There is a performance and security issue within the jbossws 1.0.4.GA stack. The org.jboss.xb.binding.sunday.unmarshalling.SundayContentHandler calls the org.jboss.util.StringPropertyReplacer for any content which is included in a SOAP request. This is
a) a performance issue, since the System.getProperties() method is more or less time consuming, and
b) also a security issue, since all the system properties set in the JBoss VM can be accessed with a simple SOAP request by just specifying a parameter following the ${jboss.home} pattern, which is for example replaced by the current value of the system property jboss.home.

Can this be turned off by some property? I wasn't aware that jbossxb is doing this and AFAICS we don't want that behavior for SOAP payloads either.
The customer has raised some concerns regarding the replacement of properties in the form ${property} in SOAP messages.
Their first concern is that it will be a performance hit; this is not true, as System.getProperty() is only called if there is a property found in the message.
Their second concern is that this means any message could be used to get access to system properties.
Do we really need this switched on? I understand it is there for reading configuration files, but does it really apply to SOAP messages?
If it is not required we can just call 'schemaBinding.setReplacePropertyRefs(false);' in 'SchemaBindingBuilder'.
https://na1.salesforce.com/5003000000333Cb
Regards,
Darran Lofthouse.
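As an added illustration of the two points above (the b) leak described in the report and the setReplacePropertyRefs(false) remedy), here is a small stand-alone Java program. It is not JBoss or jbossws code: the expandProperties method is a simplified model of what a ${...} replacer does when it is applied to SOAP content, the Properties table stands in for the server JVM's System.getProperties(), and the SOAP envelope and the PropertyRefGuard class name are constructed for the example. The containsPropertyRef check is the kind of edge-side detection a deployer can run on raw request bodies while the replacement is still enabled.

```java
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not JBoss code. Models how expanding ${...} references in a
 * SOAP payload exposes server system properties, and shows a guard that can
 * flag such payloads before they reach the unmarshaller.
 */
public class PropertyRefGuard {

    // Matches ${name} or ${name:default}; group 1 is the property name that would be looked up.
    private static final Pattern PROPERTY_REF = Pattern.compile("\\$\\{([^}:]+)(?::[^}]*)?\\}");

    /**
     * Simplified stand-in for org.jboss.util.StringPropertyReplacer: every ${name}
     * found in the text is replaced by the matching entry from props. Unknown names
     * are left untouched. This is the behaviour the report describes for SOAP content.
     */
    static String expandProperties(String text, Properties props) {
        Matcher m = PROPERTY_REF.matcher(text);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = props.getProperty(m.group(1));
            m.appendReplacement(out, Matcher.quoteReplacement(value != null ? value : m.group()));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Detection: a normal SOAP body has no reason to carry a ${...} reference. */
    static boolean containsPropertyRef(String soapBody) {
        return PROPERTY_REF.matcher(soapBody).find();
    }

    public static void main(String[] args) {
        // Constructed sample request whose parameter follows the ${jboss.home} pattern.
        String body = "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                + "<soap:Body><ns:echo xmlns:ns=\"urn:example\"><arg>${jboss.home}</arg></ns:echo>"
                + "</soap:Body></soap:Envelope>";

        // Constructed property table standing in for the server JVM's system properties.
        Properties serverProps = new Properties();
        serverProps.setProperty("jboss.home", "/path/to/jboss-home-placeholder");

        // Replacement enabled (the reported default): the service sees the expanded value.
        System.out.println("expanded: " + expandProperties(body, serverProps));

        // Replacement disabled (schemaBinding.setReplacePropertyRefs(false)): the text is passed as-is.
        System.out.println("verbatim: " + body);

        // Independent of the binding setting, log or reject such bodies at the edge.
        if (containsPropertyRef(body)) {
            System.out.println("ALERT: property reference in SOAP body, possible system-property probe");
        }
    }
}
```

Running it prints the envelope once with the placeholder path substituted for ${jboss.home} and once unchanged, followed by the alert line; the contrast between the two outputs is exactly what the customer's second concern is about.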
--
xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thomas Diesler
Web Service Lead
JBoss, a division of Red Hat
xxxxxxxxxxxxxxxxxxxxxxxxxxxx