You are viewing a plain text version of this content. The canonical link for it is here.
Posted to java-dev@axis.apache.org by Amila Suriarachchi <am...@gmail.com> on 2007/12/19 05:30:40 UTC
[Axis2] Dispatch order
hi all,
1. Here is a code segment found in the org.apache.axis2.engine.DispatchPhase
checkPostConditions method.
if (operation == null &&
JavaUtils.isTrue(service.getParameterValue(
AxisService.SUPPORT_SINGLE_OP))) {
Iterator ops = service.getOperations();
// If there's exactly one, that's the one we want. If there's
more, forget it.
if (ops.hasNext()) {
operation = (AxisOperation)ops.next();
if (ops.hasNext()) {
operation = null;
}
}
msgContext.setAxisOperation(operation);
}
What it basically doing is that dispatch the operation if the
AxisService.SUPPORT_SINGLE_OP parameter is set and
there is only one operation on it.
Isn't this dispatcher supposed to run just after service being dispatched?
i.e as the first dispatcher of the Tranport phase.
Think about the scenario where this operation is engaged security. in this
case it should dispatched before the security.
I think any dispatcher which is possible to run before the security should
run before it.
2. RequestURIBasedDispatcher and SOAPActionBasedDispatcher are both in
Transport and Dispatch phases.
Is there any reason for this? or is it an obsolete code to keep this in
Dispatch phase?
Shall I do the above changes?
thanks,
Amila.
--
Amila Suriarachchi,
WSO2 Inc.
Re: [Axis2] Dispatch order
Posted by Nandana Mihindukulasooriya <na...@gmail.com>.
Hi,
Sometimes we may not need this change and have to move the security phase
> after dispatching. Please see the possible two security attacks I have
> mentioned here.
I think we have to have the operation dispatched before the security phase
in all cases.
Otherwise there will be no way of doing a proper security validation because
we can't
get the operation level ( and also message level ) security constraints and
requirements.
But then, something like body based dispatching will not be possible in
some scenarios
when security is engaged, because the body may still not be decrypted when
it comes to
dispatching. will this be a problem ? IFAIK, According to the soap spec
"An HTTP client MUST use SOAPAction header field when issuing a SOAP HTTP
Request."
Regards,
Nandana
Re: [Axis2] Dispatch order
Posted by Amila Suriarachchi <am...@gmail.com>.
Sometimes we may not need this change and have to move the security phase
after dispatching. Please see the possible two security attacks I have
mentioned here.
https://issues.apache.org/jira/browse/RAMPART-127
Thanks,
Amila.
On Dec 20, 2007 11:24 AM, Amila Suriarachchi <am...@gmail.com>
wrote:
>
>
> On Dec 20, 2007 8:06 AM, Sanjiva Weerawarana <sa...@opensource.lk>
> wrote:
>
> > The issue here is whether SUPPORT_SINGLE_OP takes priority or the
> > sequence
> > of deployers do.
>
> No. the matter is whether this dispatch should run before the security
> phase or not.
> just think the senario where this operation has a signature verification
> security policy.
> in that case if this dispatcher runs after security is attack can happen.
> https://issues.apache.org/jira/browse/RAMPART-127
>
> That is, right now it appears that SSO
>
> is tested at the
> > end of the dispatch phase .. which just makes sure that if that property
> >
> > has been set it overrides everything else.
> >
> > Service dispatch also happens in the dispatch phase often ...
>
> yes that is correct, but I am thinking about the scenario where this
> dispatcher taking place.
>
> so I think
> > the code is right.
> >
> > Sanjiva.
> >
> > David Illsley wrote:
> > > Um, presumably it should go after the RequestURIBasedDispatcher so you
> > > don't have to redo the service dispatch?
> > > David
> > >
> > > On Dec 19, 2007 3:27 PM, Amila Suriarachchi <
> > amilasuriarachchi@gmail.com> wrote:
> > >>
> > >>
> > >> On Dec 19, 2007 8:32 PM, David Illsley <davidillsley@gmail.com >
> > wrote:
> > >>> So what's the plan? Where are you going to move the code to?
