[jira] [Commented] (AXIS2-5877) XML External Entity Injections

2017-09-08 Thread Hudson (JIRA)

[ 
https://issues.apache.org/jira/browse/AXIS2-5877?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16159617#comment-16159617
 ] 

Hudson commented on AXIS2-5877:
---

SUCCESS: Integrated in Jenkins build Axis2 #3825 (See [https://builds.apache.org/job/Axis2/3825/])
AXIS2-5877: Move XSLTTemplateProcessor to axis2-codegen because it is not used at runtime. (veithen: rev 1807840)
* (add) axis2/modules/codegen/src/org/apache/axis2/util/XSLTTemplateProcessor.java
* (delete) axis2/modules/kernel/src/org/apache/axis2/util/XSLTTemplateProcessor.java


> XML External Entity Injections
> --
>
> Key: AXIS2-5877
> URL: https://issues.apache.org/jira/browse/AXIS2-5877
> Project: Axis2
>  Issue Type: Bug
>  Components: jaxws
>Affects Versions: 1.7.6
>Reporter: Donald Kwakkel
>Priority: Critical
>  Labels: security
> Attachments: xxe1.png, xxe2.png
>
>
> XML parser configured in ConvertUtils.java:225 does not prevent nor limit 
> external entities resolution. This can expose the parser to an XML External 
> Entities attack.
> Proposed fix: Enable where TransformerFactory is used always the secure 
> processing feature:
> {code:java}
>   // needs javax.xml.XMLConstants and javax.xml.transform.*
>   public static TransformerFactory createTransformerFactory() {
>       TransformerFactory factory = TransformerFactory.newInstance();
>       try {
>           factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
>       }
>       catch (TransformerConfigurationException e) {
>           throw new IllegalStateException(e);
>       }
>       return factory;
>   }
> {code}
> Also in XSLTTemplateProcessor.java:147 (XSLT Injection) and other locations 
> where this and DocumentBuilderFactory is handled wrong. See attached 
> screenshots.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

-
To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
For additional commands, e-mail: java-dev-h...@axis.apache.org
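
A regression check for the TransformerFactory hardening proposed in AXIS2-5877, as an added example that is not Axis2 code or part of the original message: alongside the secure-processing feature it sets the JAXP 1.5 `ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_STYLESHEET` attributes and compares the result with an unconfigured factory. The class and method names and the canary file are constructed for this example, and it assumes the JDK's built-in JAXP implementation.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class SecureTransformerCheck {

    // Constructed marker written to a temp file owned by this test.
    static final String CANARY = "canary-constructed-for-this-test";

    /** Secure processing plus explicit limits on external DTD and stylesheet access. */
    static TransformerFactory hardenedFactory() throws TransformerException {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty string: no protocol is allowed for external DTDs and entities,
        // nor for xsl:import, xsl:include and document().
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return factory;
    }

    /** True if an identity transform copies the canary file's content into its output. */
    static boolean resolvesExternalEntity(TransformerFactory factory, Path canary) {
        // Constructed test document with one external general entity.
        String xml = "<!DOCTYPE r [<!ENTITY e SYSTEM \"" + canary.toUri() + "\">]><r>&e;</r>";
        StringWriter out = new StringWriter();
        try {
            Transformer identity = factory.newTransformer();
            identity.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        } catch (TransformerException rejected) {
            return false; // the document was refused before any output was produced
        }
        return out.toString().contains(CANARY);
    }

    public static void main(String[] args) throws Exception {
        Path canary = Files.createTempFile("xxe-canary", ".txt");
        try {
            Files.write(canary, CANARY.getBytes(StandardCharsets.UTF_8));
            System.out.println("default factory resolves entity:  "
                    + resolvesExternalEntity(TransformerFactory.newInstance(), canary));
            System.out.println("hardened factory resolves entity: "
                    + resolvesExternalEntity(hardenedFactory(), canary));
        } finally {
            Files.delete(canary);
        }
    }
}
```

Other XSLT implementations on the classpath may not recognise the two access attributes and throw `IllegalArgumentException` from `setAttribute`, so the check is worth running against the implementation that is actually deployed.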



[jira] [Commented] (AXIS2-5885) Generating apidocs fails with Java 8.

2017-09-08 Thread Hudson (JIRA)

[ 
https://issues.apache.org/jira/browse/AXIS2-5885?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16159618#comment-16159618
 ] 

Hudson commented on AXIS2-5885:
---

SUCCESS: Integrated in Jenkins build Axis2 #3825 (See 
[https://builds.apache.org/job/Axis2/3825/])
AXIS2-5885: Fix site generation failure in apidocs. The problem was that the 
additionalparam (with -Xdoclint:none) set by the Maven profile was overridden 
in the site-javadoc execution. (veithen: rev 1807837)
* (edit) axis2/apidocs/pom.xml
* (edit) axis2/pom.xml


> Generating apidocs fails with Java 8.
> -
>
> Key: AXIS2-5885
> URL: https://issues.apache.org/jira/browse/AXIS2-5885
> Project: Axis2
>  Issue Type: Bug
>  Components: documentation
>Affects Versions: 1.8.0
> Environment: Windows 10 x86-64, JDK 1.8
>Reporter: Thorsten Schöning
>Priority: Minor
> Attachments: AXIS2-5885 01.patch, AXIS2-5885 02.patch
>
>
> The project "apidocs" cannot be built by default using Java 8 because of a 
> lot of errors in the Javadocs and the new "javadoc" errors on those problems 
> instead of warning/ignoring them. A workaround is to add 
> "<failOnError>false</failOnError>" to the configuration, in that case the 
> errors are turned to warnings and the build succeeds.
> Most of the errors are pretty easy, like wrong HTML etc. and one just needs 
> to fix what and where "javadoc" says. But some errors are related to missing 
> packages and might be a hint to classpath issues or some problems with 
> available packages in the build?
> https://stackoverflow.com/questions/15886209/maven-is-not-working-in-java-8-when-javadoc-tags-are-incomplete
> {CODE}
> [ERROR] Exit code: 1 - C:\Users\tschoening\Documents\Eclipse\Java 
> Axis2\axis2\apidocs\target\distro-javadoc-sources\org.apache.axis2.osgi-1.8.0-SNAPSHOT-sources\org\apache\axis2\extensions\osgi\util\Logger.java:4:
>  error: package org.osgi.service.log does not exist
> [ERROR] import org.osgi.service.log.LogService;
> [ERROR] ^
> {CODE}
> {CODE}
> [ERROR] C:\Users\tschoening\Documents\Eclipse\Java 
> Axis2\axis2\apidocs\target\distro-javadoc-sources\axis2-adb-1.8.0-SNAPSHOT-sources\org\apache\axis2\databinding\ADBDataSource.java:44:
>  warning: no description for @param
> [ERROR] * @param xmlWriter
> [ERROR] ^
> {CODE}






Re: [AXIS2] Some project builds fail if goal "clean" is not used

2017-09-08 Thread Martin Gainty




From: Thorsten Schöning 
Sent: Tuesday, September 5, 2017 5:12 AM
To: java-dev@axis.apache.org
Subject: [AXIS2] Some project builds fail if goal "clean" is not used

Hi all,

I'm facing the problem that when I execute goals like "install" or
"test" without "clean" the build of some projects fails, the problem
seems to be with an existing or not "target" dir and it looks like
that because of that the build of some projects "thinks" it doesn't
need to compile classes etc. Which would be fine if it wouldn't delete
the formerly created classes itself without re-creating them! :-)

One example is with axis-metadata, where the following command fails
after a former successful build:

> mvn test --projects :axis2-metadata

While the following one succeeds:

> mvn clean test --projects :axis2-metadata

"clean" deletes the whole "target" dir, so a fresh new build is
executed. Without "clean", pre-compiled classes in
"target/test-classes" are deleted, but not re-created for some reason,
resulting in error messages like the following:

> [ERROR] Failed to execute goal 
> org.apache.maven.plugins:maven-compiler-plugin:3.5.1:testCompile 
> (default-testCompile) on project axis2-metadata: Compilation failure: 
> Compilation failure:
> [ERROR] /C:/Users/tschoening/Documents/Eclipse/Java 
> Axis2/axis2/modules/metadata/test/org/apache/axis2/jaxws/description/DocLitWrappedImplWithSEI.java:[23,36]
>  package org.test.proxy.doclitwrapped does not exist

Classes of "org.test.proxy.doclitwrapped" were available in the last
successful build and have been deleted, but not re-created. The
interesting thing as well is that really only the Java classes
themselves have been deleted, the corresponding parent dir already
exists:

> C:\Users\tschoening\Documents\Eclipse\Java 
> Axis2\axis2\modules\metadata\target\test-classes\org\test\proxy\doclitwrapped

I have that problem with various projects and it was driving me crazy,
because things like "Debug as/Maven test" etc. per project directly
from Eclipse were not working and such. I really need to always
execute "clean" in addition to the other goals to be sure a build
works.

Is that intended or some kind of build issue? Shouldn't "mvn install"
not only delete pre-compiled test classes, but also be able to create
them again?
MG>the built-in maven-compiler-plugin (the default of compile phase) compile *default* is not full but incremental compile
MG>of special note is the lastModGranularityMs parameter which you can set in maven-compiler-plugin configuration
/**
 * Sets the granularity in milliseconds of the last modification
 * date for testing whether a source needs recompilation.
 */
@Parameter( property = "lastModGranularityMs", defaultValue = "0" )
private int staleMillis;

MG>https://maven.apache.org/plugins/maven-compiler-plugin/compile-mojo.html
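MG>to avoid that heartache when implementing maven-compiler-plugin i always set useIncrementalCompilation = false e.g.

MG><plugin>
MG>  <groupId>org.apache.maven.plugins</groupId>
MG>  <artifactId>maven-compiler-plugin</artifactId>
MG>  <configuration>
MG>    <useIncrementalCompilation>false</useIncrementalCompilation>
MG>  </configuration>
MG></plugin>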

Best regards,
Thorsten Schöning

MG>Regards
MG>Martin

--
Thorsten Schöning   E-Mail: thorsten.schoen...@am-soft.de
AM-SoFT IT-Systeme  http://www.AM-SoFT.de/
Phone...05151-  9468- 55
Fax...05151-  9468- 88
Mobile..0178-8 9468- 04

AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 207 694 - Managing Director: Andreas Muchow





[jira] [Commented] (AXIS2-5876) axis2-webapp: The superclass "javax.servlet.jsp.tagext.SimpleTagSupport" was not found on the Java Build Path status.tag

2017-09-08 Thread Hudson (JIRA)

[ 
https://issues.apache.org/jira/browse/AXIS2-5876?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16159542#comment-16159542
 ] 

Hudson commented on AXIS2-5876:
---

SUCCESS: Integrated in Jenkins build axis2-1.7 #141 (See 
[https://builds.apache.org/job/axis2-1.7/141/])
AXIS2-5876: Merge r1807643 to the 1.7 branch. (veithen: rev 1807838)
* (edit) axis2
* (edit) axis2/modules/webapp/pom.xml


> axis2-webapp: The superclass "javax.servlet.jsp.tagext.SimpleTagSupport" was 
> not found on the Java Build Path status.tag
> 
>
> Key: AXIS2-5876
> URL: https://issues.apache.org/jira/browse/AXIS2-5876
> Project: Axis2
>  Issue Type: Bug
>  Components: modules
>Affects Versions: 1.7.6, 1.8.0
> Environment: Windows 10 Pro x86-64, Eclipse Oxygen Release (4.7.0) 
> x86-64
>Reporter: Thorsten Schöning
> Attachments: missing jsp-api.patch
>
>
> After importing trunk into Eclipse using maven-eclipse-plugin, I got the 
> following error. This could easily be resolved by adding jsp-api to the 
> pom.xml, like in the attached patch. That way the Jar is added to the 
> classpath in Eclipse, provided by Maven and this resolves the error message.
> Please consider patching current trunk and 1.7, as the same problem seems to 
> be present in both.
> {QUOTE}
> The superclass "javax.servlet.jsp.tagext.SimpleTagSupport" was not found on 
> the Java Build Path   status.tag  
> /axis2-webapp/src/main/webapp/WEB-INF/tags  line 1  JSP Problem
> {QUOTE}






[jira] [Resolved] (AXIS2-5879) WSDL20ToAxisServiceBuilder.java:1235 & 1255 (XML External Entity Injection)

2017-09-08 Thread Andreas Veithen (JIRA)

 [ 
https://issues.apache.org/jira/browse/AXIS2-5879?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andreas Veithen resolved AXIS2-5879.

Resolution: Invalid

This code is used by the code generator to read the WSDL supplied by the user. 
If the user wishes to process a WSDL with external entities, then we should 
just do that. There is no security risk here.

> WSDL20ToAxisServiceBuilder.java:1235 & 1255 (XML External Entity Injection)
> ---
>
> Key: AXIS2-5879
> URL: https://issues.apache.org/jira/browse/AXIS2-5879
> Project: Axis2
>  Issue Type: Bug
>  Components: kernel
>Affects Versions: 1.7.6
>Reporter: Donald Kwakkel
>Priority: Critical
>  Labels: security
>
> XML parser configured in WSDL20ToAxisServiceBuilder.java:1235 and 1255 does 
> not prevent nor limit external entities resolution. This can expose the 
> parser to an XML External Entities attack.
> Proposed solution: Always disable external entities:
> {code:java}
>   public static DocumentBuilderFactory createDocumentBuilderFactory() {
>       DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
>       factory.setNamespaceAware(true);
>       try {
>           factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
>           factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
>       }
>       catch (ParserConfigurationException e) {
>           throw new IllegalStateException(e);
>       }
>       return factory;
>   }
> {code}






[jira] [Updated] (AXIS2-5879) WSDL20ToAxisServiceBuilder.java:1235 & 1255 (XML External Entity Injection)

2017-09-08 Thread Andreas Veithen (JIRA)

 [ 
https://issues.apache.org/jira/browse/AXIS2-5879?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andreas Veithen updated AXIS2-5879:
---
Component/s: (was: jaxws)
 kernel

> WSDL20ToAxisServiceBuilder.java:1235 & 1255 (XML External Entity Injection)
> ---
>
> Key: AXIS2-5879
> URL: https://issues.apache.org/jira/browse/AXIS2-5879
> Project: Axis2
>  Issue Type: Bug
>  Components: kernel
>Affects Versions: 1.7.6
>Reporter: Donald Kwakkel
>Priority: Critical
>  Labels: security
>
> XML parser configured in WSDL20ToAxisServiceBuilder.java:1235 and 1255 does 
> not prevent nor limit external entities resolution. This can expose the 
> parser to an XML External Entities attack.
> Proposed solution: Always disable external entities:
> {code:java}
>   public static DocumentBuilderFactory createDocumentBuilderFactory() {
>       DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
>       factory.setNamespaceAware(true);
>       try {
>           factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
>           factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
>       }
>       catch (ParserConfigurationException e) {
>           throw new IllegalStateException(e);
>       }
>       return factory;
>   }
> {code}






[jira] [Resolved] (AXIS2-5878) ValidateXMLFile.java:55 (XML External Entity Injection)

2017-09-08 Thread Andreas Veithen (JIRA)

 [ 
https://issues.apache.org/jira/browse/AXIS2-5878?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andreas Veithen resolved AXIS2-5878.

Resolution: Invalid

This method is only used in a single place to validate XML entered by a user 
into a JTextArea. There is no security risk here.

> ValidateXMLFile.java:55 (XML External Entity Injection)
> ---
>
> Key: AXIS2-5878
> URL: https://issues.apache.org/jira/browse/AXIS2-5878
> Project: Axis2
>  Issue Type: Bug
>  Components: ide plugins
>Affects Versions: 1.7.6
>Reporter: Donald Kwakkel
>Priority: Critical
>  Labels: security
>
> XML parser configured in ValidateXMLFile.java:55 does not prevent nor limit 
> external entities resolution. This can expose the parser to an XML External 
> Entities attack.
> Proposed solution: Always disable external entities when creating a 
> DocumentBuilderFactory:
> {code:java}
>   public static DocumentBuilderFactory createDocumentBuilderFactory() {
>       DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
>       factory.setNamespaceAware(true);
>       try {
>           factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
>           factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
>       }
>       catch (ParserConfigurationException e) {
>           throw new IllegalStateException(e);
>       }
>       return factory;
>   }
> {code}






[jira] [Updated] (AXIS2-5878) ValidateXMLFile.java:55 (XML External Entity Injection)

2017-09-08 Thread Andreas Veithen (JIRA)

 [ 
https://issues.apache.org/jira/browse/AXIS2-5878?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andreas Veithen updated AXIS2-5878:
---
Component/s: (was: jaxws)
 ide plugins

> ValidateXMLFile.java:55 (XML External Entity Injection)
> ---
>
> Key: AXIS2-5878
> URL: https://issues.apache.org/jira/browse/AXIS2-5878
> Project: Axis2
>  Issue Type: Bug
>  Components: ide plugins
>Affects Versions: 1.7.6
>Reporter: Donald Kwakkel
>Priority: Critical
>  Labels: security
>
> XML parser configured in ValidateXMLFile.java:55 does not prevent nor limit 
> external entities resolution. This can expose the parser to an XML External 
> Entities attack.
> Proposed solution: Always disable external entities when creating a 
> DocumentBuilderFactory:
> {code:java}
>   public static DocumentBuilderFactory createDocumentBuilderFactory() {
>       DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
>       factory.setNamespaceAware(true);
>       try {
>           factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
>           factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
>       }
>       catch (ParserConfigurationException e) {
>           throw new IllegalStateException(e);
>       }
>       return factory;
>   }
> {code}
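
For a DocumentBuilderFactory that does parse untrusted XML, the factory proposed in AXIS2-5879 and AXIS2-5878 can be tightened further by refusing DOCTYPE declarations outright; the following is an added example, not Axis2 code or part of the original messages. Class and method names and the two sample documents are constructed, and the `disallow-doctype-decl` feature assumes a Xerces-based parser such as the JDK's built-in one.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class SecureDomFactoryCheck {

    /** The factory as proposed in the issue text: external entities off, DOCTYPE still processed. */
    static DocumentBuilderFactory proposedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return factory;
    }

    /** Stricter variant: any document carrying a DOCTYPE is refused. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = proposedFactory();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    /** Parses xml and reports "accepted" or the parser's rejection message. */
    static String tryParse(DocumentBuilderFactory factory, String xml) throws Exception {
        try {
            factory.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return "accepted";
        } catch (SAXException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain document and one with an internal DTD subset.
        String plain = "<definitions xmlns=\"urn:example\"/>";
        String withDoctype =
                "<!DOCTYPE definitions [<!ENTITY e \"constructed\">]><definitions>&e;</definitions>";

        System.out.println("proposed, plain:   " + tryParse(proposedFactory(), plain));
        System.out.println("proposed, DOCTYPE: " + tryParse(proposedFactory(), withDoctype));
        System.out.println("hardened, plain:   " + tryParse(hardenedFactory(), plain));
        System.out.println("hardened, DOCTYPE: " + tryParse(hardenedFactory(), withDoctype));
    }
}
```

The stricter factory also refuses legitimate documents that declare a DTD, which matters for tools that read user-supplied WSDL as discussed in the resolution comments.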






[jira] [Comment Edited] (AXIS2-5881) Small improvement to the listServices.jsp to sort services and operations

2017-09-08 Thread Jeff Thomas (JIRA)

[ 
https://issues.apache.org/jira/browse/AXIS2-5881?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16158757#comment-16158757
 ] 

Jeff Thomas edited comment on AXIS2-5881 at 9/8/17 3:03 PM:


Here the patch file... hope I made it correctly  :) (original was 1.7.3).

Regarding comment #2... didn't want to rewrite the whole thing... just change 
up the hashmaps to do some sorting.




was (Author: jwt007):
Here the patch file... hope I made it correctly  :) (original was 1.7.3).



> Small improvement to the listServices.jsp to sort services and operations
> -
>
> Key: AXIS2-5881
> URL: https://issues.apache.org/jira/browse/AXIS2-5881
> Project: Axis2
>  Issue Type: Improvement
>Affects Versions: 1.7.3
>Reporter: Jeff Thomas
>Priority: Minor
> Attachments: listServices.jsp, listServices.jsp.patch
>
>
> One thing that has always bothered me about the "services/listServices.jsp" 
> was that it is not sorted ... which means scrolling around looking for the 
> service and/or operations.
> In our build I have updated the listServices.jsp with a few changes to sort 
> the output of services and operations... would just like to suggest the fix 
> be incorporated in the build. (see attachment).  Primarily I replaced the 
> HashMaps with ConcurrentSkipListMap to naturally sort by the keys 
> (ServiceName, OperationName)






[jira] [Updated] (AXIS2-5885) Generating apidocs fails with Java 8.

2017-09-08 Thread JIRA

 [ 
https://issues.apache.org/jira/browse/AXIS2-5885?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Thorsten Schöning updated AXIS2-5885:
-
Attachment: AXIS2-5885 01.patch
AXIS2-5885 02.patch

I started to have a look at the individual errors Javadoc is complaining about 
and started to fix at least some of them to get a feeling on how many errors 
Javadoc will complain about at all. Seems to be multiple hundreds, because it 
aborts with 100 errors/warnings always, even after I fixed dozens of those. And 
I'm pretty sure I did because I verified that the lines Javadoc was complaining 
about before were gone after I fixed those. It's always different lines with 
errors.

I'll attach what I've changed so far to not let it be a waste of time, but it 
seems it's too much to fix at once.

Two choices here: If "failOnError" is applied, build will succeed, but it's 
pretty likely that no one will ever fix all the remaining issues. If 
"failOnError" is not applied, pressure to fix the underlying problems will be 
there and maybe some people will correspond some fixes over time until 
everything is solved. But most likely they will only apply "failOnError" on 
their own? :-)

> Generating apidocs fails with Java 8.
> -
>
> Key: AXIS2-5885
> URL: https://issues.apache.org/jira/browse/AXIS2-5885
> Project: Axis2
>  Issue Type: Bug
>  Components: documentation
>Affects Versions: 1.8.0
> Environment: Windows 10 x86-64, JDK 1.8
>Reporter: Thorsten Schöning
>Priority: Minor
> Attachments: AXIS2-5885 01.patch, AXIS2-5885 02.patch
>
>
> The project "apidocs" cannot be built by default using Java 8 because of a 
> lot of errors in the Javadocs and the new "javadoc" errors on those problems 
> instead of warning/ignoring them. A workaround is to add 
> "<failOnError>false</failOnError>" to the configuration, in that case the 
> errors are turned to warnings and the build succeeds.
> Most of the errors are pretty easy, like wrong HTML etc. and one just needs 
> to fix what and where "javadoc" says. But some errors are related to missing 
> packages and might be a hint to classpath issues or some problems with 
> available packages in the build?
> https://stackoverflow.com/questions/15886209/maven-is-not-working-in-java-8-when-javadoc-tags-are-incomplete
> {CODE}
> [ERROR] Exit code: 1 - C:\Users\tschoening\Documents\Eclipse\Java 
> Axis2\axis2\apidocs\target\distro-javadoc-sources\org.apache.axis2.osgi-1.8.0-SNAPSHOT-sources\org\apache\axis2\extensions\osgi\util\Logger.java:4:
>  error: package org.osgi.service.log does not exist
> [ERROR] import org.osgi.service.log.LogService;
> [ERROR] ^
> {CODE}
> {CODE}
> [ERROR] C:\Users\tschoening\Documents\Eclipse\Java 
> Axis2\axis2\apidocs\target\distro-javadoc-sources\axis2-adb-1.8.0-SNAPSHOT-sources\org\apache\axis2\databinding\ADBDataSource.java:44:
>  warning: no description for @param
> [ERROR] * @param xmlWriter
> [ERROR] ^
> {CODE}


