Author: ashishjain
Date: Thu Jun 10 08:45:57 2010
New Revision: 953250
URL: http://svn.apache.org/viewvc?rev=953250&view=rev
Log:
GERONIMO-5379 Fixes for geronimo custom AXIS2 for 2.1 branch
Added:
geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
geronimo/server/branches/2.1/repository/org/apache/ws/
geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
geronimo/server/branches/2.1/repository/org/apache/ws/commons/
geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/
geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/
geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/
geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
(with props)
geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
(with props)
Modified:
geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar
Modified:
geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
URL:
http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT?rev=953250&r1=953249&r2=953250&view=diff
==============================================================================
---
geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
(original)
+++
geronimo/server/branches/2.1/repository/org/apache/axis2/README.TXT
Thu Jun 10 08:45:57 2010
@@ -3,7 +3,7 @@ Private Build of Axis2 1.3 for Geronimo.
How to build Axis2 1.3-G20090406:
---------------------------------
Checkout the Axis2 1.3 tag
- svn co
http://svn.apache.org/repos/asf/webservices/axis2/tags/java/v1.3/
axis2-1.3
+ svn co
http://svn.apache.org/repos/asf/axis/axis2/java/core/tags/java/v1.3
Apply the patches
@@ -14,6 +14,7 @@ Apply the patches
patch -p0 -i metadata.patch
patch -p0 -i jaxws.patch
patch -p0 -i kernel.patch
+ patch -p0 -i builder.patch
Build Axis2 1.3
---------------
@@ -32,6 +33,7 @@ Patch Information
metadata.patch - contains fixes for SEI with overloaded methods
jaxws.patch - contains fixes for AXIS2-3343 and RESTful invocations
kernel.patch - contains fixes for AXIS2-4279
+ builder.patch - contains fixes for AXIS2-4450
Copy patched jar files to appropriate locations
-----------------------------------------------
Modified:
geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar
URL:
http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/axis2-kernel/1.3-G20090406/axis2-kernel-1.3-G20090406.jar?rev=953250&r1=953249&r2=953250&view=diff
==============================================================================
Binary files - no diff available.
Added:
geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
URL:
http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch?rev=953250&view=auto
==============================================================================
---
geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
(added)
+++
geronimo/server/branches/2.1/repository/org/apache/axis2/builder.patch
Thu Jun 10 08:45:57 2010
@@ -0,0 +1,132 @@
+Index: modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
+===================================================================
+--- modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
(revision 952555)
++++ modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
(working copy)
+@@ -192,9 +192,9 @@
+ public static StAXBuilder getPOXBuilder(InputStream inStream,
String charSetEnc)
+ throws XMLStreamException {
+ StAXBuilder builder;
+- XMLStreamReader xmlreader =
+- StAXUtils.createXMLStreamReader(inStream, charSetEnc);
+- builder = new StAXOMBuilder(xmlreader);
++ XMLStreamReader xmlReader =
StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
++ builder = new StAXOMBuilder(xmlReader);
++ ((StAXOMBuilder) builder).setAllowDTDandPI(false);
+ return builder;
+ }
+
+@@ -374,7 +374,7 @@
+ PushbackInputStream pis =
getPushbackInputStream(attachments.getSOAPPartInputStream());
+ String actualCharSetEncoding = getCharSetEncoding(pis,
charSetEncoding);
+
+- streamReader = StAXUtils.createXMLStreamReader(pis,
actualCharSetEncoding);
++ streamReader =
StAXUtils.createSecureXMLStreamReader(pis, actualCharSetEncoding);
+ } catch (IOException e) {
+ throw new XMLStreamException(e);
+ }
+@@ -414,13 +414,16 @@
+ XOPAwareStAXOMBuilder stAXOMBuilder = new
XOPAwareStAXOMBuilder(
+ streamReader, attachments);
+ builder = stAXOMBuilder;
++ ((XOPAwareStAXOMBuilder)
builder).setAllowDTDandPI(false);
+
+ } else if (attachments.getAttachmentSpecType().equals(
+ MTOMConstants.SWA_TYPE)) {
+ builder = new StAXOMBuilder(streamReader);
++ ((XOPAwareStAXOMBuilder)
builder).setAllowDTDandPI(false);
+ } else if (attachments.getAttachmentSpecType().equals(
+ MTOMConstants.SWA_TYPE_12)) {
+ builder = new StAXOMBuilder(streamReader);
++ ((XOPAwareStAXOMBuilder)
builder).setAllowDTDandPI(false);
+ }
+ }
+
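Review bot: The `MTOMConstants.SWA_TYPE` and `SWA_TYPE_12` branches assign `new StAXOMBuilder(streamReader)` and then cast it with `((XOPAwareStAXOMBuilder) builder)`, which throws ClassCastException at runtime if XOPAwareStAXOMBuilder is a subclass of StAXOMBuilder, as its use of the new setter suggests. Every SwA message would then fail before parsing, rather than being parsed with DTDs and processing instructions rejected. Cast to the type actually constructed in both branches: `((StAXOMBuilder) builder).setAllowDTDandPI(false);`. The enclosing method starts and ends outside this hunk, so the declared type of `builder` is not visible here.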
+@@ -531,8 +534,8 @@
+ * @deprecated If some one really need this method, please shout.
+ */
+ public static StAXBuilder getBuilder(Reader in) throws
XMLStreamException {
+- XMLStreamReader xmlreader =
StAXUtils.createXMLStreamReader(in);
+- StAXBuilder builder = new StAXSOAPModelBuilder(xmlreader,
null);
++ XMLStreamReader xmlReader =
StAXUtils.createSecureXMLStreamReader(in);
++ StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader,
null);
+ return builder;
+ }
+
+@@ -544,8 +547,10 @@
+ * @throws XMLStreamException
+ */
+ public static StAXBuilder getBuilder(InputStream inStream)
throws XMLStreamException {
+- XMLStreamReader xmlReader =
StAXUtils.createXMLStreamReader(inStream);
+- return new StAXOMBuilder(xmlReader);
++ XMLStreamReader xmlReader =
StAXUtils.createSecureXMLStreamReader(inStream);
++ StAXBuilder builder = new StAXOMBuilder(xmlReader);
++ ((StAXOMBuilder) builder).setAllowDTDandPI(false);
++ return builder;
+ }
+
+ /**
+@@ -558,7 +563,7 @@
+ */
+ public static StAXBuilder getBuilder(InputStream inStream,
String charSetEnc)
+ throws XMLStreamException {
+- XMLStreamReader xmlReader =
StAXUtils.createXMLStreamReader(inStream, charSetEnc);
++ XMLStreamReader xmlReader =
StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
+ try {
+ StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader);
+ return builder;
+@@ -580,7 +585,7 @@
+ * @throws XMLStreamException
+ */
+ public static StAXBuilder getSOAPBuilder(InputStream inStream)
throws XMLStreamException {
+- XMLStreamReader xmlReader =
StAXUtils.createXMLStreamReader(inStream);
++ XMLStreamReader xmlReader =
StAXUtils.createSecureXMLStreamReader(inStream);
+ try {
+ StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader);
+ return builder;
+@@ -604,7 +609,7 @@
+ */
+ public static StAXBuilder getSOAPBuilder(InputStream inStream,
String charSetEnc)
+ throws XMLStreamException {
+- XMLStreamReader xmlReader =
StAXUtils.createXMLStreamReader(inStream, charSetEnc);
++ XMLStreamReader xmlReader =
StAXUtils.createSecureXMLStreamReader(inStream, charSetEnc);
+ try {
+ StAXBuilder builder = new StAXSOAPModelBuilder(xmlReader);
+ return builder;
+@@ -621,8 +626,9 @@
+ public static StAXBuilder getBuilder(SOAPFactory soapFactory,
InputStream in, String charSetEnc)
+ throws XMLStreamException {
+ StAXBuilder builder;
+- XMLStreamReader xmlreader =
StAXUtils.createXMLStreamReader(in, charSetEnc);
+- builder = new StAXOMBuilder(soapFactory, xmlreader);
++ XMLStreamReader xmlReader =
StAXUtils.createSecureXMLStreamReader(in, charSetEnc);
++ builder = new StAXOMBuilder(soapFactory, xmlReader);
++ ((StAXOMBuilder) builder).setAllowDTDandPI(false);
+ return builder;
+ }
+
+Index: modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
+===================================================================
+--- modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
(revision 952555)
++++ modules/kernel/src/org/apache/axis2/builder/MTOMBuilder.java
(working copy)
+@@ -51,7 +51,7 @@
+ String actualCharSetEncoding =
BuilderUtil.getCharSetEncoding(pis, charSetEncoding);
+
+ // Get the XMLStreamReader for this input stream
+- streamReader = StAXUtils.createXMLStreamReader(pis,
actualCharSetEncoding);
++ streamReader= StAXUtils.createSecureXMLStreamReader(pis,
actualCharSetEncoding);
+ StAXBuilder builder = new
MTOMStAXSOAPModelBuilder(streamReader,
+ attachments);
+ SOAPEnvelope envelope = (SOAPEnvelope)
builder.getDocumentElement();
+Index: modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
+===================================================================
+--- modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
(revision 952555)
++++ modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
(working copy)
+@@ -48,7 +48,7 @@
+ String actualCharSetEncoding =
BuilderUtil.getCharSetEncoding(pis, charSetEncoding);
+
+ // Get the XMLStreamReader for this input stream
+- streamReader = StAXUtils.createXMLStreamReader(pis,
actualCharSetEncoding);
++ streamReader =
StAXUtils.createSecureXMLStreamReader(pis, actualCharSetEncoding);
+
+ StAXBuilder builder = new
StAXSOAPModelBuilder(streamReader);
+ SOAPEnvelope envelope = (SOAPEnvelope)
builder.getDocumentElement();
Added:
geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
URL:
http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch?rev=953250&view=auto
==============================================================================
---
geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
(added)
+++
geronimo/server/branches/2.1/repository/org/apache/ws/axiom_api.patch
Thu Jun 10 08:45:57 2010
@@ -0,0 +1,267 @@
+Index:
modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
+===================================================================
+---
modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
(revision 949978)
++++
modules/axiom-api/src/main/java/org/apache/axiom/om/impl/builder/StAXOMBuilder.java
(working copy)
+@@ -52,6 +52,7 @@
+ private static final Log log =
LogFactory.getLog(StAXOMBuilder.class);
+ private boolean doTrace = log.isDebugEnabled();
+ private static int nsCount = 0;
++ boolean allowDTDandPI = true;
+
+ /**
+ * Constructor StAXOMBuilder.
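Review bot: The new field `boolean allowDTDandPI = true;` is package-private and defaults to allowing DTDs and processing instructions, so the rejection in `createDTD()` and `createPI()` is opt-in. Any code that constructs a StAXOMBuilder without calling the setter keeps the old behaviour, and any class in the package can flip the flag without going through the accessor. Since the patch already adds `isAllowDTDandPI()` and `setAllowDTDandPI()`, declare it `private boolean allowDTDandPI = true;` and add a comment such as `// true preserves legacy behaviour; builders for inbound messages must call setAllowDTDandPI(false)`. The setter's Javadoc in the later hunk (`@param allowDTDandPI boolean`) should also state that `false` makes `createDTD()` and `createPI()` throw OMException.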
+@@ -309,6 +310,9 @@
+ * @throws OMException
+ */
+ protected OMNode createDTD() throws OMException {
++ if (!allowDTDandPI) {
++ throw new OMException("Inbound message MUST NOT contain
a Document Type Declaration(DTD)");
++ }
+ if (!parser.hasText())
+ return null;
+ lastNode = omfactory.createOMDocType(document,
parser.getText());
+@@ -322,6 +326,9 @@
+ * @throws OMException
+ */
+ protected OMNode createPI() throws OMException {
++ if (!allowDTDandPI) {
++ throw new OMException("Inbound message MUST NOT contain
Processing Instructions(PI)");
++ }
+ OMNode node;
+ String target = parser.getPITarget();
+ String data = parser.getPIData();
+@@ -337,6 +344,20 @@
+ return node;
+ }
+
++
++ /**
++ * @return true if Document Type Definitions and Processing
Instructions are allowed
++ */
++ public boolean isAllowDTDandPI() {
++ return allowDTDandPI;
++ }
++
++ /**
++ * @param allowDTDandPI boolean
++ */
++ public void setAllowDTDandPI(boolean allowDTDandPI) {
++ this.allowDTDandPI = allowDTDandPI;
++ }
+ protected void endElement() {
+ if (lastNode.isComplete()) {
+ OMNodeEx parent = (OMNodeEx) lastNode.getParent();
+Index:
modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
+===================================================================
+---
modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
(revision 0)
++++
modules/axiom-api/src/main/java/org/apache/axiom/om/util/SecureXMLResolver.java
(revision 0)
+@@ -0,0 +1,47 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one
++ * or more contributor license agreements. See the NOTICE file
++ * distributed with this work for additional information
++ * regarding copyright ownership. The ASF licenses this file
++ * to you under the Apache License, Version 2.0 (the
++ * "License"); you may not use this file except in compliance
++ * with the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing,
++ * software distributed under the License is distributed on an
++ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
++ * KIND, either express or implied. See the License for the
++ * specific language governing permissions and limitations
++ * under the License.
++ */
++package org.apache.axiom.om.util;
++
++import javax.xml.stream.XMLResolver;
++import javax.xml.stream.XMLStreamException;
++
++import org.apache.commons.logging.Log;
++import org.apache.commons.logging.LogFactory;
++
++/**
++ * This XMLResolver is used whenever a secure XMLStreamReader
++ * is needed. Basically it thows an exception if an attempt
++ * is made to read an entity.
++ */
++public final class SecureXMLResolver implements XMLResolver {
++
++ private static Log log =
LogFactory.getLog(SecureXMLResolver.class);
++ public Object resolveEntity(String arg0, String arg1, String arg2,
++ String arg3) throws XMLStreamException {
++ // Note Scheu:
++ // Do not expose the name of the entity that was attempted
to be
++ // read as this will reveal secure information to the client.
++ if (log.isDebugEnabled()) {
++ log.debug("resolveEntity is disabled because this is a
secure XMLStreamReader(" +
++ arg0 + ") (" + arg1 + ") (" + arg2 + ") (" +
arg3 + ")");
++ }
++ throw new XMLStreamException("Reading external entities is
disabled");
++ }
++
++}
+\ No newline at end of file
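Review bot: The parameters of `resolveEntity` are left as `arg0`–`arg3` and are concatenated unescaped into the debug message, although they come from the inbound document. In `javax.xml.stream.XMLResolver` they are `publicID`, `systemID`, `baseURI` and `namespace`. Using those names and adding a Javadoc line that the values are sender-controlled would make it clear why they must stay out of the exception text and be treated as untrusted in the log. The logger can also be `private static final Log log`, and the class comment has a typo ("thows").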
+
+Property changes on:
modules\axiom-api\src\main\java\org\apache\axiom\om\util\SecureXMLResolver.java
+___________________________________________________________________
+Name: svn:mime-type
+ + text/plain
+Name: svn:keywords
+ + Date Revision
+Name: svn:eol-style
+ + native
+
+Index:
modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
+===================================================================
+---
modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
(revision 949978)
++++
modules/axiom-api/src/main/java/org/apache/axiom/om/util/StAXUtils.java
(working copy)
+@@ -113,6 +113,39 @@
+ }
+ });
+
++ private static final Pool secureXmlInputFactoryPool =
++ new Pool(new ObjectCreator[] { new ObjectCreator() {
++ public Object newObject() {
++ return AccessController.doPrivileged(new PrivilegedAction() {
++ public Object run() {
++ // return
XMLInputFactory.newInstance("javax.xml.stream.XMLInputFactory",
StAXUtils.class.getClassLoader());
++ // TODO: Refactor this code when the FactoryFinder.class in
XLXP fixed and used instead of the Axis2-bundle version
++ // Try to simulate the above to create XMLInputFactory using
the specific classloader
++ // This it not quite the same since it will modify the
classloader for all classes
++ Thread currentThread = Thread.currentThread();
++ ClassLoader savedClassLoader =
currentThread.getContextClassLoader();
++ XMLInputFactory factory = null;
++ try {
++
currentThread.setContextClassLoader(StAXUtils.class.getClassLoader());
++ factory = XMLInputFactory.newInstance();
++
++ // The following setting disabled external entities...which
is a requirement
++ // for network xml reading.
++ setSecureProperties(factory);
++ } finally {
++ currentThread.setContextClassLoader(savedClassLoader);
++ }
++ return factory;
++ }
++ });
++ }
++ }, new ObjectCreator() {
++ public Object newObject() {
++ return XMLInputFactory.newInstance();
++ }
++ } });
++
++
+ private static final Pool xmlOutputFactoryPool = new Pool(new
ObjectCreator[] {
+ new ObjectCreator() {
+ public Object newObject() {
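Review bot: The second `ObjectCreator` registered for `secureXmlInputFactoryPool` returns a plain `XMLInputFactory.newInstance()` without calling `setSecureProperties`. If Pool falls back to it when the first creator fails (Pool's selection logic is not in this hunk), the "secure" pool would silently hand out factories with external-entity and DTD support left at the parser's defaults. Harden the fallback the same way as the primary creator: `XMLInputFactory factory = XMLInputFactory.newInstance();`, `setSecureProperties(factory);`, `return factory;`.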
+@@ -144,6 +177,106 @@
+ }
+ }
+ });
++
++ /**
++ * Gets an XMLInputFactory instance from pool.
++ *
++ * @return an XMLInputFactory instance.
++ */
++ private static XMLInputFactory getSecureXMLInputFactory() {
++ return (XMLInputFactory) secureXmlInputFactoryPool.getInstance();
++ }
++
++ /**
++ * Returns an XMLInputFactory instance for reuse.
++ *
++ * @param factory An XMLInputFactory instance that is available
for reuse
++ */
++ private static void releaseSecureXMLInputFactory(XMLInputFactory
factory) {
++ secureXmlInputFactoryPool.releaseInstance(factory);
++ }
++
++ /**
++ * Create an XMLStreamReader that will be used to read a stream for
++ * an incoming message. We need to use more restrictive "secure"
properties
++ * to ensure against attacks.
++ * @param in
++ * @param encoding
++ * @return
++ * @throws XMLStreamException
++ */
++ public static XMLStreamReader
createSecureXMLStreamReader(InputStream in, String encoding)
++ throws XMLStreamException {
++ XMLInputFactory inputFactory = getSecureXMLInputFactory();
++ try {
++ XMLStreamReader reader = inputFactory.createXMLStreamReader(in,
encoding);
++ if (isDebugEnabled) {
++ log.debug("XMLStreamReader is " + reader.getClass().getName());
++ }
++ return reader;
++ } finally {
++ releaseSecureXMLInputFactory(inputFactory);
++ }
++ }
++
++ /**
++ * Create an XMLStreamReader that will be used to read a
stream for
++ * an incoming message. We need to use more restrictive
"secure" properties
++ * to ensure against attacks.
++ * @param in
++ * @return
++ * @throws XMLStreamException
++ */
++ public static XMLStreamReader
createSecureXMLStreamReader(InputStream in) throws XMLStreamException {
++ XMLInputFactory inputFactory = getSecureXMLInputFactory();
++ try {
++ XMLStreamReader reader =
inputFactory.createXMLStreamReader(in);
++ if (isDebugEnabled) {
++ log.debug("XMLStreamReader is " +
reader.getClass().getName());
++ }
++ return reader;
++ } finally {
++ releaseSecureXMLInputFactory(inputFactory);
++ }
++ }
++
++ /**
++ * Create an XMLStreamReader that will be used to read a
stream for
++ * an incoming message. We need to use more restrictive
"secure" properties
++ * to ensure against attacks.
++ *
++ * @param in
++ * @return
++ * @throws XMLStreamException
++ */
++ public static XMLStreamReader
createSecureXMLStreamReader(Reader in) throws XMLStreamException {
++ XMLInputFactory inputFactory = getXMLInputFactory();
++ try {
++ XMLStreamReader reader =
inputFactory.createXMLStreamReader(in);
++ if (isDebugEnabled) {
++ log.debug("XMLStreamReader is " +
reader.getClass().getName());
++ }
++ return reader;
++ } finally {
++ releaseSecureXMLInputFactory(inputFactory);
++ }
++ }
++
++ private static void setSecureProperties(XMLInputFactory f) {
++ // The goal is to prevent tampering of the message
++ // by external entities or denial of service
++ // replacing entities.
++ // Setting the following properties ensures this goal
++
f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES,
++ Boolean.FALSE);
++
f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES,
++ Boolean.FALSE);
++ f.setProperty(XMLInputFactory.SUPPORT_DTD,
++ Boolean.FALSE);
++ f.setXMLResolver(new SecureXMLResolver());
++ }
++
++
+
+
+ private static Log log = LogFactory.getLog(StAXUtils.class);
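Review bot: The `createSecureXMLStreamReader(Reader in)` overload takes its factory from `getXMLInputFactory()` instead of `getSecureXMLInputFactory()`, so the reader it returns never has `setSecureProperties` applied. Its `finally` block then releases that unhardened factory into `secureXmlInputFactoryPool`. Depending on how Pool reuses instances, later calls to the two InputStream overloads could be handed the same unhardened factory. `BuilderUtil.getBuilder(Reader)` in builder.patch relies on this overload. Change the first statement of the method to `XMLInputFactory inputFactory = getSecureXMLInputFactory();`.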
Added:
geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
URL:
http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar?rev=953250&view=auto
==============================================================================
Binary file - no diff available.
Propchange:
geronimo/server/branches/2.1/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
------------------------------------------------------------------------------
svn:mime-type = application/java-archive
Added: geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
URL:
http://svn.apache.org/viewvc/geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt?rev=953250&view=auto
==============================================================================
--- geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
(added)
+++ geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
Thu Jun 10 08:45:57 2010
@@ -0,0 +1,30 @@
+Private Build of Axiom 1.2.5 for Geronimo.
+
+How to build Axiom 1.2.5
+---------------------------------
+ Checkout the Axiom 1.2.5 tag
+ svn co
http://svn.apache.org/repos/asf/webservices/commons/tags/axiom/1_2_5
+
+
+Apply the patch
+-----------------
+ cd 1_2_5
+ patch -p0 -i axiom_api.patch
+
+Build Axiom 1.2.5
+---------------
+ cd 1_2_5
+ mvn install
+
+Notes:
+ - Use Sun 1.5.x and Maven 2.0.9 build.
+
+
+Patch Information
+-----------------
+ axiom_api.patch - contains fixes for AXIS2-4450
+
+Copy patched jar files to appropriate locations
+-----------------------------------------------
+ cd 1_2_5
+ cp
modules/axiom-api/target/axiom-api-1.2.5.jar<geronimo-root>/repository/org/apache/ws/commons/axiom/axiom-api/1.2.5/axiom-api-1.2.5.jar
\ No newline at end of file
Propchange:
geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
------------------------------------------------------------------------------
svn:eol-style = native
Propchange:
geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange:
geronimo/server/branches/2.1/repository/org/apache/ws/readme.txt
------------------------------------------------------------------------------
svn:mime-type = text/plain