Posted to dev@cxf.apache.org by Glen Mazza <gl...@gmail.com> on 2008/11/27 16:19:04 UTC

BusDefinitionParser not validating child elements

Question, for our BusDefinitionParser[1], we apparently do not throw an
IllegalStateException if you provide a value outside of an accepted one
("inInterceptors", "inFaultInterceptors", "outInterceptors",
"outFaultInterceptors", "features").  As the bus bean is XML Schema based,
its range of acceptable values is limited to those above.  

I think it would be good if CXF did throw an IllegalStateException if you
used a bean such as "inIntreceptors" (note misspelling).  I could imagine
*not* throwing an exception would be a security hazard, because the
developer might be thinking that his WSS4J interceptors are attached and
enforcing security, when they are actually sitting there unused because the
bean name was misspelled.  Perhaps my knowledge of the system is incomplete
though.

FYI--I've gone through several of the other parsers we have (basically,
searching on classes that have "AbstractBeanDefinitionParser" to find
them)--we are generally not validating child elements, except in some cases
where we are enforcing that certain elements have child elements.

Thoughts?

Thanks,
Glen

[1]
http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/main/java/org/apache/cxf/bus/spring/BusDefinitionParser.java?revision=651669&view=markup

-- 
View this message in context: http://www.nabble.com/BusDefinitionParser-not-validating-child-elements-tp20720940p20720940.html
Sent from the cxf-dev mailing list archive at Nabble.com.


Re: BusDefinitionParser not validating child elements

Posted by Glen Mazza <gl...@gmail.com>.
Never mind.  The SAX parser already does the schema validation, making these
additional checks unnecessary.


Glen Mazza wrote:
> 
> Question, for our BusDefinitionParser[1], we apparently do not throw an
> IllegalStateException if you provide a value outside of an accepted one
> ("inInterceptors", "inFaultInterceptors", "outInterceptors",
> "outFaultInterceptors", "features").  As the bus bean is XML Schema based,
> its range of acceptable values is limited to those above.  
> 
> I think it would be good if CXF did throw an IllegalStateException if you
> used a bean such as "inIntreceptors" (note misspelling).  I could imagine
> *not* throwing an exception would be a security hazard, because the
> developer might be thinking that his WSS4J interceptors are attached and
> enforcing security, when they are actually sitting there unused because
> the bean name was misspelled.  Perhaps my knowledge of the system is
> incomplete though.
> 
> FYI--I've gone through several of the other parsers we have (basically,
> searching on classes that have "AbstractBeanDefinitionParser" to find
> them)--we are generally not validating child elements, except in some
> cases where we are enforcing that certain elements have child elements.
> 
> Thoughts?
> 
> Thanks,
> Glen
> 
> [1]
> http://svn.apache.org/viewvc/cxf/trunk/rt/core/src/main/java/org/apache/cxf/bus/spring/BusDefinitionParser.java?revision=651669&view=markup
> 
> 

-- 
View this message in context: http://www.nabble.com/BusDefinitionParser-not-validating-child-elements-tp20720940p20722170.html
Sent from the cxf-dev mailing list archive at Nabble.com.
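
Added example, not part of either message above and not CXF code: it contrasts a parser that dispatches only on the known child names (and so silently skips the misspelled "inIntreceptors") with XML Schema validation, which rejects the same document. The inline XSD is a constructed, simplified stand-in for the bus schema, and the class and method names are hypothetical.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.SchemaFactory;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class BusChildValidationDemo {
    // Child element names listed in the thread as the accepted ones.
    static final List<String> KNOWN = List.of("inInterceptors", "inFaultInterceptors",
            "outInterceptors", "outFaultInterceptors", "features");

    // Constructed, simplified schema (assumption): <bus> may contain only the known children.
    static String schema() {
        StringBuilder sb = new StringBuilder("<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'>"
                + "<xs:element name='bus'><xs:complexType><xs:all>");
        for (String n : KNOWN)
            sb.append("<xs:element name='").append(n).append("' type='xs:string' minOccurs='0'/>");
        return sb.append("</xs:all></xs:complexType></xs:element></xs:schema>").toString();
    }

    // Lenient: handle known child names, silently skip everything else.
    static List<String> lenientParse(String xml) throws Exception {
        NodeList kids = DocumentBuilderFactory.newInstance().newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml))).getDocumentElement().getChildNodes();
        List<String> applied = new ArrayList<>();
        for (int i = 0; i < kids.getLength(); i++) {
            Node k = kids.item(i);
            if (k.getNodeType() == Node.ELEMENT_NODE && KNOWN.contains(k.getNodeName()))
                applied.add(k.getNodeName());
        }
        return applied; // empty list means no interceptors were attached
    }

    // Strict: the validator throws SAXException for any child the schema does not declare.
    static void strictValidate(String xml) throws Exception {
        SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI)
                .newSchema(new StreamSource(new StringReader(schema())))
                .newValidator().validate(new StreamSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        String xml = "<bus><inIntreceptors>wss4jIn</inIntreceptors></bus>"; // constructed sample
        System.out.println("lenient applied: " + lenientParse(xml));
        try { strictValidate(xml); System.out.println("strict: accepted"); }
        catch (SAXException e) { System.out.println("strict: rejected: " + e.getMessage()); }
    }
}
```

The strict path only protects a deployment when schema validation is actually enabled for the configuration file; with validation switched off, the lenient behaviour is what remains.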