> > >> yes. What I thought was to get this code to a separate dispatcher
> > and set
> > >> this dispatcher as the first
> > >> dispatcher in the Transport phase.
> > >>
> > >> Amila
> > >>>
> > >>>
> > >>>
> > >>> David
> > >>>
> > >>>
> > >>>
> > >>>
> > >>> On Dec 19, 2007 7:11 AM, Amila Suriarachchi <
> > amilasuriarachchi@gmail.com>
> > >> wrote:
> > >>>>
> > >>>>
> > >>>> On Dec 19, 2007 10:00 AM, Amila Suriarachchi
> > >> < amilasuriarachchi@gmail.com >
> > >>>> wrote:
> > >>>>> hi all,
> > >>>>>
> > >>>>> 1. Here is a code segment found in the
> > >>>> org.apache.axis2.engine.DispatchPhase
> > >>>>> checkPostConditions method.
> > >>>>>
> > >>>>> if (operation == null &&
> > >>>>> JavaUtils.isTrue(service.getParameterValue
> > >>>> (AxisService.SUPPORT_SINGLE_OP))) {
> > >>>>> Iterator ops = service.getOperations();
> > >>>>> // If there's exactly one, that's the one we want. If
> >
> > >> there's
> > >>>> more, forget it.
> > >>>>> if (ops.hasNext ()) {
> > >>>>> operation = (AxisOperation)ops.next();
> > >>>>> if ( ops.hasNext()) {
> > >>>>> operation = null;
> > >>>>> }
> > >>>>> }
> > >>>>> msgContext.setAxisOperation (operation);
> > >>>>> }
> > >>>>>
> > >>>>> What it basically doing is that dispatch the operation if the
> > >>>> AxisService.SUPPORT_SINGLE_OP parameter is set and
> > >>>>> there is only one operation on it.
> > >>>>> Isn't this dispatcher supposed to run just after service being
> > >> dispatched?
> > >>>> i.e as the first dispatcher of the Tranport phase.
> > >>>>> Think about the scenario where this operation is engaged security.
> > in
> > >> this
> > >>>> case it should dispatched before the security.
> > >>>>> I think any dispatcher which is possible to run before the
> > security
> > >> should
> > >>>> run before it.
> > >>>>
> > >>>> I found this security hole and I the only option to fix it to add
> > a
> > >> handler
> > >>>> as the last phase to dispatch
> > >>>> to check whether the security is applied or not.
> > >>>> https://issues.apache.org/jira/browse/RAMPART-127
> > >>>>
> > >>>> So we need to move this before security definitely.
> > >>>>
> > >>>>>
> > >>>>> 2. RequestURIBasedDispatcher and SOAPActionBasedDispatcher are
> > both in
> > >>>> Transport and Dispatch phases.
> > >>>>> Is there any reason for this? or is it an obsolete code to keep
> > this
> > >> in
> > >>>> Dispatch phase?
> > >>>>> Shall I do the above changes?
> > >>>>>
> > >>>>> thanks,
> > >>>>> Amila.
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>> --
> > >>>>> Amila Suriarachchi,
> > >>>>> WSO2 Inc.
> > >>>>
> > >>>>
> > >>>> --
> > >>>> Amila Suriarachchi,
> > >>>> WSO2 Inc.
> > >>>
> > >>>
> > >>>
> > >>>
> > >>>
> > >>> --
> > >>> David Illsley - IBM Web Services Development
> > >>>
> > >>>
> > ---------------------------------------------------------------------
> > >>> To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
> > >>> For additional commands, e-mail: axis-dev-help@ws.apache.org
> > >>>
> > >>>
> > >>
> > >>
> > >> --
> > >> Amila Suriarachchi,
> > >> WSO2 Inc.
> > >
> > >
> > >
> >
> > --
> > Sanjiva Weerawarana, Ph.D.
> > Founder & Director; Lanka Software Foundation; http://www.opensource.lk/
> > Founder, Chairman & CEO; WSO2, Inc.; http://www.wso2.com/
> > Member; Apache Software Foundation; http://www.apache.org/
> > Visiting Lecturer; University of Moratuwa; http://www.cse.mrt.ac.lk/
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
> > For additional commands, e-mail: axis-dev-help@ws.apache.org
> >
> >
>
>
> --
> Amila Suriarachchi,
> WSO2 Inc.
