On Dec 19, 2007 10:00 AM, Amila Suriarachchi <[EMAIL PROTECTED]>
wrote:
> hi all,
>
> 1. Here is a code segment found in the
> org.apache.axis2.engine.DispatchPhase
> checkPostConditions method.
>
> if (operation == null &&
>         JavaUtils.isTrue(service.getParameterValue(
>                 AxisService.SUPPORT_SINGLE_OP))) {
>     Iterator ops = service.getOperations();
>     // If there's exactly one, that's the one we want. If there's
>     // more, forget it.
>     if (ops.hasNext()) {
>         operation = (AxisOperation) ops.next();
>         if (ops.hasNext()) {
>             operation = null;
>         }
>     }
>     msgContext.setAxisOperation(operation);
> }
>
> What it is basically doing is dispatching the operation if the
> AxisService.SUPPORT_SINGLE_OP parameter is set and
> there is only one operation on it.
> Isn't this dispatcher supposed to run just after the service is dispatched,
> i.e. as the first dispatcher of the Transport phase?
>
> Think about the scenario where this operation has security engaged. In this
> case it should be dispatched before the security.
>
> I think any dispatcher which is possible to run before the security should
> run before it.
I found this security hole, and the only option to fix it was to add a handler
as the last phase to dispatch
to check whether the security is applied or not.
https://issues.apache.org/jira/browse/RAMPART-127
So we definitely need to move this before security.
>
>
> 2. RequestURIBasedDispatcher and SOAPActionBasedDispatcher are both in the
> Transport and Dispatch phases.
> Is there any reason for this? Or is keeping this in the
> Dispatch phase obsolete code?
>
> Shall I do the above changes?
>
> thanks,
> Amila.
>
>
>
>
> --
> Amila Suriarachchi,
> WSO2 Inc.
--
Amila Suriarachchi,
WSO2 Inc.
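
The ordering problem discussed in this thread, as an added example that is not part of the original messages and is not Axis2 or Rampart code. It is a toy handler chain in which every class and method name is hypothetical, and it assumes the security handler can only enforce a per-operation policy when the operation is already resolved at the time it runs.

```java
import java.util.*;

// Toy model of a phased handler chain. All names are hypothetical;
// nothing here is the Axis2 or Rampart API.
public class DispatchOrderDemo {
    static class Op {
        final String name; final boolean requiresSecurity;
        Op(String name, boolean requiresSecurity) { this.name = name; this.requiresSecurity = requiresSecurity; }
    }
    static class Msg {
        final boolean signed; Op operation; boolean securityChecked;
        Msg(boolean signed) { this.signed = signed; }
    }
    interface Handler { void invoke(Msg m, List<Op> serviceOps); }

    // Single-operation dispatch: same decision as the quoted code segment.
    static final Handler SINGLE_OP_DISPATCH = (m, ops) -> {
        if (m.operation == null && ops.size() == 1) m.operation = ops.get(0);
    };
    // Security handler (assumed behaviour): with no operation resolved yet,
    // there is no operation-level policy to enforce, so it passes the message on.
    static final Handler SECURITY = (m, ops) -> {
        if (m.operation == null) return;
        if (m.operation.requiresSecurity && !m.signed)
            throw new SecurityException("unsigned message for " + m.operation.name);
        m.securityChecked = true;
    };
    // Last-phase check described in the reply: was security actually applied?
    static final Handler POST_DISPATCH_CHECK = (m, ops) -> {
        if (m.operation != null && m.operation.requiresSecurity && !m.securityChecked)
            throw new SecurityException("security was not applied to " + m.operation.name);
    };

    // Sends one unsigned message (constructed sample) through the given chain.
    static String run(List<Handler> chain) {
        List<Op> ops = Collections.singletonList(new Op("transfer", true));
        Msg m = new Msg(false);
        try { for (Handler h : chain) h.invoke(m, ops); }
        catch (SecurityException e) { return "rejected: " + e.getMessage(); }
        return "accepted";
    }

    public static void main(String[] args) {
        System.out.println("dispatch after security:  " + run(Arrays.asList(SECURITY, SINGLE_OP_DISPATCH)));
        System.out.println("with post-dispatch check: " + run(Arrays.asList(SECURITY, SINGLE_OP_DISPATCH, POST_DISPATCH_CHECK)));
        System.out.println("dispatch before security: " + run(Arrays.asList(SINGLE_OP_DISPATCH, SECURITY)));
    }
}
```

Only the first chain lets the unsigned message through; the last-phase check and the reordered chain both reject it, the latter at the security handler itself.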