:
>> Author: ashishjain
>> Date: Thu Jun 10 08:45:57 2010
>> New Revision: 953250
>>
>> URL: http://svn.apache.org/viewvc?rev=953250&view=rev
>> Log:
>> GERONIMO-5379 Fixes for geronimo custom AXIS2 for 2.1 branch
>>
>> Added:
>>
>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>> geronimo/server/branches/2.1/repository/org/apache/ws/
>>
>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/
>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/
>>
>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/
>>
>>
>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/
>>
>>
>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>> (with props)
>>
>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>> (with props)
>> Modified:
>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>>
>> geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar
>>
>>
>> Modified:
>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>> URL:
>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT?rev=953250&r1=953249&r2=953250&view=diff
>>
>> ==============================================================================
>>
>> ---
>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>> (original)
>> +++
>> geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
>> Thu Jun 10 08:45:57 2010
>> @@ -3,7 +3,7 @@ Private Build of Axis2 1.3 for Geronimo.
>> How to build Axis2 1.3-G20090406:
>> ---------------------------------
>> Checkout the Axis2 1.3 tag
>> - svn co
>> http://svn.apache.org/repos/asf/webservices/axis2/tags/java/v1.3/
>> axis2-1.3
>> + svn co
>> http://svn.apache.org/repos/asf/axis/axis2/java/core/tags/java/v1.3
>>
>>
>> Apply the patches
>> @@ -14,6 +14,7 @@ Apply the patches
>> patch -p0 -i metadata.patch
>> patch -p0 -i jaxws.patch
>> patch -p0 -i kernel.patch
>> + patch -p0 -i builder.patch
>>
>> Build Axis2 1.3
>> ---------------
>> @@ -32,6 +33,7 @@ Patch Information
>> metadata.patch - contains fixes for SEI with overloaded methods
>> jaxws.patch - contains fixes for AXIS2-3343 and RESTful invocations
>> kernel.patch - contains fixes for AXIS2-4279
>> + builder.patch - contains fixes for AXIS2-4450
>>
>> Copy patched jar files to appropriate locations
>> -----------------------------------------------
>>
>> Modified:
>> geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar
>>
>> URL:
>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar?rev=953250&r1=953249&r2=953250&view=diff
>>
>> ==============================================================================
>>
>> Binary files - no diff available.
>>
>> Added:
>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>> URL:
>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch?rev=953250&view=auto
>>
>> ==============================================================================
>>
>> ---
>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>> (added)
>> +++
>> geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
>> Thu Jun 10 08:45:57 2010
>> @@ -0,0 +1,132 @@
>> +Index: modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
>> +===================================================================
>> +--- modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
>> (revision 952555)
>> ++++ modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
>> (working copy)
>> +@@ -192,9 +192,9 @@
>> + public static StAXBuilder getPOXBuilder(InputStream inStream,
>> String charSetEnc)
>> + throws XMLStreamException {
>> + StAXBuilder builder;
>> +- XMLStreamReader xmlreader =
>> +- StAXUtils.createXMLStreamReader(inStream, charSetEnc);
>> +- builder = new StAXOMBuilder(xmlreader);
>> ++ XMLStreamReader xmlReader =
>> StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
>> ++ builder = new StAXOMBuilder(xmlReader);
>> ++ ((StAXOMBuilder) builder).setAllowDTDandPI(false);
>> + return builder;
>> + }
>> +
>> +@@ -374,7 +374,7 @@
>> + PushbackInputStream pis =
>> getPushbackInputStream(attachments.getSOAPPartInputStream());
>> + String actualCharSetEncoding = getCharSetEncoding(pis,
>> charSetEncoding);
>> +
>> +- streamReader = StAXUtils.createXMLStreamReader(pis,
>> actualCharSetEncoding);
>> ++ streamReader =
>> StAXUtils.createSecureXMLStreamReader(pis, actualCharSetEncoding);
>> + } catch (IOException e) {
>> + throw new XMLStreamException(e);
>> + }
>> +@@ -414,13 +414,16 @@
>> + XOPAwareStAXOMBuilder stAXOMBuilder = new
>> XOPAwareStAXOMBuilder(
>> + streamReader, attachments);
>> + builder = stAXOMBuilder;
>> ++ ((XOPAwareStAXOMBuilder)
>> builder).setAllowDTDandPI(false);
>> +
>> + } else if (attachments.getAttachmentSpecType().equals(
>> + MTOMConstants.SWA_TYPE)) {
>> + builder = new StAXOMBuilder(streamReader);
>> ++ ((XOPAwareStAXOMBuilder)
>> builder).setAllowDTDandPI(false);
>> + } else if (attachments.getAttachmentSpecType().equals(
>> + MTOMConstants.SWA_TYPE_12)) {
>> + builder = new StAXOMBuilder(streamReader);
>> ++ ((XOPAwareStAXOMBuilder)
>> builder).setAllowDTDandPI(false);
>> + }
>> + }
>> +
>> +@@ -531,8 +534,8 @@
>> + * @deprecated If some one really need this method, please shout.
