axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Davanum Srinivas <dava...@gmail.com>
Subject Re: [Axis2][1.4.1] Nandana as Release Manager (Re: Security hole in Axis2 1.4 + Rampart 1.4)
Date Mon, 07 Jul 2008 13:11:39 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Exactly what i was afraid of :( Sigh! this is a *very* slippery slope.

- -- dims

Amila Suriarachchi wrote:
| On Mon, Jul 7, 2008 at 6:03 PM, Davanum Srinivas <davanum@gmail.com> wrote:
|
|> Nandana,
|>
|> +1 from me for you to be the Release Manager for 1.4.1
|
|
| + 1 from me.
|
|>
|> IMHO, we should use 1.4 branch. The *ONLY* change should be the
|> security change. Nothing more.
|
| I think we need to fix any possible other critical issues as well.
| eg. https://issues.apache.org/jira/browse/AXIS2-3870
| This is a memory leak and we need to fix this.
|
| thanks,
| Amila.
|
|
|
|>
|> thanks,
|> dims
|>
|> On Mon, Jul 7, 2008 at 6:50 AM, Nandana Mihindukulasooriya
|> <nandana.cse@gmail.com> wrote:
|>> I would like to volunteer to be the release manager for Axis2 1.4.1.
|>>
|>> I think we can fix the critical issues in the 1.4 branch (or a 1.4.1
|> branch
|>> ) and do the 1.4.1 release. I don't think doing 1.4.1 from the trunk is
|> the
|>> appropriate way as trunk is now java 1.5 and has lot of major changes
|> after
|>> Axis2 1.4 . However we can fix any issues that are not already fixed in
|> the
|>> trunk at the same time when we fix those in the branch.
|>>
|>> Hope this is oky with Axis2 release guidelines.
|>>
|>> thanks,
|>> nandana
|>>
|>> On Tue, Jul 1, 2008 at 6:39 PM, Davanum Srinivas <davanum@gmail.com>
|> wrote:
|>>> IMHO, The logic is the same as for blockers. If there is a work
|>>> around, it's not a blocker. So i am +0 on a 1.4.1 since there is a
|>>> work around that can be documented.
|>>>
|>>> That said, If someone is willing to drive a 1.4.1 as the release
|>>> manager, please do go ahead.
|>>>
|>>> thanks,
|>>> dims
|>>>
|>>> On Tue, Jul 1, 2008 at 2:48 AM, Sanka Samaranayake <ssanka@gmail.com>
|>>> wrote:
|>>>> Hi,
|>>>>
|>>>> For the users who is already using 1.4 version, the workaround would
|> be
|>>>> to
|>>>> define policies in services.xml without using <wsa:PolicyAttachment>.
|>>>> Then
|>>>> the problem is that those policies will appear in <wsdl:PortType>
|> which
|>>>> is
|>>>> not correct but security will apply for both format of service URLs.
|>>>>
|>>>> Hence +1 for fixing that issue and do 1.4.1 release.
|>>>>
|>>>> Thanks,
|>>>> Sanka
|>>>>
|>>>>
|>>>> On Mon, Jun 30, 2008 at 8:59 PM, Nandana Mihindukulasooriya
|>>>> <nandana.cse@gmail.com> wrote:
|>>>>> Hi,
|>>>>>    There are few issues with Axis2 1.4 / Rampart 1.4 with the new
|>>>>> policy
|>>>>> configuration. The new policy configuration which allows us to apply
|>>>>> policies to binding hierarchy is a great feature when in comes to ws
|>>>>> security policy configuration. It allows security policies to be
|>>>>> attached to
|>>>>> the correct attachment points. But there are few issues that need to
|> be
|>>>>> fixed in Axis2 1.4. I will list them below.
|>>>>>     1.) If we configure security using new configuration, service can
|>>>>> be
|>>>>> accessed without security.
|>>>>>          In Axis2 1.4, a service is exposed in two EPRs (consider
|> SOAP
|>>>>> 1.1
|>>>>> binding).
|>>>>>            eg.
|>>>>>
|>>>>>
|>>>>>
|> http://localhost:8080/axis2/services/SecureService.SecureServiceHttpSoap11Endpoint
|>>>>>                http://localhost:8080/axis2/services/SecureService
|>>>>>           But if we you set the policies using the new configuration,
|>>>>> if
|>>>>> you do a web service call to the older EPR, you can access the
|> service
|>>>>> without any security even though it is secured using the binding
|>>>>> hierarchy.
|>>>>> This happens because if we call the old EPR, it is not dispatched to
|> a
|>>>>> binding. But this leaves the service vulnerable. I think we should
|>>>>> dispatch
|>>>>> to one of the bindings may be using soap envelope version if we have
|>>>>> only
|>>>>> one binding with that soap version. We should have a way to dispatch
|>>>>> messages which comes to old EPR to one of the bindings else we should
|>>>>> have
|>>>>> an option to disable that EPR.
|>>>>>
|>>>>>     2.) In the out flow, policies are not set correctly in the
|> binding
|>>>>> message.
|>>>>>           This is fixed in the trunk but this bug is there in Axis2
|>>>>> 1.4.
|>>>>>
|>>>>>    So the option we have is to configure security using the old
|>>>>> configuration. But then the problem is policies are attached to the
|>>>>> port
|>>>>> type which is the correct way to do if we have policies using
|>>>>> <service>,<operation><message> tags. But this makes
Axis2 not
|>>>>> interoperable
|>>>>> as security policies should be attached to binding hierarchy
|> according
|>>>>> WS
|>>>>> Security policy specification. Ideally we should always use the new
|>>>>> configuration to apply security. And code generation also doesn't
|> work
|>>>>> correctly when the policies attached to the port type (polices are
|> not
|>>>>> correctly attached to the stub).
|>>>>>
|>>>>>    So I think it would be great if can consider a Axis2 1.4.1 with
|>>>>> these
|>>>>> things fixed.
|>>>>>
|>>>>> thanks,
|>>>>> nandana
|>>>>
|>>>> --
|>>>> Sanka Samaranayake
|>>>> WSO2 Inc.
|>>>>
|>>>> http://sankas.blogspot.com/
|>>>> http://www.wso2.org/
|>>>
|>>>
|>>> --
|>>> Davanum Srinivas :: http://davanum.wordpress.com
|>>>
|>>> ---------------------------------------------------------------------
|>>> To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
|>>> For additional commands, e-mail: axis-dev-help@ws.apache.org
|>>>
|>
|>
|> --
|> Davanum Srinivas :: http://davanum.wordpress.com
|>
|> ---------------------------------------------------------------------
|> To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
|> For additional commands, e-mail: axis-dev-help@ws.apache.org
|>
|>
|
|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIchYLgNg6eWEDv1kRAo7lAKDKyTiR50/aWOSuc9d7pVPHQPUoeACgkg+A
sQpm1+6vbyVf0CMQkT1aYXI=
=hpVj
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: axis-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-dev-help@ws.apache.org


Mime
View raw message