--
Amila Suriarachchi,
WSO2 Inc.
Re: [Axis2] Dispatch order
Posted by Amila Suriarachchi <am...@gmail.com>.
On Dec 20, 2007 8:06 AM, Sanjiva Weerawarana <sa...@opensource.lk> wrote:
> The issue here is whether SUPPORT_SINGLE_OP takes priority or the sequence
> of deployers do.
No. the matter is whether this dispatch should run before the security phase
or not.
just think the senario where this operation has a signature verification
security policy.
in that case if this dispatcher runs after security is attack can happen.
https://issues.apache.org/jira/browse/RAMPART-127
That is, right now it appears that SSO
is tested at the
> end of the dispatch phase .. which just makes sure that if that property
> has been set it overrides everything else.
>
> Service dispatch also happens in the dispatch phase often ...
yes that is correct, but I am thinking about the scenario where this
dispatcher taking place.
so I think
> the code is right.
>
> Sanjiva.
>
> David Illsley wrote:
> > Um, presumably it should go after the RequestURIBasedDispatcher so you
> > don't have to redo the service dispatch?
> > David
> >
> > On Dec 19, 2007 3:27 PM, Amila Suriarachchi <am...@gmail.com>
> wrote:
> >>
> >>
> >> On Dec 19, 2007 8:32 PM, David Illsley <da...@gmail.com> wrote:
> >>> So what's the plan? Where are you going to move the code to?
> >> yes. What I thought was to get this code to a separate dispatcher and
> set
> >> this dispatcher as the first
> >> dispatcher in the Transport phase.
> >>
> >> Amila
> >>>
> >>>
> >>>
> >>> David
> >>>
> >>>
> >>>
> >>>
> >>> On Dec 19, 2007 7:11 AM, Amila Suriarachchi <
> amilasuriarachchi@gmail.com>
> >> wrote:
> >>>>
> >>>>
> >>>> On Dec 19, 2007 10:00 AM, Amila Suriarachchi
> >> <amilasuriarachchi@gmail.com >
> >>>> wrote:
> >>>>> hi all,
> >>>>>
> >>>>> 1. Here is a code segment found in the
> >>>> org.apache.axis2.engine.DispatchPhase
> >>>>> checkPostConditions method.
> >>>>>
> >>>>> if (operation == null &&
> >>>>> JavaUtils.isTrue(service.getParameterValue
> >>>> (AxisService.SUPPORT_SINGLE_OP))) {
> >>>>> Iterator ops = service.getOperations();
> >>>>> // If there's exactly one, that's the one we want. If
> >> there's
> >>>> more, forget it.
> >>>>> if (ops.hasNext ()) {
> >>>>> operation = (AxisOperation)ops.next();
> >>>>> if (ops.hasNext()) {
> >>>>> operation = null;
> >>>>> }
> >>>>> }
> >>>>> msgContext.setAxisOperation (operation);
> >>>>> }
> >>>>>
> >>>>> What it basically doing is that dispatch the operation if the
> >>>> AxisService.SUPPORT_SINGLE_OP parameter is set and
> >>>>> there is only one operation on it.
> >>>>> Isn't this dispatcher supposed to run just after service being
> >> dispatched?
> >>>> i.e as the first dispatcher of the Tranport phase.
> >>>>> Think about the scenario where this operation is engaged security.
> in
> >> this
> >>>> case it should dispatched before the security.
> >>>>> I think any dispatcher which is possible to run before the security
> >> should
> >>>> run before it.
> >>>>
> >>>> I found this security hole and I the only option to fix it to add a
> >> handler
> >>>> as the last phase to dispatch
> >>>> to check whether the security is applied or not.
> >>>> https://issues.apache.org/jira/browse/RAMPART-127
> >>>>
> >>>> So we need to move this before security definitely.
