There is indeed no API to get access to the Content-Disposition header. There is a reason for this: MTOM actually defines an equivalency between plain SOAP messages and MIME messages, but the specification doesn't attach any meaning to the Content-Disposition MIME header. That means that when constructing the equivalent plain SOAP message for a given MTOM message, the values of the Content-Disposition headers are lost. That has several implications:
* The sender is not required to add Content-Disposition headers, and if it does, then the MTOM specs don't make any statement about how they should be set.
* The receiver is not expected to use the Content-Disposition headers in any way.
* An intermediary (such as an ESB) may choose to remove the Content-Disposition headers.

Note that this also means that the requirement to filter MIME parts of an MTOM message based on Content-Disposition makes very little sense. This wouldn't improve security in any way because an attacker can set the Content-Disposition header to any value he wants, given that the receiver is not expected to use that value.

Andreas

On Thu, Jun 9, 2011 at 17:15, Sridhar Dabbeeru <[email protected]> wrote:
> Swapna,
> Sure, I can write the module but when you say axis api what exactly are you
> referring to? We are on Axis 2 (1.4) version and
> our org.apache.axiom.attachments.Attachments version doesn't even look into
> the "Content-Disposition: attachment; name=", at least I don't see
> anywhere. Are you referring to any other API?
> ------=_Part_0_9514768.1307555652068
> Content-Type: application/octet-stream
> Content-Transfer-Encoding: binary
> Content-ID: <1038418065145>
> Content-Disposition: attachment; name="DSC07685.JPG"
> I have another question, if we intercept the attachment request in this
> module won't it already consume the stream that's been attached? I want this
> module to just act like a filter and on bad request throw a fault back. Actual
> handling attachment should go through the actual service implementation.
> Thanks,
> Sridhar
>
> On Thu, Jun 9, 2011 at 1:48 AM, swapna soni <[email protected]> wrote:
>>
>> Hi Sridhar,
>>
>> You can create a custom module and engage it in your service or client
>> program. In this module you can get the attachment of your request/response
>> using axis2 api and you can get the file name as well.
>>
>> Thanks,
>>
>> Swapna Soni.
>>
>> From: Sridhar Dabbeeru [mailto:[email protected]]
>> Sent: Wednesday, June 08, 2011 11:14 PM
>> To: [email protected]
>> Subject: Filtering MTOM attachments based on disposition file name and
>> content type
>>
>> Hi,
>> I have a requirement to apply a security filter on MTOM attachments based
>> on configured content type and file name extension. For example file name
>> with ".mp3" shouldn't be allowed for uploading or
>> content image/png shouldn't be allowed.
>>
>> I see in my soap request Content-Disposition: attachment; name="xyz.tif"
>> but the file name is not being parsed in axis2. I was expecting the name in
>> my DataHandler but that turned out to be stream name. DataHandler does give
>> me handle for the correct content type. The only missing link is file name.
>>
>> I am wondering does axis2 parse disposition file name at all?
>>
>> Can anyone help me to resolve this?
>>
>>
>> Thanks,
>> Sridhar
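The following is an added example, not part of the original thread and not Axis2 or Axiom code: it illustrates the reply's point that the Content-Disposition name is sender-controlled and optional, by classifying each MIME part from its leading bytes and recording the declared name for logging only. Assumptions: Python's standard `email` parser stands in for the SOAP stack, the signature table and blocked set are a hypothetical policy built from the types named in the thread, the message is constructed, and content inspection is an approach chosen here rather than one proposed in the thread.

```python
from email import message_from_bytes

# Assumed policy: the thread's example wants MP3 and PNG uploads rejected.
SIGNATURES = {"audio/mpeg": (b"ID3", b"\xff\xfb"), "image/png": (b"\x89PNG",),
              "image/jpeg": (b"\xff\xd8\xff",)}
BLOCKED = {"audio/mpeg", "image/png"}

# Constructed MTOM-style message. Part a1 declares a .JPG name but carries
# MP3 bytes; part a2 has no Content-Disposition at all, which MTOM permits.
SAMPLE = b"\r\n".join([
    b'Content-Type: multipart/related; boundary="b1"; type="application/xop+xml"',
    b"", b"--b1",
    b"Content-Type: application/xop+xml; charset=UTF-8",
    b"Content-ID: <root@constructed>",
    b"", b"<soapenv:Envelope/>", b"--b1",
    b"Content-Type: application/octet-stream",
    b"Content-Transfer-Encoding: binary",
    b"Content-ID: <a1@constructed>",
    b'Content-Disposition: attachment; name="DSC07685.JPG"',
    b"", b"ID3\x03\x00constructed-mp3-bytes", b"--b1",
    b"Content-Type: application/octet-stream",
    b"Content-Transfer-Encoding: binary",
    b"Content-ID: <a2@constructed>",
    b"", b"\xff\xd8\xff\xe0constructed-jpeg-bytes", b"--b1--",
])


def sniff(data):
    """Return the media type implied by the leading bytes, or None."""
    return next((t for t, magics in SIGNATURES.items() if data.startswith(magics)), None)


def review_parts(raw):
    """Return (content_id, declared_name, sniffed_type, blocked) per MIME part."""
    results = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue  # the multipart container itself has no body to inspect
        body = part.get_payload(decode=True) or b""
        # Sender-controlled and possibly absent: kept for logging, never for the decision.
        declared = part.get_param("name", header="content-disposition")
        sniffed = sniff(body)
        results.append((part.get("Content-ID"), declared, sniffed, sniffed in BLOCKED))
    return results
```
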
