[jbossws-dev] Re: Property Replacement in Messages - (Case escalates at 23:00 CET today)
Darran Lofthouse
dlofthouse at redhat.com
Tue Feb 13 06:37:49 EST 2007
Yes it can be turned off with: -
> > 'schemaBinding.setReplacePropertyRefs(false);' in
> > 'SchemaBindingBuilder'
Regards,
Darran Lofthouse.
On Tue, 2007-02-13 at 12:32 +0100, Thomas Diesler wrote:
> Alex,
>
> There is a performance and security issue within the jbossws 1.0.4.GA stack.
> The org.jboss.xb.binding.sunday.unmarshalling.SundayContentHandler calls the
> org.jboss.util.StringPropertyReplacer for any content which is included in a
> SOAP request. This is
> a) a performance issue, since the System.getProperties() method is more or
> less time consuming, and
> b) also a security issue, since all the system properties set in the JBoss VM
> can be accessed with a simple SOAP request by just specifying a parameter
> according to the ${jboss.home} pattern, which is for example replaced by the
> current value of the system property jboss.home.
>
> Can this be turned off by some property? I wasn't aware that jbossxb
> is doing this and AFAICS we don't want that behavior for SOAP payloads
> either.
>
> cheers
> -thomas
>
> Darran Lofthouse wrote:
> > The customer has raised some concerns regarding the replacement of
> > properties in the form ${property} in Soap messages.
> >
> > Their first concern is that it will be a performance hit; this is not true,
> > as System.getProperty() is only called if there is a property found in the
> > message.
> >
> > Their second concern is this means any message could be used to get
> > access to system properties.
> >
> > Do we really need this switched on? I understand it is there for
> > reading configuration files but does it really apply to SOAP messages?
> >
> > If it is not required we can just call
> > 'schemaBinding.setReplacePropertyRefs(false);' in
> > 'SchemaBindingBuilder'.
> >
> > https://na1.salesforce.com/5003000000333Cb
> >
> > Regards,
> > Darran Lofthouse.
> >
> >
>
> --
> xxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Thomas Diesler
> Web Service Lead
> JBoss, a division of Red Hat
> xxxxxxxxxxxxxxxxxxxxxxxxxxxx
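A compact Java model of the behaviour discussed in this thread, added here as an illustration and not code from jbossws or jbossxb: a ${name} replacer like the one applied to SOAP content, the replacePropertyRefs switch that disables it, and a helper that lists the property names a payload references so such requests can be logged. The class name, the Properties stand-in for the JBoss VM and the sample payload are constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Constructed model of ${property} expansion as applied to SOAP payload text. */
public class SoapPropertyReplacement {

    // Matches ${name}; the name is captured in group 1.
    private static final Pattern REF = Pattern.compile("\\$\\{([^}]+)\\}");
    /** Expands ${name} against props; unknown names are left untouched. */
    static String replaceProperties(String text, Properties props) {
        Matcher m = REF.matcher(text);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = props.getProperty(m.group(1));
            // Keep the literal reference when the property is not set.
            m.appendReplacement(out, Matcher.quoteReplacement(value != null ? value : m.group()));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Models the unmarshaller switch: expand only when replacePropertyRefs is true. */
    static String unmarshalContent(String content, boolean replacePropertyRefs, Properties props) {
        return replacePropertyRefs ? replaceProperties(content, props) : content;
    }

    /** Property names referenced by a payload; useful for logging suspicious requests. */
    static List<String> referencedProperties(String content) {
        List<String> names = new ArrayList<String>();
        Matcher m = REF.matcher(content);
        while (m.find()) {
            names.add(m.group(1));
        }
        return names;
    }

    public static void main(String[] args) {
        // Stand-in for System.getProperties(), with a constructed jboss.home value.
        Properties vm = new Properties(System.getProperties());
        vm.setProperty("jboss.home", "/opt/jboss-example");
        String soapParam = "<arg0>${jboss.home} on ${java.version}</arg0>"; // constructed request
        System.out.println("referenced: " + referencedProperties(soapParam));
        System.out.println("enabled:    " + unmarshalContent(soapParam, true, vm));
        System.out.println("disabled:   " + unmarshalContent(soapParam, false, vm));
    }
}
```

With replacement enabled the second line prints the property values in place of the references; with it disabled the payload is passed through unchanged.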