Bug 1028865

Summary: The fix for CVE-2012-2379 introduced a new deployment issue to JBoss WS CXF
Product: [JBoss] JBoss Enterprise SOA Platform 5 Reporter: Tadayoshi Sato <tasato>
Component: JBossWSAssignee: Julian Coleman <jcoleman>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: 5.3.1CC: aneelica, djorm, nwallace, pavelp, ppecka, rwagner, soa-p-jira
Target Milestone: GA   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-08-26 04:09:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 826534    
Bug Blocks: 1073034    
Attachments:
Description Flags
reproducer (ws impl)
none
reproducer (wsdl) none

Description Tadayoshi Sato 2013-11-11 05:32:00 UTC 
CVE-2012-2379 (BZ-826534) seems to have introduced the following issue to SOA-P 5.3.1.

Given we have the following web service:

@WebService(... wsdlLocation = "classpath:/greeting.wsdl")
public class GreetingServiceImpl implements GreetingService {
  ...

and we have separate packages for the web service impl and WSDL, say, example-ws.war and example-wsdl.jar, deploying example-wsdl.jar to $PROFILE/lib (or $JBOSS_HOME/jboss-as/common/lib) and then example-ws.war to $PROFILE/deploy leads to the following error at deployment time.

org.jboss.deployers.spi.DeploymentException: Error during deploy: vfszip:/opt/jboss-soa-p-5.3.1-cxf/jboss-as/server/default/deploy/example-ws.war/
	at org.jboss.deployers.spi.DeploymentException.rethrowAsDeploymentException(DeploymentException.java:49)
	at org.jboss.deployers.plugins.deployers.DeployerWrapper.deploy(DeployerWrapper.java:185)
	at org.jboss.deployers.plugins.deployers.DeployersImpl.doDeploy(DeployersImpl.java:1454)
	at org.jboss.deployers.plugins.deployers.DeployersImpl.doInstallParentFirst(DeployersImpl.java:1172)
	at org.jboss.deployers.plugins.deployers.DeployersImpl.install(DeployersImpl.java:1113)
	at org.jboss.dependency.plugins.AbstractControllerContext.install(AbstractControllerContext.java:348)
	at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:1652)
	at org.jboss.dependency.plugins.AbstractController.incrementState(AbstractController.java:938)
	at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:1082)
	at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:988)
	at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:826)
	at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:556)
	at org.jboss.deployers.plugins.deployers.DeployersImpl.process(DeployersImpl.java:789)
	at org.jboss.deployers.plugins.main.MainDeployerImpl.process(MainDeployerImpl.java:699)
	at org.jboss.system.server.profileservice.repository.MainDeployerAdapter.process(MainDeployerAdapter.java:117)
	at org.jboss.system.server.profileservice.hotdeploy.HDScanner.scan(HDScanner.java:409)
	at org.jboss.system.server.profileservice.hotdeploy.HDScanner.run(HDScanner.java:294)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
	at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:304)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:178)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:744)
Caused by: java.lang.RuntimeException: java.io.IOException: Could not find classpath:/greeting.wsdl in the additional metadatafiles!
	at org.jboss.wsf.stack.cxf.DescriptorDeploymentAspect.checkCVE20122379(DescriptorDeploymentAspect.java:267)
	at org.jboss.wsf.stack.cxf.DescriptorDeploymentAspect.create(DescriptorDeploymentAspect.java:83)
	at org.jboss.wsf.framework.deployment.DeploymentAspectManagerImpl.deploy(DeploymentAspectManagerImpl.java:115)
	at org.jboss.wsf.container.jboss50.deployer.ArchiveDeployerHook.deploy(ArchiveDeployerHook.java:76)
	at org.jboss.wsf.container.jboss50.deployer.AbstractWebServiceDeployer.internalDeploy(AbstractWebServiceDeployer.java:60)
	at org.jboss.deployers.spi.deployer.helpers.AbstractRealDeployer.deploy(AbstractRealDeployer.java:55)
	at org.jboss.deployers.plugins.deployers.DeployerWrapper.deploy(DeployerWrapper.java:179)
	... 22 more
Caused by: java.io.IOException: Could not find classpath:/greeting.wsdl in the additional metadatafiles!
	at org.jboss.wsf.framework.deployment.ResourceResolverImpl.resolve(ResourceResolverImpl.java:121)
	at org.jboss.wsf.stack.cxf.DescriptorDeploymentAspect.checkCVE20122379(DescriptorDeploymentAspect.java:261)
	... 28 more
Comment 1 Tadayoshi Sato 2013-11-11 05:34:48 UTC 
Created attachment 822275 [details]
reproducer (ws impl)
Comment 2 Tadayoshi Sato 2013-11-11 05:35:44 UTC 
Created attachment 822276 [details]
reproducer (wsdl)
Comment 6 JBoss JIRA Server 2013-11-26 14:36:06 UTC 
R Searls <rsearls> updated the status of jira JBPAPP-10903 to Coding In Progress
Comment 7 JBoss JIRA Server 2013-12-04 13:14:44 UTC 
R Searls <rsearls> made a comment on jira JBPAPP-10903

Fix made in https://svn.jboss.org/repos/jbossws/framework/branches/jbossws-framework-3.1.2
File changed: src/main/java/org/jboss/wsf/framework/deployment/ResourceResolverImpl.java
Change diff see attachment.
Comment 8 JBoss JIRA Server 2013-12-04 13:18:25 UTC 
R Searls <rsearls> updated the status of jira JBPAPP-10903 to Resolved
Comment 10 Rick Wagner 2014-04-22 17:28:44 UTC 
Hi Neil,

I'll do it now.  So long as we have the code, I don't think it matters who advances the BZ.  

Thanks,

Rick
Comment 11 ppecka 2014-05-28 14:28:24 UTC 
Issue has been VERIFIED with bits from BZ1073034