Randall Vasquez created AXIS2-5700:
--------------------------------------
Summary: Fault Handler not reached when soap envelope contains
empty namespace
Key: AXIS2-5700
URL: https://issues.apache.org/jira/browse/AXIS2-5700
Project: Axis2
Issue Type: Bug
Components: kernel
Affects Versions: 1.6.2
Environment: Windows 7 Professional. Java 6+, Tomcat, JBoss.
Reporter: Randall Vasquez
A customer has a requirement that our application be secure. One of the issues
brought up was component names being leaked in error messages which may assist
hackers by providing info they may use in future attacks.
To resolve this issue we attempted to use a simple custom handler that checks
for a fault and replaces the message with something more generic.
The axis2.xml file was then modified to include the handler within the
InFaultFlow and OutFaultFlows in the appropriate section as defined by the
axis2.xml.
However, when a namespace is empty in the SOAP message or there is an issue in
the envelope at the root element
example:
<Envelope xmlns:soapenv=""
...otherwise well constructed soap message
</Envelope>
the AxisServlet throws an AxisFault exception, bypassing the handlers
and leaking info
example result:
<soapenv:Envelope
...
><faultstring>com.ctc.wstx.exc.WstxUnexpectedCharException: Illegal character
>(NULL, unicode 0) encountered: not valid in any content
at [row,col {unknown-source}]: [1,313]</faultstring>
..
</soapenv:Envelope>
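A regression check for the leak described in this report, as an added example that is not part of the original message or of Axis2: it scans a SOAP fault response for implementation details (Java class names, parser positions, stack frames) and can be run against responses to malformed envelopes. The function name, the patterns and the sample responses are constructed for illustration; the leaky sample is modelled on the faultstring quoted in the report.

```python
import re
import xml.etree.ElementTree as ET

# Patterns that indicate implementation details in a fault message (assumed set).
LEAK_PATTERNS = {
    "java_class": re.compile(r"\b(?:[a-z_][a-z0-9_]*\.){2,}[A-Z]\w*"),
    "parser_location": re.compile(r"\[row,col[^\]]*\]:\s*\[\d+,\d+\]"),
    "stack_frame": re.compile(r"\bat\s+[\w.$]+\([\w$]+\.java:\d+\)"),
}
# Elements carrying the fault text: faultstring (SOAP 1.1), Reason/Text (SOAP 1.2).
FAULT_TEXT_ELEMENTS = {"faultstring", "Text"}


def find_fault_leaks(response_body):
    """Return the sorted names of leak patterns found in the fault text."""
    try:
        root = ET.fromstring(response_body)
        texts = ["".join(e.itertext()) for e in root.iter()
                 if e.tag.rsplit("}", 1)[-1] in FAULT_TEXT_ELEMENTS]
    except ET.ParseError:
        # An error page that is not well-formed XML is scanned as raw text.
        texts = [response_body]
    return sorted(name for name, pattern in LEAK_PATTERNS.items()
                  if any(pattern.search(t) for t in texts))


ENVELOPE = ('<soapenv:Envelope xmlns:soapenv='
            '"http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body>'
            '<soapenv:Fault><faultcode>soapenv:Client</faultcode>'
            '<faultstring>{}</faultstring>'
            '</soapenv:Fault></soapenv:Body></soapenv:Envelope>')

# Constructed sample responses: one leaking parser internals, one generic.
LEAKY = ENVELOPE.format(
    "com.ctc.wstx.exc.WstxUnexpectedCharException: Illegal character "
    "(NULL, unicode 0) encountered: not valid in any content\n"
    " at [row,col {unknown-source}]: [1,313]")
GENERIC = ENVELOPE.format("The request could not be processed.")

if __name__ == "__main__":
    for label, body in (("leaky", LEAKY), ("generic", GENERIC)):
        print(label, find_fault_leaks(body))
```
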