>> + */
>> + public static StAXBuilder getBuilder(Reader in) throws
>> XMLStreamException {
>> +- XMLStreamReader xmlreader =
>> StAXUtils.createXMLStreamReader(in);
>> +- StAXBuilder builder = new StAXSOAPModelBuilder(xmlreader,
>> null);
>> ++ XMLStreamReader xmlReader =
>> StAXUtils.createSecureXMLStreamReader(in);
>> ++ StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader,
>> null);
>> + return builder;
>> + }
>> +
>> +@@ -544,8 +547,10 @@
>> + * @throws XMLStreamException
>> + */
>> + public static StAXBuilder getBuilder(InputStream inStream)
>> throws XMLStreamException {
>> +- XMLStreamReader xmlReader =
>> StAXUtils.createXMLStreamReader(inStream);
>> +- return new StAXOMBuilder(xmlReader);
>> ++ XMLStreamReader xmlReader =
>> StAXUtils.createSecureXMLStreamReader(inStream);
>> ++ StAXBuilder builder = new StAXOMBuilder(xmlReader);
>> ++ ((StAXOMBuilder) builder).setAllowDTDandPI(false);
>> ++ return builder;
>> + }
>> +
>> + /**
>> +@@ -558,7 +563,7 @@
>> + */
>> + public static StAXBuilder getBuilder(InputStream inStream,
>> String charSetEnc)
>> + throws XMLStreamException {
>> +- XMLStreamReader xmlReader =
>> StAXUtils.createXMLStreamReader(inStream, charSetEnc);
>> ++ XMLStreamReader xmlReader =
>> StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
>> + try {
>> + StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader);
>> + return builder;
>> +@@ -580,7 +585,7 @@
>> + * @throws XMLStreamException
>> + */
>> + public static StAXBuilder getSOAPBuilder(InputStream inStream)
>> throws XMLStreamException {
>> +- XMLStreamReader xmlReader =
>> StAXUtils.createXMLStreamReader(inStream);
>> ++ XMLStreamReader xmlReader =
>> StAXUtils.createSecureXMLStreamReader(inStream);
>> + try {
>> + StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader);
>> + return builder;
>> +@@ -604,7 +609,7 @@
>> + */
>> + public static StAXBuilder getSOAPBuilder(InputStream inStream,
>> String charSetEnc)
>> + throws XMLStreamException {
>> +- XMLStreamReader xmlReader =
>> StAXUtils.createXMLStreamReader(inStream, charSetEnc);
>> ++ XMLStreamReader xmlReader =
>> StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
>> + try {
>> + StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader);
>> + return builder;
>> +@@ -621,8 +626,9 @@
>> + public static StAXBuilder getBuilder(SOAPFactory soapFactory,
>> InputStream in, String charSetEnc)
>> + throws XMLStreamException {
>> + StAXBuilder builder;
>> +- XMLStreamReader xmlreader =
>> StAXUtils.createXMLStreamReader(in, charSetEnc);
>> +- builder = new StAXOMBuilder(soapFactory, xmlreader);
>> ++ XMLStreamReader xmlReader =
>> StAXUtils.createSecureXMLStreamReader(in, charSetEnc);
>> ++ builder = new StAXOMBuilder(soapFactory, xmlReader);
>> ++ ((StAXOMBuilder) builder).setAllowDTDandPI(false);
>> + return builder;
>> + }
>> +
>> +Index: modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
>> +===================================================================
>> +--- modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
>> (revision 952555)
>> ++++ modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
>> (working copy)
>> +@@ -51,7 +51,7 @@
>> + String actualCharSetEncoding =
>> BuilderUtil.getCharSetEncoding(pis, charSetEncoding);
>> +
>> + // Get the XMLStreamReader for this input stream
>> +- streamReader = StAXUtils.createXMLStreamReader(pis,
>> actualCharSetEncoding);
>> ++ streamReader= StAXUtils.createSecureXMLStreamReader(pis,
>> actualCharSetEncoding);
>> + StAXBuilder builder = new
>> MTOMStAXSOAPModelBuilder(streamReader,
>> + attachments);
>> + SOAPEnvelope envelope = (SOAPEnvelope)
>> builder.getDocumentElement();
>> +Index: modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
>> +===================================================================
>> +--- modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
>> (revision 952555)
>> ++++ modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
>> (working copy)
>> +@@ -48,7 +48,7 @@
>> + String actualCharSetEncoding =
>> BuilderUtil.getCharSetEncoding(pis, charSetEncoding);
>> +
>> + // Get the XMLStreamReader for this input stream
>> +- streamReader = StAXUtils.createXMLStreamReader(pis,
>> actualCharSetEncoding);
>> ++ streamReader =
>> StAXUtils.createSecureXMLStreamReader(pis, actualCharSetEncoding);
>> +
>> + StAXBuilder builder = new
>> StAXSOAPModelBuilder(streamReader);
>> + SOAPEnvelope envelope = (SOAPEnvelope)
>> builder.getDocumentElement();
>>
>> Added:
>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>> URL:
>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch?rev=953250&view=auto
>>
>> ==============================================================================
>>
>> ---
>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>> (added)
>> +++
>> geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
>> Thu Jun 10 08:45:57 2010
>> @@ -0,0 +1,267 @@
>> +Index:
>> modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
>>
>> +===================================================================
>> +---
>> modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
>> (revision 949978)
>> ++++
>> modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
>> (working copy)
>> +@@ -52,6 +52,7 @@
>> + private static final Log log =
>> LogFactory.getLog(StAXOMBuilder.class);
>> + private boolean doTrace = log.isDebugEnabled();
>> + private static int nsCount = 0;
>> ++ boolean allowDTDandPI = true;
>> +
>> + /**
>> + * Constructor StAXOMBuilder.
