Sometimes we may not need this change and have to move the security phase after dispatching. Please see the two possible security attacks I have mentioned here.
https://issues.apache.org/jira/browse/RAMPART-127

Thanks,
Amila.

On Dec 20, 2007 11:24 AM, Amila Suriarachchi <[EMAIL PROTECTED]> wrote:
>
> On Dec 20, 2007 8:06 AM, Sanjiva Weerawarana <[EMAIL PROTECTED]> wrote:
>
> > The issue here is whether SUPPORT_SINGLE_OP takes priority or the
> > sequence of deployers do.
>
> No. The matter is whether this dispatch should run before the security
> phase or not.
> Just think of the scenario where this operation has a signature verification
> security policy.
> In that case, if this dispatcher runs after security, an attack can happen.
> https://issues.apache.org/jira/browse/RAMPART-127
>
> > That is, right now it appears that SSO is tested at the
> > end of the dispatch phase .. which just makes sure that if that property
> > has been set it overrides everything else.
> >
> > Service dispatch also happens in the dispatch phase often ...
>
> Yes, that is correct, but I am thinking about the scenario where this
> dispatcher is taking place.
>
> > so I think the code is right.
> >
> > Sanjiva.
> >
> > David Illsley wrote:
> > > Um, presumably it should go after the RequestURIBasedDispatcher so you
> > > don't have to redo the service dispatch?
> > > David
> > >
> > > On Dec 19, 2007 3:27 PM, Amila Suriarachchi <[EMAIL PROTECTED]> wrote:
> > >>
> > >> On Dec 19, 2007 8:32 PM, David Illsley <[EMAIL PROTECTED]> wrote:
> > >>> So what's the plan? Where are you going to move the code to?
> > >>
> > >> Yes. What I thought was to get this code into a separate dispatcher and set
> > >> this dispatcher as the first dispatcher in the Transport phase.
> > >>
> > >> Amila
> > >>>
> > >>> David
> > >>>
> > >>> On Dec 19, 2007 7:11 AM, Amila Suriarachchi <[EMAIL PROTECTED]> wrote:
> > >>>>
> > >>>> On Dec 19, 2007 10:00 AM, Amila Suriarachchi <[EMAIL PROTECTED]> wrote:
> > >>>>> hi all,
> > >>>>>
> > >>>>> 1. Here is a code segment found in the
> > >>>>> org.apache.axis2.engine.DispatchPhase checkPostConditions method.
> > >>>>>
> > >>>>>     if (operation == null &&
> > >>>>>         JavaUtils.isTrue(service.getParameterValue(AxisService.SUPPORT_SINGLE_OP))) {
> > >>>>>         Iterator ops = service.getOperations();
> > >>>>>         // If there's exactly one, that's the one we want. If there's more, forget it.
> > >>>>>         if (ops.hasNext()) {
> > >>>>>             operation = (AxisOperation) ops.next();
> > >>>>>             if (ops.hasNext()) {
> > >>>>>                 operation = null;
> > >>>>>             }
> > >>>>>         }
> > >>>>>         msgContext.setAxisOperation(operation);
> > >>>>>     }
> > >>>>>
> > >>>>> What it is basically doing is dispatching the operation if the
> > >>>>> AxisService.SUPPORT_SINGLE_OP parameter is set and
> > >>>>> there is only one operation on it.
> > >>>>> Isn't this dispatcher supposed to run just after the service has been
> > >>>>> dispatched? i.e. as the first dispatcher of the Transport phase.
> > >>>>> Think about the scenario where this operation has security engaged. In
> > >>>>> this case it should be dispatched before the security.
> > >>>>> I think any dispatcher which is possible to run before the security
> > >>>>> should run before it.
> > >>>>
> > >>>> I found this security hole and I think the only option to fix it is to add
> > >>>> a handler as the last phase to dispatch
> > >>>> to check whether the security is applied or not.
> > >>>> https://issues.apache.org/jira/browse/RAMPART-127
> > >>>>
> > >>>> So we need to move this before security definitely.
> > >>>>
> > >>>>> 2. RequestURIBasedDispatcher and SOAPActionBasedDispatcher are both in
> > >>>>> the Transport and Dispatch phases.
> > >>>>> Is there any reason for this? Or is it obsolete code to keep this in
> > >>>>> the Dispatch phase?
> > >>>>> Shall I do the above changes?
> > >>>>>
> > >>>>> thanks,
> > >>>>> Amila.
> > >>>>>
> > >>>>> --
> > >>>>> Amila Suriarachchi,
> > >>>>> WSO2 Inc.
> > >>>>
> > >>>> --
> > >>>> Amila Suriarachchi,
> > >>>> WSO2 Inc.
> > >>>
> > >>> --
> > >>> David Illsley - IBM Web Services Development
> > >>>
> > >>> ---------------------------------------------------------------------
> > >>> To unsubscribe, e-mail: [EMAIL PROTECTED]
> > >>> For additional commands, e-mail: [EMAIL PROTECTED]
> > >>
> > >> --
> > >> Amila Suriarachchi,
> > >> WSO2 Inc.
> >
> > --
> > Sanjiva Weerawarana, Ph.D.
> > Founder & Director; Lanka Software Foundation; http://www.opensource.lk/
> > Founder, Chairman & CEO; WSO2, Inc.; http://www.wso2.com/
> > Member; Apache Software Foundation; http://www.apache.org/
> > Visiting Lecturer; University of Moratuwa; http://www.cse.mrt.ac.lk/
>
> --
> Amila Suriarachchi,
> WSO2 Inc.

--
Amila Suriarachchi,
WSO2 Inc.
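
The ordering problem discussed in this thread, as an added example that is not part of the original e-mails and is not Axis2 or Rampart code: a simplified handler chain in which an operation-level signature policy is only enforced when the operation is already dispatched. The class, handler and operation names are hypothetical, and the unsigned request is constructed sample input.

```java
import java.util.*;

// Simplified model of phase ordering; names are hypothetical, not Axis2/Rampart APIs.
public class DispatchOrderDemo {
    static class Msg {
        String operation;          // null until a dispatcher resolves it
        boolean signed;            // constructed input: does the request carry a valid signature?
        boolean securityChecked;   // set once the operation-level policy has been enforced
        Msg(boolean signed) { this.signed = signed; }
    }
    interface Handler { void invoke(Msg m); }

    static final List<String> OPERATIONS = List.of("transfer");       // service with exactly one operation
    static final Set<String> SIGNATURE_REQUIRED = Set.of("transfer"); // operation-level policy

    // Mirrors the SUPPORT_SINGLE_OP logic: pick the operation only if there is exactly one.
    static final Handler singleOpDispatch = m -> {
        if (m.operation == null && OPERATIONS.size() == 1) m.operation = OPERATIONS.get(0);
    };
    // Security can only enforce an operation-level policy if the operation is already known.
    static final Handler security = m -> {
        if (m.operation != null && SIGNATURE_REQUIRED.contains(m.operation)) {
            if (!m.signed) throw new SecurityException("signature required for " + m.operation);
            m.securityChecked = true;
        }
    };
    // Check at the end of dispatch: reject if the resolved operation's policy never ran.
    static final Handler postDispatchCheck = m -> {
        if (m.operation != null && SIGNATURE_REQUIRED.contains(m.operation) && !m.securityChecked)
            throw new SecurityException("policy for " + m.operation + " was not enforced");
    };

    static String run(List<Handler> chain, Msg m) {
        try { for (Handler h : chain) h.invoke(m); return "ACCEPTED " + m.operation; }
        catch (SecurityException e) { return "REJECTED: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        // Dispatch after security: the unsigned request reaches the operation unchecked.
        System.out.println(run(List.of(security, singleOpDispatch), new Msg(false)));
        // Dispatch before security: the policy is found and enforced.
        System.out.println(run(List.of(singleOpDispatch, security), new Msg(false)));
        // Late dispatch plus a final check: the gap is caught at the end of dispatch.
        System.out.println(run(List.of(security, singleOpDispatch, postDispatchCheck), new Msg(false)));
    }
}
```

The first chain accepts the unsigned request, while the other two reject it; these correspond to the two remedies raised in the thread, dispatching before security or checking after dispatch that security was applied.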
