<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
<tt>Fixed in jbossws-1.2.0</tt><br>
<br>
Darran Lofthouse wrote:
<blockquote cite="mid1171366669.4426.15.camel@localhost.localdomain"
type="cite">
<pre wrap="">Yes it can be turned off with: -
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">'schemaBinding.setReplacePropertyRefs(false);' in
'SchemaBindingBuilder'
</pre>
</blockquote>
</blockquote>
<pre wrap=""><!---->
Regards,
Darran Lofthouse.
On Tue, 2007-02-13 at 12:32 +0100, Thomas Diesler wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Alex,
There is a performance and security issue within the jbossws
1.0.4.GA stack. The
org.jboss.xb.binding.sunday.unmarshalling.SundayContentHandler
calls the org.jboss.util.StringPropertyReplacer for any
content which is included in a soap request. This is
a) a performance issue since the System.getProperties() method
is more or less time consuming and
b) it is also a security issue since all the system properties
set in the
jboss vm can be accessed with a simple soap request by just
specify a
parameter according ${jboss.home} pattern, which is for
example replaced
by the current value of the system property jboss.home .
can this be turned off by some property? I wasn't aware that jbossxb
is doing this ans AFAICS we don't want that behavior for SOAP payloads
either.
cheers
-thomas
Darran Lofthouse wrote:
</pre>
<blockquote type="cite">
<pre wrap="">The customer has raised some concerns regarding the replacement of
properties in the form ${property} in Soap messages.
Their first concern is it will be a performance hit, this is not true as
System.getProperty() is only called if there is a property found in the
message.
Their second concern is this means any message could be used to get
access to system properties.
Do we really need this switched on? I understand it is there for
reading configuration files but does it really apply to SOAP messages?
If it is not required we can just call
'schemaBinding.setReplacePropertyRefs(false);' in
'SchemaBindingBuilder'.
<a class="moz-txt-link-freetext" href="https://na1.salesforce.com/5003000000333Cb">https://na1.salesforce.com/5003000000333Cb</a>
Regards,
Darran Lofthouse.
</pre>
</blockquote>
<pre wrap="">--
xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thomas Diesler
Web Service Lead
JBoss, a division of Red Hat
xxxxxxxxxxxxxxxxxxxxxxxxxxxx
</pre>
</blockquote>
<pre wrap=""><!---->
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thomas Diesler
Web Service Lead
JBoss, a division of Red Hat
xxxxxxxxxxxxxxxxxxxxxxxxxxxx
</pre>
</body>
</html>