> >>>>
> >>>>>
> >>>>> 2. RequestURIBasedDispatcher and SOAPActionBasedDispatcher are both
> in
> >>>> Transport and Dispatch phases.
> >>>>> Is there any reason for this? or is it an obsolete code to keep this
> >> in
> >>>> Dispatch phase?
> >>>>> Shall I do the above changes?
> >>>>>
> >>>>> thanks,
> >>>>> Amila.
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> Amila Suriarachchi,
> >>>>> WSO2 Inc.
> >>>>
> >>>>
> >>>> --
> >>>> Amila Suriarachchi,
> >>>> WSO2 Inc.
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> --
> >>> David Illsley - IBM Web Services Development
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
> >>> For additional commands, e-mail: axis-dev-help@ws.apache.org
> >>>
> >>>
> >>
> >>
> >> --
> >> Amila Suriarachchi,
> >> WSO2 Inc.
> >
> >
> >
>
> --
> Sanjiva Weerawarana, Ph.D.
> Founder & Director; Lanka Software Foundation; http://www.opensource.lk/
> Founder, Chairman & CEO; WSO2, Inc.; http://www.wso2.com/
> Member; Apache Software Foundation; http://www.apache.org/
> Visiting Lecturer; University of Moratuwa; http://www.cse.mrt.ac.lk/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: axis-dev-help@ws.apache.org
>
>
--
Amila Suriarachchi,
WSO2 Inc.
Re: [Axis2] Dispatch order
Posted by Sanjiva Weerawarana <sa...@opensource.lk>.
The issue here is whether SUPPORT_SINGLE_OP takes priority or the sequence
of deployers do. That is, right now it appears that SSO is tested at the
end of the dispatch phase .. which just makes sure that if that property
has been set it overrides everything else.
Service dispatch also happens in the dispatch phase often ... so I think
the code is right.
Sanjiva.
David Illsley wrote:
> Um, presumably it should go after the RequestURIBasedDispatcher so you
> don't have to redo the service dispatch?
> David
>
> On Dec 19, 2007 3:27 PM, Amila Suriarachchi <am...@gmail.com> wrote:
>>
>>
>> On Dec 19, 2007 8:32 PM, David Illsley <da...@gmail.com> wrote:
>>> So what's the plan? Where are you going to move the code to?
>> yes. What I thought was to get this code to a separate dispatcher and set
>> this dispatcher as the first
>> dispatcher in the Transport phase.
>>
>> Amila
>>>
>>>
>>>
>>> David
>>>
>>>
>>>
>>>
>>> On Dec 19, 2007 7:11 AM, Amila Suriarachchi < amilasuriarachchi@gmail.com>
>> wrote:
>>>>
>>>>
>>>> On Dec 19, 2007 10:00 AM, Amila Suriarachchi
>> <amilasuriarachchi@gmail.com >
>>>> wrote:
>>>>> hi all,
>>>>>
>>>>> 1. Here is a code segment found in the
>>>> org.apache.axis2.engine.DispatchPhase
>>>>> checkPostConditions method.
>>>>>
>>>>> if (operation == null &&
>>>>> JavaUtils.isTrue(service.getParameterValue
>>>> (AxisService.SUPPORT_SINGLE_OP))) {
>>>>> Iterator ops = service.getOperations();
>>>>> // If there's exactly one, that's the one we want. If
>> there's
>>>> more, forget it.
>>>>> if (ops.hasNext ()) {
>>>>> operation = (AxisOperation)ops.next();
>>>>> if (ops.hasNext()) {
>>>>> operation = null;
>>>>> }
>>>>> }
>>>>> msgContext.setAxisOperation (operation);
>>>>> }
>>>>>
>>>>> What it basically doing is that dispatch the operation if the
>>>> AxisService.SUPPORT_SINGLE_OP parameter is set and
>>>>> there is only one operation on it.
>>>>> Isn't this dispatcher supposed to run just after service being
>> dispatched?
>>>> i.e as the first dispatcher of the Tranport phase.
>>>>> Think about the scenario where this operation is engaged security. in
>> this
>>>> case it should dispatched before the security.
>>>>> I think any dispatcher which is possible to run before the security
>> should
>>>> run before it.