>> +@@ -309,6 +310,9 @@
>> + * @throws OMException
>> + */
>> + protected OMNode createDTD() throws OMException {
>> ++ if (!allowDTDandPI) {
>> ++ throw new OMException("Inbound message MUST NOT contain
>> a Document Type Declaration(DTD)");
>> ++ }
>> + if (!parser.hasText())
>> + return null;
>> + lastNode = omfactory.createOMDocType(document,
>> parser.getText());
>> +@@ -322,6 +326,9 @@
>> + * @throws OMException
>> + */
>> + protected OMNode createPI() throws OMException {
>> ++ if (!allowDTDandPI) {
>> ++ throw new OMException("Inbound message MUST NOT contain
>> Processing Instructions(PI)");
>> ++ }
>> + OMNode node;
>> + String target = parser.getPITarget();
>> + String data = parser.getPIData();
>> +@@ -337,6 +344,20 @@
>> + return node;
>> + }
>> +
>> ++
>> ++ /**
>> ++ * @return true if Document Type Definitions and Processing
>> Instructions are allowed
>> ++ */
>> ++ public boolean isAllowDTDandPI() {
>> ++ return allowDTDandPI;
>> ++ }
>> ++
>> ++ /**
>> ++ * @param allowDTDandPI boolean
>> ++ */
>> ++ public void setAllowDTDandPI(boolean allowDTDandPI) {
>> ++ this.allowDTDandPI = allowDTDandPI;
>> ++ }
>> + protected void endElement() {
>> + if (lastNode.isComplete()) {
>> + OMNodeEx parent = (OMNodeEx) lastNode.getParent();
>> +Index:
>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
>>
>> +===================================================================
>> +---
>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
>> (revision 0)
>> ++++
>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
>> (revision 0)
>> +@@ -0,0 +1,47 @@
>> ++/*
>> ++ * Licensed to the Apache Software Foundation (ASF) under one
>> ++ * or more contributor license agreements. See the NOTICE file
>> ++ * distributed with this work for additional information
>> ++ * regarding copyright ownership. The ASF licenses this file
>> ++ * to you under the Apache License, Version 2.0 (the
>> ++ * "License"); you may not use this file except in compliance
>> ++ * with the License. You may obtain a copy of the License at
>> ++ *
>> ++ * http://www.apache.org/licenses/LICENSE-2.0
>> ++ *
>> ++ * Unless required by applicable law or agreed to in writing,
>> ++ * software distributed under the License is distributed on an
>> ++ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
>> ++ * KIND, either express or implied. See the License for the
>> ++ * specific language governing permissions and limitations
>> ++ * under the License.
>> ++ */
>> ++package org.apache.axiom.om.util;
>> ++
>> ++import javax.xml.stream.XMLResolver;
>> ++import javax.xml.stream.XMLStreamException;
>> ++
>> ++import org.apache.commons.logging.Log;
>> ++import org.apache.commons.logging.LogFactory;
>> ++
>> ++/**
