Hi Gary
You'll need to refactor UsernamePasswordCredentials out of axis2-kernel:
<groupId>org.apache.axis2</groupId>
<artifactId>axis2-kernel</artifactId>
How about using Kerberos instead?
http://thejavamonkey.blogspot.com/2008/09/axis-2-kerberos-web-services-featuring.html
Can you suggest another alternative to commons-httpclient?
Martin Gainty
______________________________________________
Disclaimer and confidentiality note
This message is confidential. If you are not the intended recipient, we kindly
ask you to notify us. Any unauthorised forwarding or copying is not permitted.
This message serves only the exchange of information and has no legally binding
effect. Because e-mails can easily be manipulated, we cannot accept any liability
for their content.
Date: Wed, 8 Aug 2012 13:14:02 +0800
Subject: SSL vulnerability in Apache Axis2
From: [email protected]
To: [email protected]
I heard there is an SSL vulnerability in commons-httpclient-3.1. Is there a
fix for it or a solution?
The vulnerability's description is below.
Axis2 implemented in Java is vulnerable to man-in-the-middle attacks. By
extension, all applications using this library to establish SSL connections
with the target servers are vulnerable. Affected applications leak all data sent
over the network, such as login credentials, bank account numbers, personally
identifiable information, etc. The vulnerability can be exposed in any network
topology in which a man-in-the-middle can be deployed.
In-depth analysis of Axis2 shows that the middleware uses the
commons-httpclient-3.1 library when establishing SSL connections with target
servers. Internally, commons-httpclient-3.1 uses raw sockets to establish SSL
connections. Per JSSE's manual, raw sockets do not verify the name of the target
server against the name(s) in the server's SSL certificate. Since
commons-httpclient-3.1 does not provide its own hostname verifier to compensate
for this omission, this oversight renders the framework and all applications
built on top of it insecure.
--
Best Regards
Gary
Apache Geronimo
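The flaw Gary quotes is that the stock "https" handler of commons-httpclient 3.1 hands back a raw JSSE SSLSocket and never checks the server's certificate name against the host that was dialled, so any valid certificate for any name is accepted. The following is an added example, not code from Axis2, Geronimo or commons-httpclient: a replacement SecureProtocolSocketFactory that switches on JSSE endpoint identification (the SSLParameters API, Java 7 or later), so the handshake itself fails when the certificate's subjectAltName/CN does not match the host, and registers it globally with Protocol.registerProtocol, which every HttpClient 3.x user in the JVM, Axis2's commons-httpclient transport included, then picks up. The class name HostnameVerifyingSocketFactory and the sample URL in main are my own choices.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.net.UnknownHostException;

import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

import org.apache.commons.httpclient.ConnectTimeoutException;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

/**
 * Added example, not Axis2/commons-httpclient code. Replacement for the default
 * "https" handler of commons-httpclient 3.1: every TLS socket it hands out has JSSE
 * endpoint identification switched on, so the handshake fails when the certificate
 * name does not match the host we dialled. Requires Java 7+ (SSLParameters API).
 */
public class HostnameVerifyingSocketFactory implements SecureProtocolSocketFactory {

    private final SSLSocketFactory sslFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();

    /** Layer TLS over a connected socket, verify the host name, and complete the handshake. */
    private Socket wrap(Socket plain, String host, int port, boolean autoClose) throws IOException {
        SSLSocket ssl = (SSLSocket) sslFactory.createSocket(plain, host, port, autoClose);
        SSLParameters params = ssl.getSSLParameters();
        // "HTTPS" selects the RFC 2818 rules: the trust manager now compares 'host' against the
        // certificate's subjectAltName/CN. The stock factory leaves this unset, which is the gap
        // the advisory describes.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        ssl.setSSLParameters(params);
        ssl.startHandshake(); // SSLHandshakeException on a name mismatch or an untrusted chain
        return ssl;
    }

    /** Plain TCP connect honouring the optional local bind and connect timeout (0 = none). */
    private Socket connect(String host, int port, InetAddress localAddress, int localPort, int timeout)
            throws IOException {
        Socket plain = new Socket();
        if (localAddress != null) {
            plain.bind(new InetSocketAddress(localAddress, localPort));
        }
        try {
            plain.connect(new InetSocketAddress(host, port), timeout);
        } catch (SocketTimeoutException e) {
            plain.close();
            throw (ConnectTimeoutException) new ConnectTimeoutException(
                    "Connect to " + host + ":" + port + " timed out").initCause(e);
        }
        return plain;
    }

    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException, UnknownHostException {
        return wrap(socket, host, port, autoClose);
    }

    public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort)
            throws IOException, UnknownHostException {
        return wrap(connect(host, port, clientHost, clientPort, 0), host, port, true);
    }

    public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
        return wrap(connect(host, port, null, 0, 0), host, port, true);
    }

    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort,
                               HttpConnectionParams params)
            throws IOException, UnknownHostException, ConnectTimeoutException {
        int timeout = params == null ? 0 : params.getConnectionTimeout();
        return wrap(connect(host, port, localAddress, localPort, timeout), host, port, true);
    }

    public static void main(String[] args) throws Exception {
        // Register globally: HttpClient, and Axis2's commons-httpclient transport on top of it,
        // resolve "https" through this factory from now on.
        Protocol.registerProtocol("https",
                new Protocol("https", (ProtocolSocketFactory) new HostnameVerifyingSocketFactory(), 443));

        String url = args.length > 0 ? args[0] : "https://example.org/"; // assumed sample URL
        GetMethod get = new GetMethod(url);
        try {
            int status = new HttpClient().executeMethod(get);
            System.out.println("HTTP " + status + ": certificate name matched " + get.getURI().getHost());
        } catch (SSLHandshakeException e) {
            // The case the stock factory silently accepts: a valid certificate issued for some
            // other name, e.g. a man-in-the-middle presenting a real certificate for its own host.
            System.out.println("Rejected: " + e.getMessage());
        } finally {
            get.releaseConnection();
        }
    }
}
```

Running it against a host whose certificate is valid but issued for a different name now ends in "Rejected: ..." instead of a leaked request, while a host with a matching certificate behaves exactly as before. The connect-timeout overload mirrors what the stock SSLProtocolSocketFactory does (bind, then connect with the timeout from HttpConnectionParams) so that existing timeout settings keep working; the only behavioural change is the name check.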