>>>>
>>>> I found this security hole and I the only option to fix it to add a
>> handler
>>>> as the last phase to dispatch
>>>> to check whether the security is applied or not.
>>>> https://issues.apache.org/jira/browse/RAMPART-127
>>>>
>>>> So we need to move this before security definitely.
>>>>
>>>>>
>>>>> 2. RequestURIBasedDispatcher and SOAPActionBasedDispatcher are both in
>>>> Transport and Dispatch phases.
>>>>> Is there any reason for this? or is it an obsolete code to keep this
>> in
>>>> Dispatch phase?
>>>>> Shall I do the above changes?
>>>>>
>>>>> thanks,
>>>>> Amila.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Amila Suriarachchi,
>>>>> WSO2 Inc.
>>>>
>>>>
>>>> --
>>>> Amila Suriarachchi,
>>>> WSO2 Inc.
>>>
>>>
>>>
>>>
>>>
>>> --
>>> David Illsley - IBM Web Services Development
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
>>> For additional commands, e-mail: axis-dev-help@ws.apache.org
>>>
>>>
>>
>>
>> --
>> Amila Suriarachchi,
>> WSO2 Inc.
>
>
>
--
Sanjiva Weerawarana, Ph.D.
Founder & Director; Lanka Software Foundation; http://www.opensource.lk/
Founder, Chairman & CEO; WSO2, Inc.; http://www.wso2.com/
Member; Apache Software Foundation; http://www.apache.org/
Visiting Lecturer; University of Moratuwa; http://www.cse.mrt.ac.lk/
---------------------------------------------------------------------
To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-dev-help@ws.apache.org
Re: [Axis2] Dispatch order
Posted by Amila Suriarachchi <am...@gmail.com>.
On Dec 19, 2007 9:40 PM, David Illsley <da...@gmail.com> wrote:
> Um, presumably it should go after the RequestURIBasedDispatcher so you
> don't have to redo the service dispatch?
yes
>
> David
>
> On Dec 19, 2007 3:27 PM, Amila Suriarachchi <am...@gmail.com>
> wrote:
> >
> >
> >
> > On Dec 19, 2007 8:32 PM, David Illsley <da...@gmail.com> wrote:
> > > So what's the plan? Where are you going to move the code to?
> >
> > yes. What I thought was to get this code to a separate dispatcher and
> set
> > this dispatcher as the first
> > dispatcher in the Transport phase.
> >
> > Amila
> > >
> > >
> > >
> > >
> > > David
> > >
> > >
> > >
> > >
> > > On Dec 19, 2007 7:11 AM, Amila Suriarachchi <
> amilasuriarachchi@gmail.com>
> > wrote:
> > > >
> > > >
> > > >
> > > > On Dec 19, 2007 10:00 AM, Amila Suriarachchi
> > <amilasuriarachchi@gmail.com >
> > > > wrote:
> > > > > hi all,
> > > > >
> > > > > 1. Here is a code segment found in the
> > > > org.apache.axis2.engine.DispatchPhase
> > > > > checkPostConditions method.
> > > > >
> > > > > if (operation == null &&
> > > > > JavaUtils.isTrue(service.getParameterValue
> > > > (AxisService.SUPPORT_SINGLE_OP))) {
> > > > > Iterator ops = service.getOperations();
> > > > > // If there's exactly one, that's the one we want. If
> > there's
> > > > more, forget it.
> > > > > if (ops.hasNext ()) {
> > > > > operation = (AxisOperation)ops.next();
> > > > > if (ops.hasNext()) {
> > > > > operation = null;
> > > > > }
> > > > > }
> > > > > msgContext.setAxisOperation (operation);
> > > > > }
> > > > >
> > > > > What it basically doing is that dispatch the operation if the
> > > > AxisService.SUPPORT_SINGLE_OP parameter is set and
> > > > > there is only one operation on it.
> > > > > Isn't this dispatcher supposed to run just after service being
> > dispatched?
> > > > i.e as the first dispatcher of the Tranport phase.
> > > > >
> > > > > Think about the scenario where this operation is engaged security.