>> ++ * This XMLResolver is used whenever a secure XMLStreamReader
>> ++ * is needed. Basically it thows an exception if an attempt
>> ++ * is made to read an entity.
>> ++ */
>> ++public final class SecureXMLResolver implements XMLResolver {
>> ++
>> ++ private static Log log =
>> LogFactory.getLog(SecureXMLResolver.class);
>> ++ public Object resolveEntity(String arg0, String arg1, String arg2,
>> ++ String arg3) throws XMLStreamException {
>> ++ // Note Scheu:
>> ++ // Do not expose the name of the entity that was attempted
>> to be
>> ++ // read as this will reveal secure information to the client.
>> ++ if (log.isDebugEnabled()) {
>> ++ log.debug("resolveEntity is disabled because this is a
>> secure XMLStreamReader(" +
>> ++ arg0 + ") (" + arg1 + ") (" + arg2 + ") (" +
>> arg3 + ")");
>> ++ }
>> ++ throw new XMLStreamException("Reading external entities is
>> disabled");
>> ++ }
>> ++
>> ++}
>> +\ No newline at end of file
>> +
>> +Property changes on:
>> modules\axiom-api\src\main\java\org\apache\axiom\om\util\SecureXMLResolver.java
>>
>> +___________________________________________________________________
>> +Name: svn:mime-type
>> + + text/plain
>> +Name: svn:keywords
>> + + Date Revision
>> +Name: svn:eol-style
>> + + native
>> +
>> +Index:
>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
>> +===================================================================
>> +---
>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
>> (revision 949978)
>> ++++
>> modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
>> (working copy)
>> +@@ -113,6 +113,39 @@
>> + }
>> + });
>> +
>> ++ private static final Pool secureXmlInputFactoryPool =
>> ++ new Pool(new ObjectCreator[] { new ObjectCreator() {
>> ++ public Object newObject() {
>> ++ return AccessController.doPrivileged(new PrivilegedAction() {
>> ++ public Object run() {
>> ++ // return
>> XMLInputFactory.newInstance("javax.xml.stream.XMLInputFactory",
>> StAXUtils.class.getClassLoader());
>> ++ // TODO: Refactor this code when the FactoryFinder.class in
>> XLXP fixed and used instead of the Axis2-bundle version
>> ++ // Try to simulate the above to create XMLInputFactory using
>> the specific classloader
>> ++ // This it not quite the same since it will modify the
>> classloader for all classes
>> ++ Thread currentThread = Thread.currentThread();
>> ++ ClassLoader savedClassLoader =
>> currentThread.getContextClassLoader();
>> ++ XMLInputFactory factory = null;
>> ++ try {
>> ++
>> currentThread.setContextClassLoader(StAXUtils.class.getClassLoader());
>> ++ factory = XMLInputFactory.newInstance();
>> ++
>> ++ // The following setting disabled external entities...which
>> is a requirement
>> ++ // for network xml reading.
