Just documenting some of my findings about the BlazeDS proxy module.

The HTTPProxyService class is compiled into flex-messaging-proxy.jar. BlazeDS 
may be configured to use HTTPProxyService in services-config.xml, like this:

<service id="proxy-service" class="flex.messaging.services.HTTPProxyService">

If flex-messaging-proxy.jar is missing, and an HTTPProxyService is configured 
in services-config.xml, the following exception will be thrown:

flex.messaging.MessageException: Cannot create class of type 
'flex.messaging.services.HTTPProxyService'. Type 
'flex.messaging.services.HTTPProxyService' not found.

However, exposing an HTTPProxyService is not required by BlazeDS. If there is 
no HTTPProxyService configured, and flex-messaging-proxy.jar is not available 
on the classpath, then other services (such as RemotingService and 
MessageService) seem to continue to work correctly. I basically only needed to 
comment out the <service> element for HTTPProxyService in services-config.xml, 
and the other services started working again.

I have no idea how common it is to use HTTPProxyService in real-world 
production servers. Hopefully, it's not very likely, and removing it will have 
little impact. As noted above, my tests seem to indicate that it's technically 
possible to remove the proxy module, and BlazeDS will still be functional for 
other service types. I think we'll need to include three things in the release 
notes about this removal:

1) That flex-messaging-proxy.jar and the HTTPProxyService are removed.
2) The full text of the exception that gets thrown when services-config.xml 
references HTTPProxyService.
3) Instructions on how to disable HTTPProxyService in services-config.xml.

- Josh

On 2023/01/10 00:03:04 Josh Tynjala wrote:
> Okay, some updates on my progress with BlazeDS.
> 
> - I made the necessary changes to remove the vulnerable xalan dependency.
> - I looked at the proxy module issue, where we need to replace the obsolete 
> commons-httpclient 3.x with its successor, httpcomponents-httpclient 4.x. It 
> seems to be non-trivial to upgrade. I'm not sure that we have much test 
> coverage either, so there would be a certain amount of risk. I can see why 
> Piotr said that we should exclude the proxy module from the release instead. 
> I want to do a little bit of testing/investigation to see how much impact 
> removing the proxy module might have.
> - I moved the OWASP dependency checker into a 'with-owasp' profile. We don't 
> want that being a default part of the build because a failing build will be 
> confusing for users that want to build from source, if any new CVEs are 
> issued in the future. It should be mainly for our CI and release managers 
> instead. It can be enabled by adding `-P with-owasp` to the `mvn install` 
> command.
> - I replaced the 'flex-ci-build' profile with a new 'with-distribution' 
> profile. It builds not only the source distribution, but also a **new** 
> binary distribution, which we didn't have before. The binary distribution is 
> identical to the source distribution, except that it also has a 'lib' 
> directory that contains all of the built .jar files and their required 
> dependencies.
> - I merged everything from security-updates into develop. I'll continue any 
> further work on develop.
> 
> Folks, I need help with one thing: Do we have release manager 
> instructions/checklist for BlazeDS? Thanks!
> 
> - Josh
> 
> On 2023/01/04 20:59:29 Josh Tynjala wrote:
> > I'd like to spend some time this month finishing up the recent BlazeDS
> > stuff so that we can get it released.
> > 
> > Can someone confirm that the changes listed here are still what should be
> > done? It looks straightforward enough.
> > 
> > https://lists.apache.org/thread/9h7th05wc57399jp7l7mj11c45nq8jbn
> > 
> > And which branch should I commit to? security-updates? develop? master?
> > Something else?
> > 
> > Thanks,
> > 
> > --
> > Josh Tynjala
> > Bowler Hat LLC <https://bowlerhat.dev>
> > 
> 

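The release-note items in Josh's message (the exception when HTTPProxyService is referenced but flex-messaging-proxy.jar is absent, and disabling the service in services-config.xml) amount to a check that can be automated. The script below is an added example, not code from the BlazeDS project or from anyone in the thread. It parses a constructed services-config.xml, lists any <service> whose class is flex.messaging.services.HTTPProxyService, removes those elements (the thread comments them out by hand; removal has the same effect on the MessageBroker), and classifies the deployment against the jar names found in a lib directory. It only inspects the one XML document it is given; a configuration that pulls the proxy service in through a <service-include> file would need that included file passed in as well.

```python
"""Audit a BlazeDS services-config.xml for an HTTPProxyService definition.

Added example, not part of the BlazeDS project or the mailing-list thread.
The sample configuration below is constructed for this script.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

PROXY_CLASS = "flex.messaging.services.HTTPProxyService"
PROXY_JAR = "flex-messaging-proxy.jar"

# Constructed sample: one proxy service and one remoting service sharing a channel.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<services-config>
  <services>
    <service id="proxy-service" class="flex.messaging.services.HTTPProxyService">
      <default-channels>
        <channel ref="my-amf"/>
      </default-channels>
    </service>
    <service id="remoting-service" class="flex.messaging.services.RemotingService">
      <default-channels>
        <channel ref="my-amf"/>
      </default-channels>
    </service>
  </services>
  <channels>
    <channel-definition id="my-amf" class="mx.messaging.channels.AMFChannel">
      <endpoint url="http://{server.name}:{server.port}/{context.root}/messagebroker/amf"
                class="flex.messaging.endpoints.AMFEndpoint"/>
    </channel-definition>
  </channels>
</services-config>
"""


def find_proxy_services(xml_text: str) -> list:
    """Return the ids of every <service> element whose class is HTTPProxyService."""
    root = ET.fromstring(xml_text)
    return [svc.get("id", "") for svc in root.iter("service")
            if svc.get("class") == PROXY_CLASS]


def remove_proxy_services(xml_text: str) -> tuple:
    """Return (new_xml, removed_count) with every HTTPProxyService <service> dropped.

    Other services (RemotingService, MessageService, ...) are left untouched.
    """
    root = ET.fromstring(xml_text)
    removed = 0
    # Snapshot the tree first so that removing children does not disturb the walk.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == "service" and child.get("class") == PROXY_CLASS:
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def jars_in(lib_dir) -> list:
    """Names of the .jar files in a deployment's lib directory."""
    return sorted(p.name for p in Path(lib_dir).glob("*.jar"))


def proxy_jar_present(jar_names) -> bool:
    return PROXY_JAR in set(jar_names)


def audit(xml_text: str, jar_names) -> dict:
    """Classify a deployment the way the thread describes the four cases.

    'broken' is the case that raises flex.messaging.MessageException
    ("Type 'flex.messaging.services.HTTPProxyService' not found") at startup.
    """
    ids = find_proxy_services(xml_text)
    jar = proxy_jar_present(jar_names)
    if ids and not jar:
        verdict = "broken"
    elif ids:
        verdict = "proxy-enabled"
    elif jar:
        verdict = "proxy-not-configured"
    else:
        verdict = "proxy-removed"
    return {"proxy_services": ids, "proxy_jar": jar, "verdict": verdict}


if __name__ == "__main__":
    # Usage: python audit_proxy.py [services-config.xml] [lib-dir]
    xml_text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_CONFIG
    jars = jars_in(sys.argv[2]) if len(sys.argv) > 2 else []
    print(audit(xml_text, jars))
    fixed, count = remove_proxy_services(xml_text)
    print(f"removed {count} HTTPProxyService element(s); remaining audit:",
          audit(fixed, jars)["verdict"])
```

Run against the sample with no lib directory, the first audit reports "broken" (the service is referenced, the jar is absent) and the second, after removal, "proxy-removed". Against a real deployment, pass the path to services-config.xml and the application's lib directory; the script reads the configuration only and writes nothing back, so the cleaned XML must be saved deliberately if it is to replace the original.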