> in
> > this
> > > > case it should dispatched before the security.
> > > > >
> > > > > I think any dispatcher which is possible to run before the
> security
> > should
> > > > run before it.
> > > >
> > > > I found this security hole and I the only option to fix it to add a
> > handler
> > > > as the last phase to dispatch
> > > > to check whether the security is applied or not.
> > > > https://issues.apache.org/jira/browse/RAMPART-127
> > > >
> > > > So we need to move this before security definitely.
> > > >
> > > > >
> > > > >
> > > > > 2. RequestURIBasedDispatcher and SOAPActionBasedDispatcher are
> both in
> > > > Transport and Dispatch phases.
> > > > > Is there any reason for this? or is it an obsolete code to keep
> this
> > in
> > > > Dispatch phase?
> > > > >
> > > > > Shall I do the above changes?
> > > > >
> > > > > thanks,
> > > > > Amila.
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Amila Suriarachchi,
> > > > > WSO2 Inc.
> > > >
> > > >
> > > >
> > > > --
> > > > Amila Suriarachchi,
> > > > WSO2 Inc.
> > >
> > >
> > >
> > >
> > >
> > >
> > > --
> > > David Illsley - IBM Web Services Development
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
> > > For additional commands, e-mail: axis-dev-help@ws.apache.org
> > >
> > >
> >
> >
> >
> > --
> > Amila Suriarachchi,
> > WSO2 Inc.
>
>
>
> --
> David Illsley - IBM Web Services Development
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: axis-dev-help@ws.apache.org
>
>
--
Amila Suriarachchi,
WSO2 Inc.
Re: [Axis2] Dispatch order
Posted by David Illsley <da...@gmail.com>.
Um, presumably it should go after the RequestURIBasedDispatcher so you
don't have to redo the service dispatch?
David
On Dec 19, 2007 3:27 PM, Amila Suriarachchi <am...@gmail.com> wrote:
>
>
>
> On Dec 19, 2007 8:32 PM, David Illsley <da...@gmail.com> wrote:
> > So what's the plan? Where are you going to move the code to?
>
> yes. What I thought was to get this code to a separate dispatcher and set
> this dispatcher as the first
> dispatcher in the Transport phase.
>
> Amila
> >
> >
> >
> >
> > David
> >
> >
> >
> >
> > On Dec 19, 2007 7:11 AM, Amila Suriarachchi < amilasuriarachchi@gmail.com>
> wrote:
> > >
> > >
> > >
> > > On Dec 19, 2007 10:00 AM, Amila Suriarachchi
> <amilasuriarachchi@gmail.com >
> > > wrote:
> > > > hi all,
> > > >
> > > > 1. Here is a code segment found in the
> > > org.apache.axis2.engine.DispatchPhase
> > > > checkPostConditions method.
> > > >
> > > > if (operation == null &&
> > > > JavaUtils.isTrue(service.getParameterValue
> > > (AxisService.SUPPORT_SINGLE_OP))) {
> > > > Iterator ops = service.getOperations();
> > > > // If there's exactly one, that's the one we want. If
> there's
> > > more, forget it.
> > > > if (ops.hasNext ()) {
> > > > operation = (AxisOperation)ops.next();
> > > > if (ops.hasNext()) {
> > > > operation = null;
> > > > }
> > > > }
> > > > msgContext.setAxisOperation (operation);
> > > > }
> > > >
> > > > What it basically doing is that dispatch the operation if the
> > > AxisService.SUPPORT_SINGLE_OP parameter is set and
> > > > there is only one operation on it.
> > > > Isn't this dispatcher supposed to run just after service being
> dispatched?
> > > i.e as the first dispatcher of the Tranport phase.
> > > >
> > > > Think about the scenario where this operation is engaged security. in
> this
> > > case it should dispatched before the security.
> > > >
> > > > I think any dispatcher which is possible to run before the security
> should
> > > run before it.
> > >
> > > I found this security hole and I the only option to fix it to add a
> handler
> > > as the last phase to dispatch
> > > to check whether the security is applied or not.
> > > https://issues.apache.org/jira/browse/RAMPART-127
> > >
> > > So we need to move this before security definitely.
