Author: ashishjain
Date: Thu Jun 10 08:45:57 2010
New Revision: 953250
URL: http://svn.apache.org/viewvc?rev=953250&view=rev
Log:
GERONIMO-5379 Fixes for geronimo custom AXIS2 for 2.1 branch
Added:
geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
geronimo/server/branches/2.1/repository/org/apache/ws/
geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
geronimo/server/branches/2.1/repository/org/apache/ws/commons/
geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/
geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/
geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/
geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
(with props)
geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt (with
props)
Modified:
geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar
Modified: geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
URL:
http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT?rev=953250&r1=953249&r2=953250&view=diff
==============================================================================
--- geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
(original)
+++ geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT Thu Jun
10 08:45:57 2010
@@ -3,7 +3,7 @@ Private Build of Axis2 1.3 for Geronimo.
How to build Axis2 1.3-G20090406:
---------------------------------
Checkout the Axis2 1.3 tag
- svn co http://svn.apache.org/repos/asf/webservices/axis2/tags/java/v1.3/
axis2-1.3
+ svn co http://svn.apache.org/repos/asf/axis/axis2/java/core/tags/java/v1.3
Apply the patches
@@ -14,6 +14,7 @@ Apply the patches
patch -p0 -i metadata.patch
patch -p0 -i jaxws.patch
patch -p0 -i kernel.patch
+ patch -p0 -i builder.patch
Build Axis2 1.3
---------------
@@ -32,6 +33,7 @@ Patch Information
metadata.patch - contains fixes for SEI with overloaded methods
jaxws.patch - contains fixes for AXIS2-3343 and RESTful invocations
kernel.patch - contains fixes for AXIS2-4279
+ builder.patch - contains fixes for AXIS2-4450
Copy patched jar files to appropriate locations
-----------------------------------------------
Modified:
geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar
URL:
http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar?rev=953250&r1=953249&r2=953250&view=diff
==============================================================================
Binary files - no diff available.
Added: geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
URL:
http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch?rev=953250&view=auto
==============================================================================
--- geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
(added)
+++ geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch Thu
Jun 10 08:45:57 2010
@@ -0,0 +1,132 @@
+Index: modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
+===================================================================
+--- modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
(revision 952555)
++++ modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
(working copy)
+@@ -192,9 +192,9 @@
+ public static StAXBuilder getPOXBuilder(InputStream inStream, String
charSetEnc)
+ throws XMLStreamException {
+ StAXBuilder builder;
+- XMLStreamReader xmlreader =
+- StAXUtils.createXMLStreamReader(inStream, charSetEnc);
+- builder = new StAXOMBuilder(xmlreader);
++ XMLStreamReader xmlReader =
StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
++ builder = new StAXOMBuilder(xmlReader);
++ ((StAXOMBuilder) builder).setAllowDTDandPI(false);
+ return builder;
+ }
+
+@@ -374,7 +374,7 @@
+ PushbackInputStream pis =
getPushbackInputStream(attachments.getSOAPPartInputStream());
+ String actualCharSetEncoding = getCharSetEncoding(pis,
charSetEncoding);
+
+- streamReader = StAXUtils.createXMLStreamReader(pis,
actualCharSetEncoding);
++ streamReader = StAXUtils.createSecureXMLStreamReader(pis,
actualCharSetEncoding);
+ } catch (IOException e) {
+ throw new XMLStreamException(e);
+ }
+@@ -414,13 +414,16 @@
+ XOPAwareStAXOMBuilder stAXOMBuilder = new
XOPAwareStAXOMBuilder(
+ streamReader, attachments);
+ builder = stAXOMBuilder;
++ ((XOPAwareStAXOMBuilder) builder).setAllowDTDandPI(false);
+
+ } else if (attachments.getAttachmentSpecType().equals(
+ MTOMConstants.SWA_TYPE)) {
+ builder = new StAXOMBuilder(streamReader);
++ ((XOPAwareStAXOMBuilder) builder).setAllowDTDandPI(false);
+ } else if (attachments.getAttachmentSpecType().equals(
+ MTOMConstants.SWA_TYPE_12)) {
+ builder = new StAXOMBuilder(streamReader);
++ ((XOPAwareStAXOMBuilder) builder).setAllowDTDandPI(false);
+ }
+ }
+
+@@ -531,8 +534,8 @@
+ * @deprecated If some one really need this method, please shout.
+ */
+ public static StAXBuilder getBuilder(Reader in) throws XMLStreamException
{
+- XMLStreamReader xmlreader = StAXUtils.createXMLStreamReader(in);
+- StAXBuilder builder = new StAXSOAPModelBuilder(xmlreader, null);
++ XMLStreamReader xmlReader = StAXUtils.createSecureXMLStreamReader(in);
++ StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader, null);
+ return builder;
+ }
+
+@@ -544,8 +547,10 @@
+ * @throws XMLStreamException
+ */
+ public static StAXBuilder getBuilder(InputStream inStream) throws
XMLStreamException {
+- XMLStreamReader xmlReader = StAXUtils.createXMLStreamReader(inStream);
+- return new StAXOMBuilder(xmlReader);
++ XMLStreamReader xmlReader =
StAXUtils.createSecureXMLStreamReader(inStream);
++ StAXBuilder builder = new StAXOMBuilder(xmlReader);
++ ((StAXOMBuilder) builder).setAllowDTDandPI(false);
++ return builder;
+ }
+
+ /**
+@@ -558,7 +563,7 @@
+ */
+ public static StAXBuilder getBuilder(InputStream inStream, String
charSetEnc)
+ throws XMLStreamException {
+- XMLStreamReader xmlReader = StAXUtils.createXMLStreamReader(inStream,
charSetEnc);
++ XMLStreamReader xmlReader =
StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
+ try {
+ StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader);
+ return builder;
+@@ -580,7 +585,7 @@
+ * @throws XMLStreamException
+ */
+ public static StAXBuilder getSOAPBuilder(InputStream inStream) throws
XMLStreamException {
+- XMLStreamReader xmlReader = StAXUtils.createXMLStreamReader(inStream);
++ XMLStreamReader xmlReader =
StAXUtils.createSecureXMLStreamReader(inStream);
+ try {
+ StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader);
+ return builder;
+@@ -604,7 +609,7 @@
+ */
+ public static StAXBuilder getSOAPBuilder(InputStream inStream, String
charSetEnc)
+ throws XMLStreamException {
+- XMLStreamReader xmlReader = StAXUtils.createXMLStreamReader(inStream,
charSetEnc);
++ XMLStreamReader xmlReader =
StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
+ try {
+ StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader);
+ return builder;
+@@ -621,8 +626,9 @@
+ public static StAXBuilder getBuilder(SOAPFactory soapFactory, InputStream
in, String charSetEnc)
+ throws XMLStreamException {
+ StAXBuilder builder;
+- XMLStreamReader xmlreader = StAXUtils.createXMLStreamReader(in,
charSetEnc);
+- builder = new StAXOMBuilder(soapFactory, xmlreader);
++ XMLStreamReader xmlReader = StAXUtils.createSecureXMLStreamReader(in,
charSetEnc);
++ builder = new StAXOMBuilder(soapFactory, xmlReader);
++ ((StAXOMBuilder) builder).setAllowDTDandPI(false);
+ return builder;
+ }
+
+Index: modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
+===================================================================
+--- modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
(revision 952555)
++++ modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
(working copy)
+@@ -51,7 +51,7 @@
+ String actualCharSetEncoding =
BuilderUtil.getCharSetEncoding(pis, charSetEncoding);
+
+ // Get the XMLStreamReader for this input stream
+- streamReader = StAXUtils.createXMLStreamReader(pis,
actualCharSetEncoding);
++ streamReader= StAXUtils.createSecureXMLStreamReader(pis,
actualCharSetEncoding);
+ StAXBuilder builder = new MTOMStAXSOAPModelBuilder(streamReader,
+ attachments);
+ SOAPEnvelope envelope = (SOAPEnvelope)
builder.getDocumentElement();
+Index: modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
+===================================================================
+--- modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
(revision 952555)
++++ modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
(working copy)
+@@ -48,7 +48,7 @@
+ String actualCharSetEncoding =
BuilderUtil.getCharSetEncoding(pis, charSetEncoding);
+
+ // Get the XMLStreamReader for this input stream
+- streamReader = StAXUtils.createXMLStreamReader(pis,
actualCharSetEncoding);
++ streamReader = StAXUtils.createSecureXMLStreamReader(pis,
actualCharSetEncoding);
+
+ StAXBuilder builder = new StAXSOAPModelBuilder(streamReader);
+ SOAPEnvelope envelope = (SOAPEnvelope)
builder.getDocumentElement();
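Review bot: The two SwA branches in the BuilderUtil.java hunk at -414,13 +414,16 (SWA_TYPE and SWA_TYPE_12) assign `builder = new StAXOMBuilder(streamReader);` and then cast it with `((XOPAwareStAXOMBuilder) builder).setAllowDTDandPI(false);`, which looks like a copy-paste from the MTOM branch above. Since axiom_api.patch adds setAllowDTDandPI only to StAXOMBuilder, XOPAwareStAXOMBuilder presumably extends it, so a plain StAXOMBuilder instance cannot be cast to the subclass. If so, both branches throw ClassCastException before the DTD/PI restriction is applied, and SwA messages fail to build. Both lines should read `((StAXOMBuilder) builder).setAllowDTDandPI(false);`, as the other BuilderUtil hunks already do. The enclosing method starts and ends outside the hunk, so confirm the declared type of `builder` there.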
Added: geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
URL:
http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch?rev=953250&view=auto
==============================================================================
--- geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
(added)
+++ geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch Thu
Jun 10 08:45:57 2010
@@ -0,0 +1,267 @@
+Index:
modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
+===================================================================
+---
modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
(revision 949978)
++++
modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
(working copy)
+@@ -52,6 +52,7 @@
+ private static final Log log = LogFactory.getLog(StAXOMBuilder.class);
+ private boolean doTrace = log.isDebugEnabled();
+ private static int nsCount = 0;
++ boolean allowDTDandPI = true;
+
+ /**
+ * Constructor StAXOMBuilder.
+@@ -309,6 +310,9 @@
+ * @throws OMException
+ */
+ protected OMNode createDTD() throws OMException {
++ if (!allowDTDandPI) {
++ throw new OMException("Inbound message MUST NOT contain a Document
Type Declaration(DTD)");
++ }
+ if (!parser.hasText())
+ return null;
+ lastNode = omfactory.createOMDocType(document, parser.getText());
+@@ -322,6 +326,9 @@
+ * @throws OMException
+ */
+ protected OMNode createPI() throws OMException {
++ if (!allowDTDandPI) {
++ throw new OMException("Inbound message MUST NOT contain Processing
Instructions(PI)");
++ }
+ OMNode node;
+ String target = parser.getPITarget();
+ String data = parser.getPIData();
+@@ -337,6 +344,20 @@
+ return node;
+ }
+
++
++ /**
++ * @return true if Document Type Definitions and Processing Instructions
are allowed
++ */
++ public boolean isAllowDTDandPI() {
++ return allowDTDandPI;
++ }
++
++ /**
++ * @param allowDTDandPI boolean
++ */
++ public void setAllowDTDandPI(boolean allowDTDandPI) {
++ this.allowDTDandPI = allowDTDandPI;
++ }
+ protected void endElement() {
+ if (lastNode.isComplete()) {
+ OMNodeEx parent = (OMNodeEx) lastNode.getParent();
+Index:
modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
+===================================================================
+---
modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
(revision 0)
++++
modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
(revision 0)
+@@ -0,0 +1,47 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one
++ * or more contributor license agreements. See the NOTICE file
++ * distributed with this work for additional information
++ * regarding copyright ownership. The ASF licenses this file
++ * to you under the Apache License, Version 2.0 (the
++ * "License"); you may not use this file except in compliance
++ * with the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing,
++ * software distributed under the License is distributed on an
++ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
++ * KIND, either express or implied. See the License for the
++ * specific language governing permissions and limitations
++ * under the License.
++ */
++package org.apache.axiom.om.util;
++
++import javax.xml.stream.XMLResolver;
++import javax.xml.stream.XMLStreamException;
++
++import org.apache.commons.logging.Log;
++import org.apache.commons.logging.LogFactory;
++
++/**
++ * This XMLResolver is used whenever a secure XMLStreamReader
++ * is needed. Basically it thows an exception if an attempt
++ * is made to read an entity.
++ */
++public final class SecureXMLResolver implements XMLResolver {
++
++ private static Log log = LogFactory.getLog(SecureXMLResolver.class);
++ public Object resolveEntity(String arg0, String arg1, String arg2,
++ String arg3) throws XMLStreamException {
++ // Note Scheu:
++ // Do not expose the name of the entity that was attempted to be
++ // read as this will reveal secure information to the client.
++ if (log.isDebugEnabled()) {
++ log.debug("resolveEntity is disabled because this is a secure
XMLStreamReader(" +
++ arg0 + ") (" + arg1 + ") (" + arg2 + ") (" + arg3 +
")");
++ }
++ throw new XMLStreamException("Reading external entities is disabled");
++ }
++
++}
+\ No newline at end of file
+
+Property changes on:
modules\axiom-api\src\main\java\org\apache\axiom\om\util\SecureXMLResolver.java
+___________________________________________________________________
+Name: svn:mime-type
+ + text/plain
+Name: svn:keywords
+ + Date Revision
+Name: svn:eol-style
+ + native
+
+Index: modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
+===================================================================
+--- modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
(revision 949978)
++++ modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
(working copy)
+@@ -113,6 +113,39 @@
+ }
+ });
+
++ private static final Pool secureXmlInputFactoryPool =
++ new Pool(new ObjectCreator[] { new ObjectCreator() {
++ public Object newObject() {
++ return AccessController.doPrivileged(new PrivilegedAction() {
++ public Object run() {
++ // return
XMLInputFactory.newInstance("javax.xml.stream.XMLInputFactory",
StAXUtils.class.getClassLoader());
++ // TODO: Refactor this code when the FactoryFinder.class in XLXP
fixed and used instead of the Axis2-bundle version
++ // Try to simulate the above to create XMLInputFactory using the
specific classloader
++ // This it not quite the same since it will modify the classloader for
all classes
++ Thread currentThread = Thread.currentThread();
++ ClassLoader savedClassLoader = currentThread.getContextClassLoader();
++ XMLInputFactory factory = null;
++ try {
++
currentThread.setContextClassLoader(StAXUtils.class.getClassLoader());
++ factory = XMLInputFactory.newInstance();
++
++ // The following setting disabled external entities...which is a
requirement
++ // for network xml reading.
++ setSecureProperties(factory);
++ } finally {
++ currentThread.setContextClassLoader(savedClassLoader);
++ }
++ return factory;
++ }
++ });
++ }
++ }, new ObjectCreator() {
++ public Object newObject() {
++ return XMLInputFactory.newInstance();
++ }
++ } });
++
++
+ private static final Pool xmlOutputFactoryPool = new Pool(new
ObjectCreator[] {
+ new ObjectCreator() {
+ public Object newObject() {
+@@ -144,6 +177,106 @@
+ }
+ }
+ });
++
++ /**
++ * Gets an XMLInputFactory instance from pool.
++ *
++ * @return an XMLInputFactory instance.
++ */
++ private static XMLInputFactory getSecureXMLInputFactory() {
++ return (XMLInputFactory) secureXmlInputFactoryPool.getInstance();
++ }
++
++ /**
++ * Returns an XMLInputFactory instance for reuse.
++ *
++ * @param factory An XMLInputFactory instance that is available for reuse
++ */
++ private static void releaseSecureXMLInputFactory(XMLInputFactory factory)
{
++ secureXmlInputFactoryPool.releaseInstance(factory);
++ }
++
++ /**
++ * Create an XMLStreamReader that will be used to read a stream for
++ * an incoming message. We need to use more restrictive "secure"
properties
++ * to ensure against attacks.
++ * @param in
++ * @param encoding
++ * @return
++ * @throws XMLStreamException
++ */
++ public static XMLStreamReader createSecureXMLStreamReader(InputStream in,
String encoding)
++ throws XMLStreamException {
++ XMLInputFactory inputFactory = getSecureXMLInputFactory();
++ try {
++ XMLStreamReader reader = inputFactory.createXMLStreamReader(in, encoding);
++ if (isDebugEnabled) {
++ log.debug("XMLStreamReader is " + reader.getClass().getName());
++ }
++ return reader;
++ } finally {
++ releaseSecureXMLInputFactory(inputFactory);
++ }
++ }
++
++ /**
++ * Create an XMLStreamReader that will be used to read a stream for
++ * an incoming message. We need to use more restrictive "secure"
properties
++ * to ensure against attacks.
++ * @param in
++ * @return
++ * @throws XMLStreamException
++ */
++ public static XMLStreamReader createSecureXMLStreamReader(InputStream
in) throws XMLStreamException {
++ XMLInputFactory inputFactory = getSecureXMLInputFactory();
++ try {
++ XMLStreamReader reader =
inputFactory.createXMLStreamReader(in);
++ if (isDebugEnabled) {
++ log.debug("XMLStreamReader is " +
reader.getClass().getName());
++ }
++ return reader;
++ } finally {
++ releaseSecureXMLInputFactory(inputFactory);
++ }
++ }
++
++ /**
++ * Create an XMLStreamReader that will be used to read a stream for
++ * an incoming message. We need to use more restrictive "secure"
properties
++ * to ensure against attacks.
++ *
++ * @param in
++ * @return
++ * @throws XMLStreamException
++ */
++ public static XMLStreamReader createSecureXMLStreamReader(Reader in)
throws XMLStreamException {
++ XMLInputFactory inputFactory = getXMLInputFactory();
++ try {
++ XMLStreamReader reader =
inputFactory.createXMLStreamReader(in);
++ if (isDebugEnabled) {
++ log.debug("XMLStreamReader is " +
reader.getClass().getName());
++ }
++ return reader;
++ } finally {
++ releaseSecureXMLInputFactory(inputFactory);
++ }
++ }
++
++ private static void setSecureProperties(XMLInputFactory f) {
++ // The goal is to prevent tampering of the message
++ // by external entities or denial of service
++ // replacing entities.
++ // Setting the following properties ensures this goal
++
f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES,
++ Boolean.FALSE);
++
f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES,
++ Boolean.FALSE);
++ f.setProperty(XMLInputFactory.SUPPORT_DTD,
++ Boolean.FALSE);
++ f.setXMLResolver(new SecureXMLResolver());
++ }
++
++
+
+
+ private static Log log = LogFactory.getLog(StAXUtils.class);
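Review bot: The `createSecureXMLStreamReader(Reader in)` overload added to StAXUtils.java obtains its factory with `getXMLInputFactory()` instead of `getSecureXMLInputFactory()`, so the reader it returns carries none of the restrictions applied in setSecureProperties. Its finally block then passes that factory to `releaseSecureXMLInputFactory`, so, depending on how Pool reuses released instances, later InputStream callers may draw an unhardened factory from the secure pool. The first statement of the method should be `XMLInputFactory inputFactory = getSecureXMLInputFactory();`. The second ObjectCreator in secureXmlInputFactoryPool has a related gap: it returns `XMLInputFactory.newInstance()` without calling `setSecureProperties`, so any factory it creates keeps the default entity and DTD handling. BuilderUtil.getBuilder(Reader) in builder.patch relies on the Reader overload, so it inherits the first problem.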
Added:
geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
URL:
http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar?rev=953250&view=auto
==============================================================================
Binary file - no diff available.
Propchange:
geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
------------------------------------------------------------------------------
svn:mime-type = application/java-archive
Added: geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
URL:
http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt?rev=953250&view=auto
==============================================================================
--- geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt (added)
+++ geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt Thu Jun 10
08:45:57 2010
@@ -0,0 +1,30 @@
+Private Build of Axiom 1.2.5 for Geronimo.
+
+How to build Axiom 1.2.5
+---------------------------------
+ Checkout the Axiom 1.2.5 tag
+ svn co http://svn.apache.org/repos/asf/webservices/commons/tags/axiom/1_2_5
+
+
+Apply the patch
+-----------------
+ cd 1_2_5
+ patch -p0 -i axiom_api.patch
+
+Build Axiom 1.2.5
+---------------
+ cd 1_2_5
+ mvn install
+
+Notes:
+ - Use Sun 1.5.x and Maven 2.0.9 build.
+
+
+Patch Information
+-----------------
+ axiom_api.patch - contains fixes for AXIS2-4450
+
+Copy patched jar files to appropriate locations
+-----------------------------------------------
+ cd 1_2_5
+ cp
modules/axiom-api/target/axiom-api-1.2.5.jar<geronimo-root>/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
\ No newline at end of file
Propchange: geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
------------------------------------------------------------------------------
svn:mime-type = text/plain