>> ++ setSecureProperties(factory);
>> ++ } finally {
>> ++ currentThread.setContextClassLoader(savedClassLoader);
>> ++ }
>> ++ return factory;
>> ++ }
>> ++ });
>> ++ }
>> ++ }, new ObjectCreator() {
>> ++ public Object newObject() {
>> ++ return XMLInputFactory.newInstance();
>> ++ }
>> ++ } });
>> ++
>> ++
>> + private static final Pool xmlOutputFactoryPool = new Pool(new
>> ObjectCreator[] {
>> + new ObjectCreator() {
>> + public Object newObject() {
>> +@@ -144,6 +177,106 @@
>> + }
>> + }
>> + });
>> ++
>> ++ /**
>> ++ * Gets an XMLInputFactory instance from pool.
>> ++ *
>> ++ * @return an XMLInputFactory instance.
>> ++ */
>> ++ private static XMLInputFactory getSecureXMLInputFactory() {
>> ++ return (XMLInputFactory) secureXmlInputFactoryPool.getInstance();
>> ++ }
>> ++
>> ++ /**
>> ++ * Returns an XMLInputFactory instance for reuse.
>> ++ *
>> ++ * @param factory An XMLInputFactory instance that is available
>> for reuse
>> ++ */
>> ++ private static void releaseSecureXMLInputFactory(XMLInputFactory
>> factory) {
>> ++ secureXmlInputFactoryPool.releaseInstance(factory);
>> ++ }
>> ++
>> ++ /**
>> ++ * Create an XMLStreamReader that will be used to read a stream for
>> ++ * an incoming message. We need to use more restrictive "secure"
>> properties
>> ++ * to ensure against attacks.
>> ++ * @param in
>> ++ * @param encoding
>> ++ * @return
>> ++ * @throws XMLStreamException
>> ++ */
>> ++ public static XMLStreamReader
>> createSecureXMLStreamReader(InputStream in, String encoding)
>> ++ throws XMLStreamException {
>> ++ XMLInputFactory inputFactory = getSecureXMLInputFactory();
>> ++ try {
>> ++ XMLStreamReader reader = inputFactory.createXMLStreamReader(in,
>> encoding);
>> ++ if (isDebugEnabled) {
>> ++ log.debug("XMLStreamReader is " + reader.getClass().getName());
>> ++ }
>> ++ return reader;
>> ++ } finally {
>> ++ releaseSecureXMLInputFactory(inputFactory);
>> ++ }
>> ++ }
>> ++
>> ++ /**
>> ++ * Create an XMLStreamReader that will be used to read a
>> stream for
>> ++ * an incoming message. We need to use more restrictive
>> "secure" properties
>> ++ * to ensure against attacks.
>> ++ * @param in
>> ++ * @return
>> ++ * @throws XMLStreamException
>> ++ */
>> ++ public static XMLStreamReader
>> createSecureXMLStreamReader(InputStream in) throws XMLStreamException {
>> ++ XMLInputFactory inputFactory = getSecureXMLInputFactory();
>> ++ try {
>> ++ XMLStreamReader reader =
>> inputFactory.createXMLStreamReader(in);
>> ++ if (isDebugEnabled) {
>> ++ log.debug("XMLStreamReader is " +
>> reader.getClass().getName());
>> ++ }
>> ++ return reader;
>> ++ } finally {
>> ++ releaseSecureXMLInputFactory(inputFactory);
>> ++ }
>> ++ }
>> ++
>> ++ /**
>> ++ * Create an XMLStreamReader that will be used to read a
>> stream for
>> ++ * an incoming message. We need to use more restrictive
>> "secure" properties
>> ++ * to ensure against attacks.
