i think introducing an explicit option like "allowWrongAction" (or something that sound better :-) to turn off this action equality-check is better than using an empty string to automatically turn off the check. Or we can define a special matchAny kind of action that can be used in opinfo?
2013/11/13 Andrei Shakirin <[email protected]>: > Hi, > > I have a bit regression under 2.7.7 because of changes in > SoapActionInInterceptor > (https://fisheye6.atlassian.com/changelog/cxf?cs=1368559 ) > > SoapActionInInterceptor requires that the SOAPAction exactly matches to the > service operation. > The problem is that there are some scenarios where the proxies using > Provider<> API process requests from different clients with any SOAPAction. > > If you don't see security issue in that, I would ignore the check if > SoapOperationInfo action has default SOAP action (configured as empty in > SoapBindingConfiguration): > > Instead: > SoapOperationInfo soi = boi.getExtensor(SoapOperationInfo.class); > if (soi == null || action.equals(soi.getAction())) { > return; > } > > Will be: > > SoapOperationInfo soi = boi.getExtensor(SoapOperationInfo.class); > if ((soi == null) || StringUtils.isEmpty(soi.getAction()) || > action.equals(soi.getAction())) { > return; > } > > WDYT? > > Regards, > Andrei. >
