We are running security tests on our Axis2 1.6.2 web services. It has
been pointed out that we have an OWASP information leakage and I'm
trying to figure out how to solve this. We intercept the SOAP request
and java.xml.stream.XMLStreamException: DOCTYPE is not allowed
I'm trying to gather i
Scott,
If you have access to the service one option is..
On the service side, catch the exception, extract the information you need and
return an object so it goes through the regular "OutFlow" phase instead of the
"FaultFlow"
If you don't have access to the service ..
Can you add a handler on
Brando,
It is our service so we have access to the service code, what I'm not
getting is catching the exception. Can you point me to some examples?
Thanks,
Scott
From: Arguello, Brando [mailto:brando.argue...@gdc4s.com]
Sent: Wednesday, November 26, 2014 10:31 AM
To: java-user@axi
Scott,
What OWASP seems to be flagging is the
"java.xml.stream.XMLStreamException:"
In your service..
theObjectYourMethodReturns yourMethod(.) {
    try {
        The implementation
    } catch (The exception e) {
        Log exception..
        return theObjectYourMethodReturns.setExceptionReason(e.getMess
Brando,
Thank You!!!
I was going too deep on this, thinking I needed to override the message
listeners.
Regards,
Scott
From: Arguello, Brando [mailto:brando.argue...@gdc4s.com]
Sent: Wednesday, November 26, 2014 10:55 AM
To: java-user@axis.apache.org
Subject: RE: How to Solve Ax
Brando,
Just tried your solution; I added an exception around the business logic
of the method and I still get the same response. Any other suggestions?
Regards,
Scott
http://www.w3.org/2003/05/soap-envelope"
xmlns:ser="http://service.web.datamentors.com">
1) DTDs have not been supported by axis for at least 10 years and any/all attempts to
implement DTDs will fubar your axis default installation
you *can* install your own incoming/outgoing message receivers in the
messageReceivers in axis2.xml
http://www.w3.org/2004/08/wsdl/in-only"
Martin,
I've enabled DEBUG logging for Axis2, I can see the DOCTYPE is not
allowed. So as you suggest, I need to create my own message listener to
trap this AxisFault with the XMLStreamReader?
Thanks,
Scott
[#|2014-11-26T12:59:39.048-0500|INFO|glassfish3.1.2|javax.enterprise.sys
AXIS-2.1.5 wsdl2java will handle which XMLReader you will
implement..here is doc:
org.apache.axis2.wsdl.WSDL2Java --help
Usage: WSDL2Java [options] -uri : A url or path to a WSDL
where [options] include:
  -o Specify a directory path for the generated code.
  -a
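
A check a tester could run over captured fault responses to confirm whether the leak discussed in this thread is still present, added here as an example that is not part of the original messages or of Axis2. It extracts the text inside a SOAP 1.1 or 1.2 Fault and reports Java exception class names and stack frames; the function names and the sample responses are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

FAULT_TAGS = ("{http://www.w3.org/2003/05/soap-envelope}Fault",    # SOAP 1.2
              "{http://schemas.xmlsoap.org/soap/envelope/}Fault")  # SOAP 1.1
LEAK_PATTERNS = [
    # Fully qualified Java class name ending in Exception or Error
    ("java-exception-class",
     re.compile(r"\b(?:[a-z_][\w$]*\.)+[A-Z][\w$]*(?:Exception|Error)\b")),
    # A stack-trace line such as "at pkg.Class.method(Class.java:10)"
    ("java-stack-frame",
     re.compile(r"\bat\s+(?:[\w$]+\.)+[\w$<>]+\([\w$]+\.java:\d+\)")),
]

def fault_texts(response_xml):
    """Return every non-empty text node found inside a SOAP Fault element."""
    if "<!DOCTYPE" in response_xml.upper():
        raise ValueError("DOCTYPE in response; refusing to parse")
    root = ET.fromstring(response_xml)
    return [el.text.strip()
            for tag in FAULT_TAGS
            for fault in root.iter(tag)
            for el in fault.iter()
            if el.text and el.text.strip()]

def find_leaks(response_xml):
    """List (pattern name, matched text) for implementation details in a fault."""
    return [(name, m.group(0))
            for text in fault_texts(response_xml)
            for name, pat in LEAK_PATTERNS
            for m in pat.finditer(text)]

# Constructed sample responses (not captured from the service in the thread).
NS12 = 'xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope"'
FAULT_12 = ("<soapenv:Envelope " + NS12 + "><soapenv:Body><soapenv:Fault>"
            "<soapenv:Code><soapenv:Value>soapenv:Sender</soapenv:Value></soapenv:Code>"
            "<soapenv:Reason><soapenv:Text xml:lang='en-US'>%s</soapenv:Text>"
            "</soapenv:Reason></soapenv:Fault></soapenv:Body></soapenv:Envelope>")
LEAKY_12 = FAULT_12 % "java.xml.stream.XMLStreamException: DOCTYPE is not allowed"
CLEAN_12 = FAULT_12 % "Invalid request"
LEAKY_11 = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            "<s:Body><s:Fault><faultcode>s:Server</faultcode>"
            "<faultstring>Internal error</faultstring><detail><trace>"
            "at com.example.Svc.run(Svc.java:10)</trace></detail>"
            "</s:Fault></s:Body></s:Envelope>")

if __name__ == "__main__":
    for label, doc in (("leaky 1.2", LEAKY_12), ("clean 1.2", CLEAN_12),
                       ("leaky 1.1", LEAKY_11)):
        print(label, find_leaks(doc))
```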