On Dec 20, 2007 8:06 AM, Sanjiva Weerawarana <[EMAIL PROTECTED]> wrote:
> The issue here is whether SUPPORT_SINGLE_OP takes priority or the sequence
> of deployers do.

No. The matter is whether this dispatch should run before the security phase or not. Just think of the scenario where this operation has a signature verification security policy. In that case, if this dispatcher runs after security, an attack can happen.
https://issues.apache.org/jira/browse/RAMPART-127

> That is, right now it appears that SSO is tested at the
> end of the dispatch phase .. which just makes sure that if that property
> has been set it overrides everything else.
>
> Service dispatch also happens in the dispatch phase often ...

Yes, that is correct, but I am thinking about the scenario where this dispatcher is taking place.

> so I think
> the code is right.
>
> Sanjiva.
>
> David Illsley wrote:
> > Um, presumably it should go after the RequestURIBasedDispatcher so you
> > don't have to redo the service dispatch?
> > David
> >
> > On Dec 19, 2007 3:27 PM, Amila Suriarachchi <[EMAIL PROTECTED]> wrote:
> >>
> >> On Dec 19, 2007 8:32 PM, David Illsley <[EMAIL PROTECTED]> wrote:
> >>> So what's the plan? Where are you going to move the code to?
> >> yes. What I thought was to get this code to a separate dispatcher and set
> >> this dispatcher as the first
> >> dispatcher in the Transport phase.
> >>
> >> Amila
> >>>
> >>> David
> >>>
> >>> On Dec 19, 2007 7:11 AM, Amila Suriarachchi <[EMAIL PROTECTED]> wrote:
> >>>>
> >>>> On Dec 19, 2007 10:00 AM, Amila Suriarachchi <[EMAIL PROTECTED]> wrote:
> >>>>> hi all,
> >>>>>
> >>>>> 1. Here is a code segment found in the org.apache.axis2.engine.DispatchPhase
> >>>>> checkPostConditions method.
> >>>>>
> >>>>> if (operation == null &&
> >>>>>         JavaUtils.isTrue(service.getParameterValue(AxisService.SUPPORT_SINGLE_OP))) {
> >>>>>     Iterator ops = service.getOperations();
> >>>>>     // If there's exactly one, that's the one we want. If there's more, forget it.
> >>>>>     if (ops.hasNext()) {
> >>>>>         operation = (AxisOperation) ops.next();
> >>>>>         if (ops.hasNext()) {
> >>>>>             operation = null;
> >>>>>         }
> >>>>>     }
> >>>>>     msgContext.setAxisOperation(operation);
> >>>>> }
> >>>>>
> >>>>> What it is basically doing is dispatching the operation if the
> >>>>> AxisService.SUPPORT_SINGLE_OP parameter is set and
> >>>>> there is only one operation on it.
> >>>>> Isn't this dispatcher supposed to run just after the service is dispatched,
> >>>>> i.e. as the first dispatcher of the Transport phase?
> >>>>> Think about the scenario where this operation has security engaged. In this
> >>>>> case it should be dispatched before the security.
> >>>>> I think any dispatcher which is possible to run before the security should
> >>>>> run before it.
> >>>>
> >>>> I found this security hole and I the only option to fix it to add a handler
> >>>> as the last phase to dispatch
> >>>> to check whether the security is applied or not.
> >>>> https://issues.apache.org/jira/browse/RAMPART-127
> >>>>
> >>>> So we need to move this before security definitely.
> >>>>
> >>>>> 2. RequestURIBasedDispatcher and SOAPActionBasedDispatcher are both in
> >>>>> Transport and Dispatch phases.
> >>>>> Is there any reason for this? Or is it obsolete code to keep this in
> >>>>> the Dispatch phase?
> >>>>> Shall I do the above changes?
> >>>>>
> >>>>> thanks,
> >>>>> Amila.
> >>>>>
> >>>>> --
> >>>>> Amila Suriarachchi,
> >>>>> WSO2 Inc.
> >>>>
> >>>> --
> >>>> Amila Suriarachchi,
> >>>> WSO2 Inc.
> >>>
> >>> --
> >>> David Illsley - IBM Web Services Development
> >>
> >> --
> >> Amila Suriarachchi,
> >> WSO2 Inc.
>
> --
> Sanjiva Weerawarana, Ph.D.
> Founder & Director; Lanka Software Foundation; http://www.opensource.lk/
> Founder, Chairman & CEO; WSO2, Inc.; http://www.wso2.com/
> Member; Apache Software Foundation; http://www.apache.org/
> Visiting Lecturer; University of Moratuwa; http://www.cse.mrt.ac.lk/

--
Amila Suriarachchi,
WSO2 Inc.
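The ordering question discussed in this thread, as an added example that is not part of the original messages and is not Axis2 or Rampart code: a toy handler chain comparing single-operation dispatch placed after the security handler, the same chain with a final "was security applied" check, and dispatch placed before security. All class, field and operation names are hypothetical, and the model assumes the security handler can only enforce the policy of an operation that has already been dispatched.

```java
import java.util.List;

// Toy model of an inbound handler chain. Not Axis2 or Rampart code; every name is hypothetical.
public class DispatchOrderDemo {
    static class Op {
        final String name; final boolean requiresSignature;
        Op(String n, boolean r) { name = n; requiresSignature = r; }
    }
    static class Msg { Op operation; boolean signed; boolean policyChecked; }
    interface Handler { void invoke(Msg m); }

    // Constructed service: exactly one operation, and its policy demands a signature.
    static final List<Op> SERVICE_OPS = List.of(new Op("transfer", true));

    // Same rule as the quoted SUPPORT_SINGLE_OP code: dispatch only if there is exactly one operation.
    static final Handler SINGLE_OP_DISPATCH = m -> {
        if (m.operation == null && SERVICE_OPS.size() == 1) m.operation = SERVICE_OPS.get(0);
    };
    // Assumption: the security handler enforces the policy of the operation known when it runs.
    static final Handler SECURITY = m -> {
        if (m.operation == null) return; // nothing dispatched yet, so no operation policy to enforce
        m.policyChecked = true;
        if (m.operation.requiresSignature && !m.signed)
            throw new SecurityException("unsigned message for " + m.operation.name);
    };
    // The workaround from the thread: a last dispatch-phase handler verifying security was applied.
    static final Handler POST_CHECK = m -> {
        if (m.operation != null && m.operation.requiresSignature && !m.policyChecked)
            throw new SecurityException("policy never evaluated for " + m.operation.name);
    };

    // Runs the chain; true means the message reached the operation.
    static boolean delivered(List<Handler> chain, boolean signed) {
        Msg m = new Msg();
        m.signed = signed;
        try { for (Handler h : chain) h.invoke(m); }
        catch (SecurityException e) { return false; }
        return m.operation != null;
    }

    public static void main(String[] args) {
        List<Handler> late = List.of(SECURITY, SINGLE_OP_DISPATCH);
        List<Handler> lateChecked = List.of(SECURITY, SINGLE_OP_DISPATCH, POST_CHECK);
        List<Handler> early = List.of(SINGLE_OP_DISPATCH, SECURITY);
        System.out.println("dispatch after security, unsigned delivered: " + delivered(late, false));
        System.out.println("same plus post-check, unsigned delivered:    " + delivered(lateChecked, false));
        System.out.println("dispatch before security, unsigned delivered: " + delivered(early, false));
        System.out.println("dispatch before security, signed delivered:   " + delivered(early, true));
    }
}
```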