> > >
> > > >
> > > >
> > > > 2. RequestURIBasedDispatcher and SOAPActionBasedDispatcher are both in
> > > Transport and Dispatch phases.
> > > > Is there any reason for this? or is it an obsolete code to keep this
> in
> > > Dispatch phase?
> > > >
> > > > Shall I do the above changes?
> > > >
> > > > thanks,
> > > > Amila.
> > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Amila Suriarachchi,
> > > > WSO2 Inc.
> > >
> > >
> > >
> > > --
> > > Amila Suriarachchi,
> > > WSO2 Inc.
> >
> >
> >
> >
> >
> >
> > --
> > David Illsley - IBM Web Services Development
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
> > For additional commands, e-mail: axis-dev-help@ws.apache.org
> >
> >
>
>
>
> --
> Amila Suriarachchi,
> WSO2 Inc.
--
David Illsley - IBM Web Services Development
---------------------------------------------------------------------
To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-dev-help@ws.apache.org
Re: [Axis2] Dispatch order
Posted by Amila Suriarachchi <am...@gmail.com>.
On Dec 19, 2007 8:32 PM, David Illsley <da...@gmail.com> wrote:
> So what's the plan? Where are you going to move the code to?
yes. What I thought was to get this code to a separate dispatcher and set
this dispatcher as the first
dispatcher in the Transport phase.
Amila
>
> David
>
> On Dec 19, 2007 7:11 AM, Amila Suriarachchi <am...@gmail.com>
> wrote:
> >
> >
> >
> > On Dec 19, 2007 10:00 AM, Amila Suriarachchi <
> amilasuriarachchi@gmail.com>
> > wrote:
> > > hi all,
> > >
> > > 1. Here is a code segment found in the
> > org.apache.axis2.engine.DispatchPhase
> > > checkPostConditions method.
> > >
> > > if (operation == null &&
> > > JavaUtils.isTrue(service.getParameterValue
> > (AxisService.SUPPORT_SINGLE_OP))) {
> > > Iterator ops = service.getOperations();
> > > // If there's exactly one, that's the one we want. If
> there's
> > more, forget it.
> > > if (ops.hasNext ()) {
> > > operation = (AxisOperation)ops.next();
> > > if (ops.hasNext()) {
> > > operation = null;
> > > }
> > > }
> > > msgContext.setAxisOperation (operation);
> > > }
> > >
> > > What it basically doing is that dispatch the operation if the
> > AxisService.SUPPORT_SINGLE_OP parameter is set and
> > > there is only one operation on it.
> > > Isn't this dispatcher supposed to run just after service being
> dispatched?
> > i.e as the first dispatcher of the Tranport phase.
> > >
> > > Think about the scenario where this operation is engaged security. in
> this
> > case it should dispatched before the security.
> > >
> > > I think any dispatcher which is possible to run before the security
> should
> > run before it.
> >
> > I found this security hole and I the only option to fix it to add a
> handler
> > as the last phase to dispatch
> > to check whether the security is applied or not.
> > https://issues.apache.org/jira/browse/RAMPART-127
> >
> > So we need to move this before security definitely.
> >
> > >
> > >
> > > 2. RequestURIBasedDispatcher and SOAPActionBasedDispatcher are both in
> > Transport and Dispatch phases.
> > > Is there any reason for this? or is it an obsolete code to keep this
> in
> > Dispatch phase?
> > >
> > > Shall I do the above changes?
> > >
> > > thanks,
> > > Amila.
> > >
> > >
> > >
> > >
> > > --
> > > Amila Suriarachchi,
> > > WSO2 Inc.
> >
> >
> >
> > --
> > Amila Suriarachchi,
> > WSO2 Inc.
>
>
>
> --
> David Illsley - IBM Web Services Development
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
> For additional commands, e-mail: axis-dev-help@ws.apache.org
>
>
--
Amila Suriarachchi,
WSO2 Inc.
Re: [Axis2] Dispatch order
Posted by David Illsley <da...@gmail.com>.
So what's the plan? Where are you going to move the code to?
