Posted to java-dev@axis.apache.org by st...@apache.org on 2002/08/15 08:59:56 UTC

cvs commit: xml-axis/java/src/org/apache/axis/transport/http AdminServlet.java AxisServlet.java AxisServletBase.java

stevel      2002/08/14 23:59:56

  Modified:    java/src/org/apache/axis/transport/http AdminServlet.java
                        AxisServlet.java AxisServletBase.java
  Log:
  1. refactor the getOption method into the base class
  2. use that to set an isProduction flag to indicate the deployment system should be more secure.
  3. admin page logs commands and their origins
  4. admin page only displays/enables commands when not on a production box
  5. tests written for development config; production is a TODO item. Plan would be to pass a setting down to the test suite, or have it work out from the initial web page.
  
  Revision  Changes    Path
  1.16      +50 -14    xml-axis/java/src/org/apache/axis/transport/http/AdminServlet.java
  
  Index: AdminServlet.java
  ===================================================================
  RCS file: /home/cvs/xml-axis/java/src/org/apache/axis/transport/http/AdminServlet.java,v
  retrieving revision 1.15
  retrieving revision 1.16
  diff -u -r1.15 -r1.16
  --- AdminServlet.java	14 Aug 2002 06:31:43 -0000	1.15
  +++ AdminServlet.java	15 Aug 2002 06:59:55 -0000	1.16
  @@ -60,6 +60,8 @@
   import org.apache.axis.server.AxisServer;
   import org.apache.axis.utils.JavaUtils;
   import org.apache.axis.AxisFault;
  +import org.apache.axis.components.logger.LogFactory;
  +import org.apache.commons.logging.Log;
   
   import javax.servlet.ServletContext;
   import javax.servlet.ServletException;
  @@ -79,30 +81,64 @@
    */
   public class AdminServlet extends AxisServletBase {
   
  +    private static Log log =
  +            LogFactory.getLog(AxisServlet.class.getName());
   
  -    public void doGet(HttpServletRequest req, HttpServletResponse res)
  +
  +    /**
  +     * handle a GET request. Commands are only valid when not in production mode
  +     * @param request
  +     * @param response
  +     * @throws ServletException
  +     * @throws IOException
  +     */
  +    public void doGet(HttpServletRequest request, HttpServletResponse response)
           throws ServletException, IOException {
  -        res.setContentType("text/html");
  -        String str = "";
  +        response.setContentType("text/html");
  +        StringBuffer buffer=new StringBuffer(512);
  +        buffer.append("<html><head><title>Axis</title></head><body>\n");
  +        //REVISIT: what happens if there is no engine?
           AxisServer server = getEngine();
   
  -        String cmd = req.getParameter("cmd");
  +        //process command
  +        String cmd = request.getParameter("cmd");
           if (cmd != null) {
  -            if (cmd.equals("start"))
  -                server.start();
  -            else
  -                server.stop();
  +            //who called?
  +            String callerIP=request.getRemoteAddr();
  +            if (!isProduction()) {
  +                //only in dev mode do these command work
  +                if (cmd.equals("start")) {
  +                    log.info(JavaUtils.getMessage("adminServiceStart", callerIP));
  +                    server.start();
  +                }
  +                else if (cmd.equals("stop")) {
  +                    log.info(JavaUtils.getMessage("adminServiceStop", callerIP));
  +                    server.stop();
  +                }
  +            } else {
  +                //in production we log a hostile probe. Remember: logs can be
  +                //used for DoS attacks themselves.
  +                log.info(JavaUtils.getMessage("adminServiceDeny", callerIP));
  +            }
           }
   
  +        // display status
           if (server.isRunning()) {
  -            str += JavaUtils.getMessage("serverRun00");
  +            buffer.append(JavaUtils.getMessage("serverRun00"));
           }
           else {
  -            str += JavaUtils.getMessage("serverStop00");
  +            buffer.append(JavaUtils.getMessage("serverStop00"));
  +        }
  +        //add commands
  +        if(!isProduction()) {
  +            buffer.append("<p><a href=\"AdminServlet?cmd=start\">start server</a>\n");
  +            buffer.append("<p><a href=\"AdminServlet?cmd=stop\">stop server</a>\n");
           }
  -        str += "<p><a href=\"AdminServlet?cmd=start\">start server</a>";
  -        str += "<p><a href=\"AdminServlet?cmd=stop\">stop server</a>";
  -        str += "<p>Current Load = "+getLoadCounter();
  -        res.getWriter().println( str );
  +        //print load
  +        buffer.append("<p>");
  +        buffer.append(JavaUtils.getMessage("adminServiceLoad",
  +                Integer.toString(getLoadCounter())));
  +        buffer.append("\n</body></html>\n");
  +        response.getWriter().print( new String(buffer) );
       }
   }
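Review bot: The start and stop commands in doGet still run for any caller whenever isProduction() is false, and they are triggered by a plain GET link, so a crawler, a prefetching browser or a cross-site link can stop the engine on any box that has not set the production flag. Consider handling `cmd` only in doPost behind the container's authentication and leaving doGet to render status. Separately, the new logger is created with `AxisServlet.class.getName()`, so the start/stop/deny audit lines are filed under AxisServlet's category; `LogFactory.getLog(AdminServlet.class.getName())` would let operators filter admin activity on its own. An unrecognised `cmd` in development mode is now dropped without any log line, and the deny branch logs at info, where `log.warn(...)` may suit a refused admin command better.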
  
  
  
  1.135     +6 -23     xml-axis/java/src/org/apache/axis/transport/http/AxisServlet.java
  
  Index: AxisServlet.java
  ===================================================================
  RCS file: /home/cvs/xml-axis/java/src/org/apache/axis/transport/http/AxisServlet.java,v
  retrieving revision 1.134
  retrieving revision 1.135
  diff -u -r1.134 -r1.135
  --- AxisServlet.java	14 Aug 2002 06:31:43 -0000	1.134
  +++ AxisServlet.java	15 Aug 2002 06:59:55 -0000	1.135
  @@ -103,6 +103,10 @@
   public class AxisServlet extends AxisServletBase {
       protected static Log log =
           LogFactory.getLog(AxisServlet.class.getName());
  +
  +    /**
  +     * this log is for timing
  +     */
       private static Log tlog =
           LogFactory.getLog("org.apache.axis.TIME");
   
  @@ -123,7 +127,8 @@
       private ServletSecurityProvider securityProvider = null;
   
       /**
  -     * cache of logging debug option; only evaluated at init time
  +     * cache of logging debug option; only evaluated at init time.
  +     * So no dynamic switching of logging options with this servlet.
        */
        private static boolean isDebug = false;
   
  @@ -784,28 +789,6 @@
               soapAction = req.getContextPath(); // Is this right?
   
           return soapAction;
  -    }
  -
  -    /**
  -     * Retrieve option, in order of precedence:
  -     * (Managed) System property (see discovery.ManagedProperty),
  -     * servlet init param, context init param.
  -     * Use of system properties is discouraged in production environments,
  -     * as it overrides everything else.
  -     */
  -    private String getOption(ServletContext context,
  -                             String param,
  -                             String dephault)
  -    {
  -        String value = AxisProperties.getProperty(param);
  -
  -        if (value == null)
  -            value = getInitParameter(param);
  -
  -        if (value == null)
  -            value = context.getInitParameter(param);
  -
  -        return (value != null) ? value : dephault;
       }
   
       /**
  
  
  
  1.11      +47 -5     xml-axis/java/src/org/apache/axis/transport/http/AxisServletBase.java
  
  Index: AxisServletBase.java
  ===================================================================
  RCS file: /home/cvs/xml-axis/java/src/org/apache/axis/transport/http/AxisServletBase.java,v
  retrieving revision 1.10
  retrieving revision 1.11
  diff -u -r1.10 -r1.11
  --- AxisServletBase.java	14 Aug 2002 06:18:13 -0000	1.10
  +++ AxisServletBase.java	15 Aug 2002 06:59:55 -0000	1.11
  @@ -55,9 +55,8 @@
   
   package org.apache.axis.transport.http;
   
  -import org.apache.axis.AxisFault;
  -import org.apache.axis.AxisEngine;
  -import org.apache.axis.EngineConfiguration;
  +import org.apache.axis.*;
  +import org.apache.axis.utils.JavaUtils;
   import org.apache.axis.configuration.ServletEngineConfigurationFactory;
   import org.apache.axis.server.AxisServer;
   
  @@ -121,6 +120,17 @@
        */
       private String homeDir = null;
   
  +    /**
  +     * flag set to true for a 'production' server
  +     */
  +    private boolean isProduction;
  +
  +    /**
  +     * property name for a production server
  +     */
  +    private static final String INIT_PROPERTY_PRODUCTION_SYSTEM=
  +               "axis.production-system";
  +
   
       /**
        * our initialize routine; subclasses should call this if they override it
  @@ -131,8 +141,10 @@
           webInfPath = context.getRealPath("/WEB-INF");
           homeDir = context.getRealPath("/");
   
  -        isDebug= log.isDebugEnabled();
  -        if(isDebug) log.debug("In AxisServletBase init");
  +        isDebug = log.isDebugEnabled();
  +        if(log.isDebugEnabled()) log.debug("In AxisServletBase init");
  +        isProduction= JavaUtils.isTrueExplicitly(getOption(context,
  +                        INIT_PROPERTY_PRODUCTION_SYSTEM, null));
   
       }
   
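Review bot: The production flag fails open. `isProduction` is assigned from `JavaUtils.isTrueExplicitly(getOption(context, INIT_PROPERTY_PRODUCTION_SYSTEM, null))`, so, assuming isTrueExplicitly returns false for null or unrecognised text as its name suggests, a deployment that omits or misspells `axis.production-system` runs with the admin commands enabled. Consider logging the resolved mode once at init so operators can see it, for example `log.info("axis.production-system resolved to " + isProduction);`, or inverting the option so that development features are what must be switched on explicitly. The line `if(log.isDebugEnabled()) log.debug(...)` also repeats the call whose result was just stored in `isDebug`. init() begins outside this hunk.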
  @@ -365,6 +377,36 @@
        */
       protected String getHomeDir() {
           return homeDir;
  +    }
  +
  +    /**
  +     * Retrieve option, in order of precedence:
  +     * (Managed) System property (see discovery.ManagedProperty),
  +     * servlet init param, context init param.
  +     * Use of system properties is discouraged in production environments,
  +     * as it overrides everything else.
  +     */
  +    protected String getOption(ServletContext context,
  +                             String param,
  +                             String dephault)
  +    {
  +        String value = AxisProperties.getProperty(param);
  +
  +        if (value == null)
  +            value = getInitParameter(param);
  +
  +        if (value == null)
  +            value = context.getInitParameter(param);
  +
  +        return (value != null) ? value : dephault;
  +    }
  +
  +    /**
  +     * probe for the system being 'production'
  +     * @return true for a secure/robust system.
  +     */
  +    public boolean isProduction() {
  +        return isProduction;
       }
   
   }
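Review bot: getOption lets a JVM system property override the servlet and context init parameters, which its own Javadoc discourages for production, and after this change that precedence also decides the `axis.production-system` flag. A deployer who sets the flag in web.xml can therefore have it overridden by a process-wide property, which is worth stating in the Javadoc of isProduction(), e.g. `@return true only if axis.production-system resolved to an explicit true value; a system property takes precedence over web.xml`. getOption is now protected, so subclasses will call it; it would benefit from `@param` and `@return` tags, including that `dephault` is returned when no source defines the option.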