Security - info leak: fault not triggering handler in axis2

Randall Vasquez
Posts: 2
Hi, a customer has deemed our application as not being secure, for the following reason:
Accidental leaking of sensitive information/component name.
Descriptive error messages may reveal information about an application or its services.

We found that when sending an empty namespace within a soap envelope the AxisServlet throws a fault.
Partial request (SOAP message):

<Envelope xmlns:soapenv="" ...>

Partial response returned:
<faultstring>com.ctc.wstx.exc.WstxParsingException: Non-default namespace can not map to empty URI (as per Namespace 1.0 # 2) in XML 1.0 documents
at [row,col {unknown-source}]: [1,26]</faultstring>

Having the com.ctc.wstx.exc.WstxParsingException is what is triggering the security issue.

I created a handler to simply change the faultstring and placed it in the InFaultFlow and OutFaultFlow but it did not seem to be called under this circumstance.
I then attempted to include the handler in every flow and just check for envelope.hasFault().
This still did not trigger any instance of the handler in this case.

From further debugging of the axis2 source, it seems that a parsing exception occurs while trying to create the document and is caught by processHTTPPostRequest, which is handled by the AxisServlet and bypasses any handlers.

I have put the handler definitions in the axis2.xml after the comments that say users can add handlers here.
The handlers are also triggered when there is a problem within the soap message; however, not in this case where the envelope namespace is empty.

I think I'm doing everything correctly.
Is there a way to handle this without extending the axis2 servlet or any of its components?

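As an added example (not code from the original post and not part of Axis2), here is a response post-processing step in plain Java that catches this class of leak regardless of which code path inside Axis2 produced the fault, so it does not depend on a handler being invoked. The class name FaultSanitizer, the generic message text, the regex used to recognise an internal class name, and the idea of applying it from a servlet Filter that wraps the response are all assumptions; the sample envelope is constructed around the faultstring quoted above.

```java
import java.util.UUID;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical response post-processor (not part of Axis2 or the poster's code).
 * Rewrites any <faultstring> that names an internal Java class into a generic
 * message plus a reference id, and logs the original server-side so it is not lost.
 */
public final class FaultSanitizer {

    /** A fully qualified class name ending in Exception or Error, e.g. com.ctc.wstx.exc.WstxParsingException. */
    static final Pattern INTERNAL_CLASS =
            Pattern.compile("\\b(?:[a-z_][\\w$]*\\.)+[A-Z][\\w$]*(?:Exception|Error)\\b");

    /** SOAP 1.1 faultstring element, attributes allowed; DOTALL because the text can span lines. */
    static final Pattern FAULT_STRING =
            Pattern.compile("(<faultstring[^>]*>)(.*?)(</faultstring>)", Pattern.DOTALL);

    static final String GENERIC_MESSAGE = "The request could not be processed.";

    private FaultSanitizer() {}

    /** True if the response body exposes an internal class name inside a faultstring (useful in a test). */
    public static boolean leaksInternalClass(String soapResponse) {
        Matcher m = FAULT_STRING.matcher(soapResponse);
        while (m.find()) {
            if (INTERNAL_CLASS.matcher(m.group(2)).find()) {
                return true;
            }
        }
        return false;
    }

    /** Returns the response with leaking faultstrings replaced; everything else is left untouched. */
    public static String sanitize(String soapResponse) {
        Matcher m = FAULT_STRING.matcher(soapResponse);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String text = m.group(2);
            if (INTERNAL_CLASS.matcher(text).find()) {
                String ref = UUID.randomUUID().toString();
                // Keep the detail where an operator can see it; only the reference id goes to the client.
                System.err.println("sanitized fault " + ref + ": " + text.replaceAll("\\s+", " ").trim());
                text = GENERIC_MESSAGE + " Reference: " + ref;
            }
            m.appendReplacement(out, Matcher.quoteReplacement(m.group(1) + text + m.group(3)));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample built around the faultstring quoted in the post.
        String sample = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                + "<soapenv:Body><soapenv:Fault><faultcode>soapenv:Client</faultcode>"
                + "<faultstring>com.ctc.wstx.exc.WstxParsingException: Non-default namespace can not map to "
                + "empty URI (as per Namespace 1.0 # 2) in XML 1.0 documents\n"
                + " at [row,col {unknown-source}]: [1,26]</faultstring>"
                + "</soapenv:Fault></soapenv:Body></soapenv:Envelope>";

        System.out.println("leaks before: " + leaksInternalClass(sample)); // true
        String clean = sanitize(sample);
        System.out.println("leaks after:  " + leaksInternalClass(clean));  // false
        System.out.println(clean);
    }
}
```

The assumed deployment is a servlet Filter mapped in front of AxisServlet that wraps the HttpServletResponse, buffers the body, and runs sanitize on it before writing it out; that sits outside Axis2's handler chain, so it also covers faults raised while the envelope is still being parsed, and it does not require extending the Axis2 servlet. leaksInternalClass is the check to keep in an integration test: send the malformed envelope and assert that the response does not expose an internal class name. The replacement keeps a reference id so the detailed parser error is still available in the server log when a legitimate client needs help diagnosing its request.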