[ 
https://issues.apache.org/jira/browse/OFBIZ-6916?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15183784#comment-15183784
 ] 

Jacques Le Roux commented on OFBIZ-6916:
----------------------------------------

Committed in 
trunk r1733956  
R15.12 r1733957
R14.12 r1733958+r1733959
R13.07 r1733991

Note: there is a newer Axis2 1.7.1 version 
https://axis.apache.org/axis2/java/core/release-notes/1.7.1.html. OOTB we don't 
use ADB but better to get the last version anyway. I will change the issue 
title.

Replacing Axis2 1.6.3 by 1.7.1 version is easy as long as you don't try to 
replace the commons-httpclient-3.1 lib. The only noticeable change is this 
warning shown in log
    |http-bio-8443-exec-1 |AxisConfigBuilder             |W| Unable to 
instantiate deployer org.apache.axis2.deployment.ServiceDeployer; see debug 
logs for more details|
It has no effect on the SOAP test services, both work.

But the main goal of this issue is a security update because 
commons-httpclient-3.1 lib is deprecated, no longer maintained and vulnerable 
and must be replaced.

This commit also concerns OFBIZ-6755 but to not mix things OFBIZ-6755 will be 
completed later. So to not block this issue, the commons-httpclient-3.1 lib is 
moved from framework/service/lib to specialpurpose/passport/lib/ where it's 
still required.

Normally, as explained at 
https://axis.apache.org/axis2/java/core/release-notes/1.7.0.html, Axis2 1.7.1 
requires "HttpClient 4.2.x and should work with 4.3.x and 4.4.x, but is 
incompatible with 4.5.x". I did not replace commons-httpclient-3.1 by 
HttpClient 4.2.1, which is bundled with Axis2 1.7.1, because we have already 
HttpClient/Core 4.4.1 in base/lib and it works well as is (HttpClient/Core 
4.4.1 is in the classpath).

To use HttpClient/Core 4.4.1 you need to change the axis2.xml files as 
specified in the 1.7.0 release note. But where to place this file in OFBiz is 
not obvious! 

I decided the best way was to use the Axis2 
ConfigurationContextFactory.createConfigurationContextFromFileSystem() method 
to let Axis2 know we want the new httpclient instead of the default one (I 
really don't understand why the Axis2 team still prefers commons-httpclient-3.1 
as default). I had to pass both locations to avoid hardcoding the repository 
location in the axis2.xml file.

I have also decided the best place for the "Axis2 repository" (as they call it) 
was in framework/service/axis2. So following Axis2 convention 
http://wso2.com/library/tutorials/axis2-repository/ I put the axis2.xml file in 
framework/service/axis2/conf.
Note: the Axis2 repository could be used to put [Apache 
Rampart|https://axis.apache.org/axis2/java/rampart/] as a module to secure web 
services...

After this change, there are a number of warnings thrown by Axis2 but they are 
actually interesting as they provide guidance for future use of modules and 
such (notably Apache Rampart)
    |ttp-bio-8443-exec-10 |Utils                         |W| [JAXWS] - unable 
to load org.apache.axis2.jaxws.dispatchers.GenericProviderDispatcher
    |ttp-bio-8443-exec-10 |Utils                         |W| [JAXWS] - unable 
to load org.apache.axis2.jaxws.dispatchers.MustUnderstandValidationDispatcher
    |ttp-bio-8443-exec-10 |Utils                         |W| [JAXWS] - unable 
to load org.apache.axis2.jaxws.dispatchers.MustUnderstandChecker
    |ttp-bio-8443-exec-10 |Utils                         |W| [JAXWS] - unable 
to load org.apache.axis2.jaxws.dispatchers.GenericProviderDispatcher
    |ttp-bio-8443-exec-10 |Utils                         |W| [JAXWS] - unable 
to load org.apache.axis2.jaxws.dispatchers.MustUnderstandValidationDispatcher
    |ttp-bio-8443-exec-10 |AxisConfigBuilder             |W| Unable to 
instantiate deployer org.apache.axis2.deployment.ServiceDeployer; see debug 
logs for more details
    |ttp-bio-8443-exec-10 |AxisConfigBuilder             |W| Unable to 
instantiate deployer org.apache.axis2.jaxws.framework.JAXWSDeployer; see debug 
logs for more details


While at it I replaced StAXOMBuilder (deprecated) by OMXMLBuilderFactory

I will backport the changes in the supported release branches but R12.04. 
Others all use an HttpClient/Core version older than 4.2.1. I'm aware I will have 
to handle several conflicts by hand; some are easy, others "harder". We have the 
passport component only in R15.12, so it will be easy to neglect in older 
releases. I expect more work with the LICENSE file and even more with the 
.classpath file. Since R15.12 we use tabs in it (Adrian rightly told us to use 
Eclipse internal tools to edit this file, though I noted it does not respect 
the alphabetical order) but older releases still use spaces (and this is often 
a pain now, but a bright future ahead ;))

Crossing fingers with this commit, I have other changes pending in this 
instance (notably for OFBIZ-6849) and it got quite complicated.



> Upgrade Axis2 to 1.7.0
> ----------------------
>
>                 Key: OFBIZ-6916
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-6916
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>
> With OFBIZ-5801 I recently upgraded Axis2 to 1.6.3. But it still uses 
> commons-httpclient-3.1 which is not only deprecated but also faces a number 
> of vulnerabilities:
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3577
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153
> This will also help to resolve OFBIZ-6755 (passport component)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
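The comment above loads an Axis2 repository and axis2.xml through ConfigurationContextFactory.createConfigurationContextFromFileSystem() so that the HttpClient 4.x transport replaces the default commons-httpclient-3.1 one. The following is an added example, not code from OFBiz or Axis2: it loads the configuration the same way and then checks which sender class is actually bound to the "http" transport, plus whether commons-httpclient 3.x classes are still reachable on the classpath. The repository and axis2.xml paths, the class name Axis2HttpClientCheck and the helper names are assumptions for illustration; the two sender class names are, as I understand the Axis2 1.7.0 release note, the default CommonsHTTPTransportSender and the HttpClient 4 replacement HTTPClient4TransportSender that the `<transportSender name="http" class="...">` element in axis2.xml selects between.

```java
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.ConfigurationContextFactory;
import org.apache.axis2.description.TransportOutDescription;
import org.apache.axis2.transport.TransportSender;

/**
 * Added example (not OFBiz or Axis2 project code): load an Axis2 client
 * configuration from an explicit repository + axis2.xml and verify that the
 * outbound "http" transport is the HttpClient 4 sender rather than the
 * commons-httpclient-3.1 based default.
 */
public class Axis2HttpClientCheck {

    // Assumed locations, following the comment above (repository in
    // framework/service/axis2, axis2.xml in framework/service/axis2/conf).
    static final String REPOSITORY = "framework/service/axis2";
    static final String AXIS2_XML = "framework/service/axis2/conf/axis2.xml";

    // Sender bound to <transportSender name="http" class="..."> in axis2.xml.
    static final String HTTPCLIENT4_SENDER =
        "org.apache.axis2.transport.http.impl.httpclient4.HTTPClient4TransportSender";
    static final String HTTPCLIENT3_SENDER =
        "org.apache.axis2.transport.http.CommonsHTTPTransportSender";

    /** Load the configuration from both locations so axis2.xml need not hardcode the repository path. */
    public static ConfigurationContext load() throws AxisFault {
        return ConfigurationContextFactory
            .createConfigurationContextFromFileSystem(REPOSITORY, AXIS2_XML);
    }

    /** Fully qualified class name of the sender configured for the "http" transport. */
    public static String httpSenderClass(ConfigurationContext ctx) throws AxisFault {
        TransportOutDescription out = ctx.getAxisConfiguration().getTransportOut("http");
        if (out == null) {
            throw new AxisFault("no <transportSender name=\"http\"> found in " + AXIS2_XML);
        }
        TransportSender sender = out.getSender();
        return sender.getClass().getName();
    }

    /** True if commons-httpclient 3.x classes are still loadable, i.e. the old jar is on the classpath. */
    public static boolean legacyHttpClientOnClasspath() {
        try {
            Class.forName("org.apache.commons.httpclient.HttpClient");
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) throws AxisFault {
        ConfigurationContext ctx = load();
        String sender = httpSenderClass(ctx);
        System.out.println("http transport sender: " + sender);
        if (HTTPCLIENT3_SENDER.equals(sender)) {
            System.out.println("WARNING: still using the commons-httpclient-3.1 based sender");
        } else if (HTTPCLIENT4_SENDER.equals(sender)) {
            System.out.println("OK: HttpClient 4.x transport sender in use");
        } else {
            System.out.println("custom sender configured, review it manually");
        }
        System.out.println("commons-httpclient 3.x on classpath: " + legacyHttpClientOnClasspath());
    }
}
```

Run it with the same classpath as the application; both checks matter, because a correct axis2.xml with the old jar still on the classpath (as the comment describes for specialpurpose/passport/lib) leaves the vulnerable code reachable by anything else that instantiates it directly.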