>> ++ *
>> ++ * @param in
>> ++ * @return
>> ++ * @throws XMLStreamException
>> ++ */
>> ++ public static XMLStreamReader
>> createSecureXMLStreamReader(Reader in) throws XMLStreamException {
>> ++ XMLInputFactory inputFactory = getXMLInputFactory();
>> ++ try {
>> ++ XMLStreamReader reader =
>> inputFactory.createXMLStreamReader(in);
>> ++ if (isDebugEnabled) {
>> ++ log.debug("XMLStreamReader is " +
>> reader.getClass().getName());
>> ++ }
>> ++ return reader;
>> ++ } finally {
>> ++ releaseSecureXMLInputFactory(inputFactory);
>> ++ }
>> ++ }
>> ++
>> ++ private static void setSecureProperties(XMLInputFactory f) {
>> ++ // The goal is to prevent tampering of the message
>> ++ // by external entities or denial of service
>> ++ // replacing entities.
>> ++ // Setting the following properties ensures this goal
>> ++
>> f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES,
>> ++ Boolean.FALSE);
>> ++
>> f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES,
>> ++ Boolean.FALSE);
>> ++ f.setProperty(XMLInputFactory.SUPPORT_DTD,
>> ++ Boolean.FALSE);
>> ++ f.setXMLResolver(new SecureXMLResolver());
>> ++ }
>> ++
>> ++
>> +
>> +
>> + private static Log log = LogFactory.getLog(StAXUtils.class);
>>
>> Added:
>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>
>> URL:
>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar?rev=953250&view=auto
>>
>> ==============================================================================
>>
>> Binary file - no diff available.
>>
>> Propchange:
>> geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>
>> ------------------------------------------------------------------------------
>>
>> svn:mime-type = application/java-archive
>>
>> Added: geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>> URL:
>> http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt?rev=953250&view=auto
>>
>> ==============================================================================
>>
>> --- geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>> (added)
>> +++ geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>> Thu Jun 10 08:45:57 2010
>> @@ -0,0 +1,30 @@
>> +Private Build of Axiom 1.2.5 for Geronimo.
>> +
>> +How to build Axiom 1.2.5
>> +---------------------------------
>> + Checkout the Axiom 1.2.5 tag
>> + svn co
>> http://svn.apache.org/repos/asf/webservices/commons/tags/axiom/1_2_5
>> +
>> +
>> +Apply the patch
>> +-----------------
>> + cd 1_2_5
>> + patch -p0 -i axiom_api.patch
>> +
>> +Build Axiom 1.2.5
>> +---------------
>> + cd 1_2_5
>> + mvn install
>> +
>> +Notes:
>> + - Use Sun 1.5.x and Maven 2.0.9 build.
>> +
>> +
>> +Patch Information
>> +-----------------
>> + axiom_api.patch - contains fixes for AXIS2-4450
>> +
>> +Copy patched jar files to appropriate locations
>> +-----------------------------------------------
>> + cd 1_2_5
>> + cp
>> modules/axiom-api/target/axiom-api-1.2.5.jar<geronimo-root>/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
>>
>> \ No newline at end of file
>>
>> Propchange:
>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>> ------------------------------------------------------------------------------
>>
>> svn:eol-style = native
>>
>> Propchange:
>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>> ------------------------------------------------------------------------------
>>
>> svn:keywords = Date Revision
>>
>> Propchange:
>> geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
>> ------------------------------------------------------------------------------
>>
>> svn:mime-type = text/plain
>>
>>
>>
>>
>
>