[ 
https://issues.apache.org/jira/browse/AXIS2-5700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14621047#comment-14621047
 ] 

Shameera Rathnayaka edited comment on AXIS2-5700 at 7/9/15 6:47 PM:
--------------------------------------------------------------------

According to the SOAP spec, Envelope should be under the 
"http://schemas.xmlsoap.org/soap/envelope/" namespace identifier. Hence your 
sample SOAP envelope is wrong. See 
http://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383494 

For soap12, the Envelope namespace is "http://www.w3.org/2003/05/soap-envelope", 
spec http://www.w3.org/TR/soap12/#soapenvelope


was (Author: shameera):
According to the SOAP spec, Envelope should be under the 
"http://schemas.xmlsoap.org/soap/envelope/" namespace identifier. Hence your 
sample SOAP envelope is wrong. See 
http://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383494 

> Fault Handler not reached when soap envelope contains empty namespace
> ---------------------------------------------------------------------
>
>                 Key: AXIS2-5700
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5700
>             Project: Axis2
>          Issue Type: Bug
>          Components: kernel
>    Affects Versions: 1.6.2
>         Environment: Windows 7 Professional. Java 6+, Tomcat, JBoss.
>            Reporter: Randall Vasquez
>
> A customer has a requirement that our application be secure. One of the 
> issues brought up was component names being leaked in error messages which 
> may assist hackers by providing info they may use in future attacks.
> To resolve this issue we attempted to use a simple custom handler that checks 
> for a fault and replaces the message with something more generic.
> The axis2.xml file was then modified to include the handler within the 
> InFaultFlow and OutFaultFlows in the appropriate section as defined by the 
> axis2.xml.
> However when a namespace is empty in the soap message or there is an issue in 
> the envelope at the root element
>  
> example:
> <Envelope xmlns:soapenv="" 
> ...otherwise well constructed soap message
> </Envelope>
> the AxisServlet throws an AxisFault exception bypassing the handlers
> and leaking info
> example result:
>  <soapenv:Envelope 
> ...
> ><faultstring>com.ctc.wstx.exc.WstxUnexpectedCharException: Illegal character 
> >(NULL, unicode 0) encountered: not valid in any content
>  at [row,col {unknown-source}]: [1,313]</faultstring>
> ..
> </soapenv:Envelope>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
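
The following is an added example, not part of the original message and not Axis2 code: a stand-alone pre-dispatch check that accepts only an Envelope root in one of the two namespaces cited in the comment, and answers everything else with a fixed fault so parser details stay in the server log. The class name `EnvelopeGate`, the method `screen`, the fault text and the sample inputs are assumptions made for illustration.

```java
import java.io.StringReader;
import java.util.logging.Logger;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Hypothetical gate: screen a request body before it reaches the SOAP engine.
public class EnvelopeGate {
    private static final Logger LOG = Logger.getLogger("EnvelopeGate");
    // Envelope namespaces cited in the comment (SOAP 1.1 and SOAP 1.2).
    static final String SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String SOAP12 = "http://www.w3.org/2003/05/soap-envelope";
    // Fixed reply: no exception class, parser name or row/column position.
    static final String GENERIC_FAULT =
        "<soapenv:Envelope xmlns:soapenv=\"" + SOAP11 + "\"><soapenv:Body><soapenv:Fault>"
      + "<faultcode>soapenv:Client</faultcode><faultstring>Invalid request</faultstring>"
      + "</soapenv:Fault></soapenv:Body></soapenv:Envelope>";

    /** Returns null when the body may be dispatched, otherwise GENERIC_FAULT. */
    static String screen(String body) {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        try {
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(body));
            r.nextTag();                       // move to the root element
            String ns = r.getNamespaceURI();
            String local = r.getLocalName();
            if (!"Envelope".equals(local) || !(SOAP11.equals(ns) || SOAP12.equals(ns))) {
                LOG.warning("rejected root {" + ns + "}" + local);  // detail stays server-side
                return GENERIC_FAULT;
            }
            while (r.hasNext()) r.next();      // surface well-formedness errors here
            return null;
        } catch (XMLStreamException e) {
            LOG.warning("rejected malformed body: " + e.getMessage());
            return GENERIC_FAULT;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the reporter's empty-prefix shape, then a valid envelope.
        String bad = "<Envelope xmlns:soapenv=\"\"><Body/></Envelope>";
        String good = "<s:Envelope xmlns:s=\"" + SOAP11 + "\"><s:Body/></s:Envelope>";
        System.out.println(screen(bad) == null ? "dispatch" : "generic fault");
        System.out.println(screen(good) == null ? "dispatch" : "generic fault");
    }
}
```

The first sample is rejected whether the parser refuses the empty prefix binding or reports an unqualified root, so the response is the same in both cases.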
