Automagically fetching remote entities from an incoming SOAP message is a known security issue and attack point (can't find the references I had about that at the moment).
AXIS at some point introduced a DefaultEntityResolver which implements org.xml.sax.EntityResolver which basically does nothing (returns an empty InputSource), I believe to avoid this particular problem and attack point. See src\org\apache\axis\utils\DefaultEntityResolver.java and XmlUtils.java -----Original Message----- From: Yuvraj Waswani [mailto:[EMAIL PROTECTED] Sent: Thursday, September 18, 2003 1:57 AM To: '[EMAIL PROTECTED]' Cc: '[EMAIL PROTECTED]' Subject: RE: Remote DTD/Schema referencing I UNPLUGGED the network cable and made a 'localhost' web service call (web service also on my own machine) ...and it ran fine ! Doesnt that conclude that Axis server or client DOES NOT try to refer/fetch the DTD / Schema referenced by the URL/URI namespace? Glen, please answer that question in the context of only soap requests and responses for webservices, not for requesting wsdl or anything else. I just made a w/s call without network connectivity and it ran fine. Thanks. -----Original Message----- From: Dimuthu Leelarathne [mailto:[EMAIL PROTECTED] Sent: Thursday, September 18, 2003 10:29 AM To: [EMAIL PROTECTED] Subject: RE: Remote DTD/Schema referencing Thanx Glen for pointing that out. I was under a wrong impression. > Hi Dimuthu, all: > >> > Does anybody know if Axis performs 'Remote DTD/Schema referencing' ? >> Does it fetch all the XML schemas/DTD posted in a >> particular HTTP soap >> > request message? >> > >> No axis doesn't support romote XML schemas/DTD referecing >> yet. But if you >> want reference a schema you can include it in the wsdl of the >> web service. > > Actually it does (for schemas, not DTDs) - see test/wsdl/import* for > examples. > > --Glen
