Yes, it can be turned off with:
> 'schemaBinding.setReplacePropertyRefs(false);' in
> 'SchemaBindingBuilder'
Regards,
Darran Lofthouse.
On Tue, 2007-02-13 at 12:32 +0100, Thomas Diesler wrote:
Alex,
There is a performance and security issue within the jbossws 1.0.4.GA stack.
The org.jboss.xb.binding.sunday.unmarshalling.SundayContentHandler calls the
org.jboss.util.StringPropertyReplacer for any content which is included in a
soap request. This is
a) a performance issue since the System.getProperties() method is more or
less time consuming and
b) it is also a security issue since all the system properties set in the
jboss vm can be accessed with a simple soap request by just specify a
parameter according ${jboss.home} pattern, which is for example replaced by
the current value of the system property jboss.home.
Can this be turned off by some property? I wasn't aware that jbossxb
is doing this, and AFAICS we don't want that behavior for SOAP payloads
either.
cheers
-thomas
Darran Lofthouse wrote:
> The customer has raised some concerns regarding the replacement of
> properties in the form ${property} in Soap messages.
>
> Their first concern is it will be a performance hit, this is not true as
> System.getProperty() is only called if there is a property found in the
> message.
>
> Their second concern is this means any message could be used to get
> access to system properties.
>
> Do we really need this switched on? I understand it is there for
> reading configuration files but does it really apply to SOAP messages?
>
> If it is not required we can just call
> 'schemaBinding.setReplacePropertyRefs(false);' in
> 'SchemaBindingBuilder'.
>
>
> https://na1.salesforce.com/5003000000333Cb
>
> Regards,
> Darran Lofthouse.
>
>
--
xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thomas Diesler
Web Service Lead
JBoss, a division of Red Hat
xxxxxxxxxxxxxxxxxxxxxxxxxxxx
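
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not JBossXB code: a simplified stand-in for `${property}` substitution applied to request content, with a flag playing the role of `setReplacePropertyRefs(false)`. The class `PropertyRefDemo`, its `characters` method, the property value and the payload are assumptions constructed for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Simplified stand-in for a content handler that expands ${name} references
// in element text. Hypothetical names; this is not the JBossXB implementation.
public class PropertyRefDemo {
    private static final Pattern REF = Pattern.compile("\\$\\{([^}]+)\\}");

    // Switched on here, matching the situation the thread describes.
    private boolean replacePropertyRefs = true;

    public void setReplacePropertyRefs(boolean on) { this.replacePropertyRefs = on; }

    // Called for each piece of character content taken from the request.
    public String characters(String text) {
        if (!replacePropertyRefs || text.indexOf("${") < 0) {
            return text; // no property lookup when disabled or no reference present
        }
        Matcher m = REF.matcher(text);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = System.getProperty(m.group(1));
            // Unknown properties are left exactly as written in the input.
            m.appendReplacement(out, Matcher.quoteReplacement(value != null ? value : m.group()));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        System.setProperty("jboss.home", "/opt/jboss-constructed"); // constructed sample value
        String payload = "${jboss.home}"; // constructed parameter using the thread's pattern

        PropertyRefDemo handler = new PropertyRefDemo();
        System.out.println("replace on : " + handler.characters(payload));

        handler.setReplacePropertyRefs(false); // the mitigation proposed in the thread
        System.out.println("replace off: " + handler.characters(payload));
    }
}
```

With substitution enabled, client-supplied text is rewritten with server-side values before the service sees it; with the flag off, the payload passes through as literal text.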