Hi Jonathan,
I've attached a simple JSP, which shows how the Axis2 Service Client can
be used to make your service request, FYI. It gets and displays an
exchange rate from our sample service.
I'll run through your code and put in the required service client call
with the right options etc. into your proxy JSP.
Keith also had some ideas on the right configuration context to be used
in this scenario; he believes it should be different from the mashup
server's, as we don't need to engage all the modules the server uses,
when making the service call. We'll try to get that ready for you as well.
Bye,
Channa.
Jonathan Marsh wrote:
FYI, here's my new code. The WSRequestXSS.js goes next to WSRequest.js,
WSRequestXSSproxy.jsp goes in with the other jsps, and this index.html can
go in system/version/www. I then open it up in the browser as usual, then
change the domain to my machine name (e.g. replace localhost with
"dellicious"). The parameters all get to the jsp ok, I just send a debug
message back at present rather than calling the actual web service.
Still some thinking to do: Should this replace the existing WSRequest.js?
Or be a special option one must ask for? Right now this code replaces the
Google Gadget GET proxy code as well - but I'm not totally sure this will
work. Testing needed. On IE too.
Jonathan Marsh - http://www.wso2.com - http://auburnmarshes.spaces.live.com
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Jonathan Marsh
Sent: Wednesday, June 18, 2008 9:25 PM
To: [EMAIL PROTECTED]; [email protected]
Subject: RE: [mashup-dev] XSS solution?
OK, I've got the script tunnel pretty well in hand, passing all the arguments to WSRequest.open and WSRequest.send to a .jsp on the mashup server. Now, I just need to invoke the Web Service. Do we have a WSRequest object that is accessible from within a jsp? Or do I have to clone the Axis code in the WSRequest Host Object?
Jonathan Marsh - http://www.wso2.com - http://auburnmarshes.spaces.live.com
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:mashup-dev-[EMAIL PROTECTED]
On Behalf Of Keith Chapman
Sent: Monday, June 16, 2008 6:48 PM
To: [email protected]
Subject: Re: [mashup-dev] XSS solution?
+1
Thanks,
Keith.
Jonathan Marsh wrote:
We're getting an increasing number of questions about XSS, preventing people from using the mashup within a web page served from a different domain.
I'm quite tempted to complete my script-injection workaround, and make it available (at least as an alternate version). I hope people don't go into production with a solution that might be used to simplify XSS attacks, but XSS is really quite a pain during the development and testing phase. In addition to using the alternative WSRequest.js version, I'll require a script wrapper proxy (.jsp?) installed on the mashup server.
The alternative of writing proxies for the primary domain is safer but isn't as appealing since we'd need to write one for Apache, for IIS, and who knows what else.
What do you think? Will we be perceived as evil?
P.S. if I do succeed in this, it shows what a joke XSS is.
P.P.S. still a chance I can fail, in which case the joke will be on me ;-).
Jonathan Marsh - http://www.wso2.com - http://auburnmarshes.spaces.live.com
------------------------------------------------------------------------
_______________________________________________
Mashup-dev mailing list
[email protected]
http://www.wso2.org/cgi-bin/mailman/listinfo/mashup-dev
------------------------------------------------------------------------
<%--
* Copyright 2008 WSO2, Inc. http://www.wso2.org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
--%>
<%@ page import="org.apache.axiom.om.util.Base64" %>
<%@ page contentType="application/javascript" language="java" %>
<%!
    // "~" marks an argument that was null on the client; anything else is
    // Base64-encoded UTF-8
    public static String decode(String s) throws Exception {
        if ("~".equals(s)) return null;
        return new String(Base64.decode(s), "UTF-8");
    }
%><%
    // The tunnel passes everything in one comma-separated query string
    String query = request.getQueryString();
    String[] params = query.split(",");
    // Extract and decode all the parameters used to call WSRequest
    String scriptId = params[0];
    boolean async = "true".equals(params[1]);
    String uri = decode(params[2]);
    String username = decode(params[3]);
    String password = decode(params[4]);
    String payload = decode(params[5]);
    // Any remaining fields are WSRequest options (bounded by the array size)
    String[] options = new String[16];
    int optionsCount = 0;
    if (params.length > 5) {
        for (int option = 6; option < params.length && optionsCount < options.length; option++) {
            options[optionsCount++] = decode(params[option]);
        }
    }
    // For now, echo the decoded parameters back as a debug message instead of
    // invoking the web service
    String body = "uri: " + uri +
        ", async: " + async +
        ", username: " + username +
        ", password: " + password +
        ", payload: " + payload;
    for (int i = 0; i < optionsCount; i++) {
        body += ", option[" + i + "]: " + options[i];
    }
    // Escape the body so it survives inside the JavaScript string literal
    // below: backslashes first, then quotes, then line breaks
    body = body.replace("\\", "\\\\");
    body = body.replace("\"", "\\\"");
    body = body.replace("\n", "\"+\n\"");
%>
WSRequest._tunnelcallback("<%= scriptId%>", "<%= body %>");
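A small model of the tunnel wire format the proxy JSP above parses (scriptId, async flag, then Base64 fields with "~" standing for null) together with the JavaScript string-literal escaping the emitted callback line needs. This is an added example written for this thread, not Jonathan's WSRequestXSS.js or the JSP itself; it assumes Node (for Buffer) and the field order the JSP uses.

```javascript
// Added example: encode/decode the comma-separated tunnel query the proxy
// splits on ",", and escape text for the WSRequest._tunnelcallback() line.
const NULL_TOKEN = '~';                       // the proxy maps "~" back to null
const b64 = (s) => Buffer.from(s, 'utf8').toString('base64');
const unb64 = (s) => (s === NULL_TOKEN ? null : Buffer.from(s, 'base64').toString('utf8'));

// Client side: scriptId and async are sent as-is, everything else Base64.
// Base64 output never contains ",", so the fields cannot collide with the separator.
function buildTunnelQuery(scriptId, async, uri, username, password, payload, options = []) {
  const enc = (v) => (v == null ? NULL_TOKEN : b64(v));
  return [scriptId, String(async), enc(uri), enc(username), enc(password), enc(payload),
          ...options.map(enc)].join(',');
}

// Server side (mirrors the JSP): split and decode the fields; fields 6+ are options.
function parseTunnelQuery(query) {
  const p = query.split(',');
  if (p.length < 6) throw new Error('tunnel query needs at least 6 fields');
  return {
    scriptId: p[0], async: p[1] === 'true', uri: unb64(p[2]), username: unb64(p[3]),
    password: unb64(p[4]), payload: unb64(p[5]), options: p.slice(6).map(unb64),
  };
}

// Full JS string-literal encoder: backslashes before quotes (or a trailing "\"
// would cancel the escape added for the quote), CR/LF, and "<" as \x3c so a
// "</script>" inside the body cannot terminate the script block.
function jsStringLiteral(s) {
  return '"' + s.replace(/\\/g, '\\\\').replace(/"/g, '\\"').replace(/\n/g, '\\n')
                .replace(/\r/g, '\\r').replace(/</g, '\\x3c') + '"';
}

// The line the proxy emits. scriptId also arrives via the query string, so it
// is escaped the same way as the body rather than interpolated verbatim.
function tunnelCallback(scriptId, body) {
  return 'WSRequest._tunnelcallback(' + jsStringLiteral(scriptId) + ', ' +
         jsStringLiteral(body) + ');';
}
```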
------------------------------------------------------------------------
--
********************************************
Channa Gunawardena
Technical Lead, WSO2 Inc.
channa at wso2.com; http://channa.gunawardena.org; +94 71 306 2722
"The Open Source SOA Company", http://wso2.com
<%@ page import="org.apache.axis2.client.Options" %>
<%@ page import="org.apache.axis2.client.ServiceClient" %>
<%@ page import="org.apache.axis2.addressing.EndpointReference" %>
<%@ page import="org.apache.axiom.om.OMElement" %>
<%@ page import="org.apache.axiom.om.OMFactory" %>
<%@ page import="org.apache.axiom.om.OMNamespace" %>
<%@ page import="org.apache.axiom.om.OMAbstractFactory" %>
<html>
<head>
<title>WS Request</title>
</head>
<body>
<%
    // Build the request payload with AXIOM:
    // <ns:convert><ns:fromCurrency>LKR</ns:fromCurrency><ns:toCurrency>USD</ns:toCurrency></ns:convert>
    OMFactory factory = OMAbstractFactory.getOMFactory();
    OMNamespace ns = factory.createOMNamespace("http://ws.apache.org/axis2", "ns");
    OMElement methodElement = factory.createOMElement("convert", ns);
    OMElement fromCurrency = factory.createOMElement("fromCurrency", ns, methodElement);
    fromCurrency.setText("LKR");
    OMElement toCurrency = factory.createOMElement("toCurrency", ns, methodElement);
    toCurrency.setText("USD");

    // Create the service client and point it at the sample exchange rate service
    ServiceClient sc = new ServiceClient();
    Options opts = new Options();
    opts.setTo(new EndpointReference("http://localhost:7762/services/samples/exchangeRate"));
    opts.setAction("urn:convert");
    sc.setOptions(opts);

    // Blocking request/response; release the client's resources afterwards
    OMElement responseMsg;
    try {
        responseMsg = sc.sendReceive(methodElement);
    } finally {
        sc.cleanup();
    }
%>
<%-- The response is raw XML; a browser treats its tags as markup, so escape it before rendering it in a real page --%>
<strong>WS Response:</strong> <%= responseMsg.toString() %>
</body>
</html>