David
On Dec 19, 2007 7:11 AM, Amila Suriarachchi <am...@gmail.com> wrote:
>
>
>
> On Dec 19, 2007 10:00 AM, Amila Suriarachchi <am...@gmail.com>
> wrote:
> > hi all,
> >
> > 1. Here is a code segment found in the
> org.apache.axis2.engine.DispatchPhase
> > checkPostConditions method.
> >
> > if (operation == null &&
> > JavaUtils.isTrue(service.getParameterValue
> (AxisService.SUPPORT_SINGLE_OP))) {
> > Iterator ops = service.getOperations();
> > // If there's exactly one, that's the one we want. If there's
> more, forget it.
> > if (ops.hasNext ()) {
> > operation = (AxisOperation)ops.next();
> > if (ops.hasNext()) {
> > operation = null;
> > }
> > }
> > msgContext.setAxisOperation (operation);
> > }
> >
> > What it basically doing is that dispatch the operation if the
> AxisService.SUPPORT_SINGLE_OP parameter is set and
> > there is only one operation on it.
> > Isn't this dispatcher supposed to run just after service being dispatched?
> i.e as the first dispatcher of the Tranport phase.
> >
> > Think about the scenario where this operation is engaged security. in this
> case it should dispatched before the security.
> >
> > I think any dispatcher which is possible to run before the security should
> run before it.
>
> I found this security hole and I the only option to fix it to add a handler
> as the last phase to dispatch
> to check whether the security is applied or not.
> https://issues.apache.org/jira/browse/RAMPART-127
>
> So we need to move this before security definitely.
>
> >
> >
> > 2. RequestURIBasedDispatcher and SOAPActionBasedDispatcher are both in
> Transport and Dispatch phases.
> > Is there any reason for this? or is it an obsolete code to keep this in
> Dispatch phase?
> >
> > Shall I do the above changes?
> >
> > thanks,
> > Amila.
> >
> >
> >
> >
> > --
> > Amila Suriarachchi,
> > WSO2 Inc.
>
>
>
> --
> Amila Suriarachchi,
> WSO2 Inc.
--
David Illsley - IBM Web Services Development
---------------------------------------------------------------------
To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-dev-help@ws.apache.org
Re: [Axis2] Dispatch order
Posted by Amila Suriarachchi <am...@gmail.com>.
On Dec 19, 2007 10:00 AM, Amila Suriarachchi <am...@gmail.com>
wrote:
> hi all,
>
> 1. Here is a code segment found in the
> org.apache.axis2.engine.DispatchPhase
> checkPostConditions method.
>
> if (operation == null &&
> JavaUtils.isTrue(service.getParameterValue (
> AxisService.SUPPORT_SINGLE_OP))) {
> Iterator ops = service.getOperations();
> // If there's exactly one, that's the one we want. If there's
> more, forget it.
> if (ops.hasNext ()) {
> operation = (AxisOperation)ops.next();
> if (ops.hasNext()) {
> operation = null;
> }
> }
> msgContext.setAxisOperation (operation);
> }
>
> What it basically doing is that dispatch the operation if the
> AxisService.SUPPORT_SINGLE_OP parameter is set and
> there is only one operation on it.
> Isn't this dispatcher supposed to run just after service being dispatched?
> i.e as the first dispatcher of the Tranport phase.
>
> Think about the scenario where this operation is engaged security. in this
> case it should dispatched before the security.
>
> I think any dispatcher which is possible to run before the security should
> run before it.
I found this security hole and I the only option to fix it to add a handler
as the last phase to dispatch
to check whether the security is applied or not.
https://issues.apache.org/jira/browse/RAMPART-127
So we need to move this before security definitely.
>
>
> 2. RequestURIBasedDispatcher and SOAPActionBasedDispatcher are both in
> Transport and Dispatch phases.
> Is there any reason for this? or is it an obsolete code to keep this in
> Dispatch phase?
>
> Shall I do the above changes?
>
> thanks,
> Amila.
>
>
>
>
> --
> Amila Suriarachchi,
> WSO2 Inc.
--
Amila Suriarachchi,
WSO2 Inc.