Posted to java-user@axis.apache.org by Robert Mecklenburg <me...@realmsys.com> on 2004/05/11 21:24:51 UTC

Abort a axis handler chain

I'm pretty new to SOAP and Axis, so I'm not sure how to do this:

I want to implement a service that authenticates the caller (using a
certificate in the message).  If the user is not authorized to invoke
the service, I want *no response* sent at all.  No return value, no
exception, nothing.  Is this possible?

Thanks,
-- 
Robert

RE: Abort a axis handler chain

Posted by Robert Lowe <rm...@rmlowe.com>.
Perhaps it would be possible to put a ServletFilter in front of Axis that
filters out the response body under certain conditions?


Best regards,

Robert Lowe
http://RMLowe.com/



-----Original Message-----
From: Nelson Minar [mailto:nelson@monkey.org]
Sent: Wednesday, May 12, 2004 11:31 PM
To: axis-user@ws.apache.org
Subject: RE: Abort a axis handler chain


>I want to implement a service that authenticates the caller (using a
>certificate in the message).  If the user is not authorized to invoke
>the service, I want *no response* sent at all.  No return value, no
>exception, nothing.  Is this possible?

I agree with Anne, this is a somewhat unnatural thing to want to do.
The simple thing would be to simply return a SOAP Fault: the caller
would get a 500 error back with some basic data in the body.

If you really want to send back *nothing*, you may get somewhere by
grabbing the underlying HttpServletRequest from the Axis
MessageContext and forcibly calling close() on it. It will probably
make the rest of Axis unhappy, but it may work.

Another option is to do something in your servlet engine that Axis is
living inside of.
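
The servlet filter idea from Robert Lowe's reply above, as an added example that is not part of the original thread or of Axis itself. It assumes the javax.servlet 3.1+ API, and the class name, the request attribute name `example.authFailed` (set by your own authentication handler) and the 403 status are all hypothetical choices.

```java
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class SilentRejectFilter implements Filter {
    // Hypothetical attribute name: the authentication handler sets it on the
    // HttpServletRequest when the caller's certificate is rejected.
    static final String AUTH_FAILED = "example.authFailed";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        BufferingResponse buffered = new BufferingResponse(http);
        chain.doFilter(req, buffered);              // Axis writes into the buffer only
        if (req.getAttribute(AUTH_FAILED) != null) {
            if (!http.isCommitted()) http.reset();  // discard status and headers Axis set
            http.setStatus(HttpServletResponse.SC_FORBIDDEN); // status is an assumption
            http.setContentLength(0);               // fault body is dropped, nothing leaks
            return;
        }
        if (buffered.writer != null) buffered.writer.flush();
        http.setContentLength(buffered.body.size());
        http.getOutputStream().write(buffered.body.toByteArray());
    }

    /** Captures the body in memory and keeps the real response uncommitted. */
    static class BufferingResponse extends HttpServletResponseWrapper {
        final ByteArrayOutputStream body = new ByteArrayOutputStream();
        PrintWriter writer;
        private final ServletOutputStream out = new ServletOutputStream() {
            public void write(int b) { body.write(b); }
            public boolean isReady() { return true; }
            public void setWriteListener(WriteListener listener) {}
        };
        BufferingResponse(HttpServletResponse response) { super(response); }
        public ServletOutputStream getOutputStream() { return out; }
        public PrintWriter getWriter() throws IOException {
            if (writer == null)
                writer = new PrintWriter(new OutputStreamWriter(body, getCharacterEncoding()));
            return writer;
        }
        public void flushBuffer() {}                // do not commit before the decision
    }
}
```

A filter can only empty the body: the container still sends a status line and headers for every request it accepts. Sending literally nothing means dropping the connection, which the servlet API does not offer.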



RE: Abort a axis handler chain

Posted by Nelson Minar <ne...@monkey.org>.
>I want to implement a service that authenticates the caller (using a
>certificate in the message).  If the user is not authorized to invoke
>the service, I want *no response* sent at all.  No return value, no
>exception, nothing.  Is this possible?

I agree with Anne, this is a somewhat unnatural thing to want to do.
The simple thing would be to simply return a SOAP Fault: the caller
would get a 500 error back with some basic data in the body.

If you really want to send back *nothing*, you may get somewhere by
grabbing the underlying HttpServletRequest from the Axis
MessageContext and forcibly calling close() on it. It will probably
make the rest of Axis unhappy, but it may work.

Another option is to do something in your servlet engine that Axis is
living inside of.

RE: Abort a axis handler chain

Posted by Robert Mecklenburg <me...@realmsys.com>.
RM> I want to implement a service that authenticates the caller (using a
RM> certificate in the message).  If the user is not authorized to invoke
RM> the service, I want *no response* sent at all.  No return value, no
RM> exception, nothing.  Is this possible?

Anne Thomas Manes writes:
ATM> If the service is defined as a request/response pattern, then I don't think
ATM> that's possible. You should return a SOAP Fault, but you might consider
ATM> sending back an HTTP error instead.

Nelson Minar writes:
NM> I agree with Anne, this is a somewhat unnatural thing to want to do.
NM> The simple thing would be to simply return a SOAP Fault: the caller
NM> would get a 500 error back with some basic data in the body.

We are very concerned about security in our server.  If a "bad guy"
attacks our server we don't want: a) to reveal any information about
the failed authentication, or b) to place any further burden on the
underlying network.  The response could contribute to a DoS attack,
for instance.

I'll investigate your suggestions (and Robert Lowe's), thank you.  In
the meantime, we came up with these two possibilities:

1. We could spawn a thread to process the soap message and
   pre-emptively terminate the thread in the event of an
   authentication failure.

2. Re-write the return address in the soap header to route the
   message into the bit bucket or to another soap client of our own
   choosing (which would dump the response in the bit bucket).

Do either of these sound promising?

Thanks,
-- 
Robert

RE: Abort a axis handler chain

Posted by Anne Thomas Manes <an...@manes.net>.
If the service is defined as a request/response pattern, then I don't think
that's possible. You should return a SOAP Fault, but you might consider
sending back an HTTP error instead.

Anne

-----Original Message-----
From: Robert Mecklenburg [mailto:mecklen@realmsys.com] 
Sent: Tuesday, May 11, 2004 3:25 PM
To: Axis Users
Subject: Abort a axis handler chain

I'm pretty new to SOAP and Axis, so I'm not sure how to do this:

I want to implement a service that authenticates the caller (using a
certificate in the message).  If the user is not authorized to invoke
the service, I want *no response* sent at all.  No return value, no
exception, nothing.  Is this possible?

Thanks,
-- 
Robert