Posted to dev@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2016/03/07 22:47:40 UTC

[jira] [Commented] (OFBIZ-6916) Upgrade Axis2 to 1.7.0

    [ https://issues.apache.org/jira/browse/OFBIZ-6916?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15183784#comment-15183784 ] 

Jacques Le Roux commented on OFBIZ-6916:
----------------------------------------

Committed in 
trunk r1733956  
R15.12 r1733957
R14.12 r1733958+r1733959
R13.07 r1733991

Note: there is a newer Axis2 1.7.1 version https://axis.apache.org/axis2/java/core/release-notes/1.7.1.html. OOTB we don't use ADB but better to get the last version anyway. I will change the issue title.

Replacing Axis2 1.6.3 by 1.7.1 version is easy as long as you don't try to replace the commons-httpclient-3.1 lib. The only noticeable change is this warning shown in the log
    |http-bio-8443-exec-1 |AxisConfigBuilder             |W| Unable to instantiate deployer org.apache.axis2.deployment.ServiceDeployer; see debug logs for more details|
It has no effects on the SOAP test services, both work.

But the main goal of this issue is a security update because commons-httpclient-3.1 lib is deprecated, no longer maintained and vulnerable and must be replaced.

This commit also concerns OFBIZ-6755 but to not mix things OFBIZ-6755 will be completed later. So to not block this issue, the commons-httpclient-3.1 lib is moved from framework/service/lib to specialpurpose/passport/lib/ where it's still required.

Normally, as explained at https://axis.apache.org/axis2/java/core/release-notes/1.7.0.html, Axis2 1.7.1 requires "HttpClient 4.2.x and should work with 4.3.x and 4.4.x, but is incompatible with 4.5.x". I did not replace commons-httpclient-3.1 by HttpClient 4.2.1, which is bundled with Axis2 1.7.1, because we already have HttpClient/Core 4.4.1 in base/lib and it works well as is (HttpClient/Core 4.4.1 is in the classpath).

To use HttpClient/Core 4.4.1 you need to change the axis2.xml files as specified in the 1.7.0 release note. But where to place this file in OFBiz is not obvious! 

I decided the best way was to use the Axis2 ConfigurationContextFactory.createConfigurationContextFromFileSystem() method to let Axis2 know we want the new httpclient instead of the default one (I really don't understand why the Axis2 team still prefers commons-httpclient-3.1 as default). I had to pass both locations to avoid hardcoding the repository location in the axis2.xml file.

I have also decided the best place for the "Axis2 repository" (as they call it) was in framework/service/axis2. So following Axis2 convention http://wso2.com/library/tutorials/axis2-repository/ I put the axis2.xml file in framework/service/axis2/conf.
Note: the Axis2 repository could be used to put [Apache Rampart|https://axis.apache.org/axis2/java/rampart/] as a module to secure web services...

After this change, there are a number of warnings thrown by Axis2 but they are actually interesting as they provide guidance for future use of modules and such (notably Apache Rampart).
    |ttp-bio-8443-exec-10 |Utils                         |W| [JAXWS] - unable to load org.apache.axis2.jaxws.dispatchers.GenericProviderDispatcher
    |ttp-bio-8443-exec-10 |Utils                         |W| [JAXWS] - unable to load org.apache.axis2.jaxws.dispatchers.MustUnderstandValidationDispatcher
    |ttp-bio-8443-exec-10 |Utils                         |W| [JAXWS] - unable to load org.apache.axis2.jaxws.dispatchers.MustUnderstandChecker
    |ttp-bio-8443-exec-10 |Utils                         |W| [JAXWS] - unable to load org.apache.axis2.jaxws.dispatchers.GenericProviderDispatcher
    |ttp-bio-8443-exec-10 |Utils                         |W| [JAXWS] - unable to load org.apache.axis2.jaxws.dispatchers.MustUnderstandValidationDispatcher
    |ttp-bio-8443-exec-10 |AxisConfigBuilder             |W| Unable to instantiate deployer org.apache.axis2.deployment.ServiceDeployer; see debug logs for more details
    |ttp-bio-8443-exec-10 |AxisConfigBuilder             |W| Unable to instantiate deployer org.apache.axis2.jaxws.framework.JAXWSDeployer; see debug logs for more details


While at it I replaced StAXOMBuilder (deprecated) by OMXMLBuilderFactory

I will backport the changes in the supported release branches but R12.04. Others all use HttpClient/Core versions older than 4.2.1. I'm aware I will have to handle several conflicts by hand, some are easy, others "harder". We have the passport component only in R15.12, it will be easy to neglect in older releases. I expect more work with the LICENSE file and even more with the .classpath file. Since R15.12 we use tabs in it (Adrian rightly told us to use Eclipse internal tools to edit this file, though I noted it does not respect the alphabetical order) but older releases still use spaces (and this is often a pain now, but a bright future ahead ;))

Crossing fingers with this commit, I have other changes pending in this instance (notably for OFBIZ-6849) and it got quite complicated.



> Upgrade Axis2 to 1.7.0
> ----------------------
>
>                 Key: OFBIZ-6916
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6916
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>
> With OFBIZ-5801 I recently upgraded Axis2 to 1.6.3. But it still uses commons-httpclient-3.1 which is not only deprecated but also faces a number of vulnerabilities:
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3577
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153
> This will also help to resolve OFBIZ-6755 (passport component)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
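As an added example (not part of this comment nor of the OFBiz or Axis2 code), a small Java check for the setup described above: it loads Axis2 from explicit repository and axis2.xml locations via createConfigurationContextFromFileSystem() and reports which HTTP transport sender class is actually registered, so you can confirm the SOAP path is off commons-httpclient 3.1 even though that jar still sits in specialpurpose/passport/lib. The repository paths and the HTTPClient4TransportSender class name (the sender named in the Axis2 1.7.0 release notes) are assumptions.

```java
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.axis2.description.TransportOutDescription;
import org.apache.axis2.transport.TransportSender;

/*
 * Transport sender entries in axis2.xml. The first pair is the Axis2 default
 * (commons-httpclient 3.1); the second pair is the HttpClient 4 sender from the
 * 1.7.0 release notes, which is what the repository's conf/axis2.xml should carry:
 *
 *   <transportSender name="http"  class="org.apache.axis2.transport.http.CommonsHTTPTransportSender">
 *   <transportSender name="https" class="org.apache.axis2.transport.http.CommonsHTTPTransportSender">
 *
 *   <transportSender name="http"  class="org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender">
 *   <transportSender name="https" class="org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender">
 */
public final class Axis2TransportCheck {

    // Assumed layout, modelled on the one described in the comment: repository plus its conf/axis2.xml.
    static final String REPOSITORY = "framework/service/axis2";
    static final String AXIS2_XML = REPOSITORY + "/conf/axis2.xml";

    static final String HC3_SENDER = "org.apache.axis2.transport.http.CommonsHTTPTransportSender";
    static final String HC4_SENDER = "org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender";

    /** Loads Axis2 from the explicit repository and axis2.xml instead of the built-in defaults. */
    public static ConfigurationContext load() throws AxisFault {
        return ConfigurationContextFactory.createConfigurationContextFromFileSystem(REPOSITORY, AXIS2_XML);
    }

    /** Class name of the sender actually registered for a transport ("http"/"https"), or null. */
    public static String senderClass(ConfigurationContext ctx, String transport) {
        TransportOutDescription out = ctx.getAxisConfiguration().getTransportOut(transport);
        if (out == null) return null;
        TransportSender sender = out.getSender();
        return sender == null ? null : sender.getClass().getName();
    }

    public static void main(String[] args) throws AxisFault {
        ConfigurationContext ctx = load();
        for (String transport : new String[] {"http", "https"}) {
            String cls = senderClass(ctx, transport);
            if (HC4_SENDER.equals(cls)) {
                System.out.println(transport + ": HttpClient 4 sender in use");
            } else if (HC3_SENDER.equals(cls)) {
                System.out.println(transport + ": still on the commons-httpclient 3.1 sender");
            } else {
                System.out.println(transport + ": unexpected or missing sender: " + cls);
            }
        }
    }
}
```

Run it with the same classpath as the SOAP services; if a transport still reports the CommonsHTTPTransportSender, the axis2.xml being picked up is not the one you edited.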