Bug 1031590 - missing validation of wsdl-host attribute
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web Services
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: high
Target Milestone: DR0
Target Release: EAP 6.3.0
Assigned To: Alessio Soldano
QA Contact: Rostislav Svoboda
Docs Contact: Russell Dickenson
Depends On: 1007484
Blocks:
Reported: 2013-11-18 06:04 EST by Petr Sakař
Modified: 2014-06-28 11:30 EDT
Doc Type: Bug Fix
Clone Of: 1007484
Last Closed: 2014-06-28 11:30:17 EDT
Type: Bug

Attachments
deployment (war with webservice) (4.11 KB, application/x-webarchive)
2014-02-17 06:51 EST, Petr Sakař

Comment 1 Petr Sakař 2013-11-18 06:06:43 EST
Actually, step 2 (deploy war with webservice) is not required, as the ws subsystem is activated by default.
Comment 3 Petr Sakař 2014-02-17 06:49:41 EST
CLI command:

jboss-eap-6.3/bin/jboss-cli.sh -c 'deploy '

jboss-eap-6.3/bin/jboss-cli.sh -c '/subsystem=webservices/:write-attribute(name=wsdl-host,value="1.1.1.1.1")'

Result:
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}

Reload is successful, but retrieval of WSDL from URL http://localhost:8080/CLIWebservicesWsdlPortIT/AnnotatedSecurityService results in the returned
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>Fault occurred while processing.</faultstring>
</soap:Fault>
</soap:Body>
</soap:Envelope>

and server-side exception

12:41:38,727 INFO  [org.jboss.as.server] (Controller Boot Thread) JBAS018559: Deployed "CLIWebservicesWsdlPortIT.war" (runtime-name : "CLIWebservicesWsdlPortIT.war")
12:41:38,730 INFO  [org.jboss.as] (Controller Boot Thread) JBAS015961: Http management interface listening on http://127.0.0.1:9990/management
12:41:38,730 INFO  [org.jboss.as] (Controller Boot Thread) JBAS015951: Admin console listening on http://127.0.0.1:9990
12:41:38,730 INFO  [org.jboss.as] (Controller Boot Thread) JBAS015874: JBoss EAP 6.3.0.Alpha1 (AS 7.4.0.Final-redhat-0) started in 297ms - Started 180 of 240 services (59 services are passive or on-demand)
12:43:57,682 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (http-/127.0.0.1:8080-1) Interceptor for {http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy}AnnotatedSecurityService has thrown exception, unwinding now: java.lang.NullPointerException
	at org.apache.cxf.service.factory.SimpleMethodDispatcher.getMethod(SimpleMethodDispatcher.java:97)
	at org.jboss.wsf.stack.cxf.JBossWSInvoker.invoke(JBossWSInvoker.java:129)
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57) [cxf-api-2.7.7.redhat-1.jar:2.7.7.redhat-1]
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [rt.jar:1.7.0_51]
	at java.util.concurrent.FutureTask.run(FutureTask.java:262) [rt.jar:1.7.0_51]
	at org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37) [cxf-api-2.7.7.redhat-1.jar:2.7.7.redhat-1]
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:106) [cxf-api-2.7.7.redhat-1.jar:2.7.7.redhat-1]
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272) [cxf-api-2.7.7.redhat-1.jar:2.7.7.redhat-1]
	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-api-2.7.7.redhat-1.jar:2.7.7.redhat-1]
	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
	at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:92)
	at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:143)
	at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:87)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:211)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:734) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
	at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:135)
	at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) [jbossws-spi-2.2.2.Final-redhat-1.jar:2.2.2.Final-redhat-1]
Comment 4 Petr Sakař 2014-02-17 06:51:12 EST
Created attachment 864070 [details]
deployment (war with webservice)
Comment 5 Petr Sakař 2014-02-19 05:09:02 EST
Comment #4 is not correct. Correct description is:

1. User is able to set invalid IPv4/v6 address (e.g. 1.1.1.1.1, ::, 1::)

2. WSDL is correctly produced using http://localhost:8080/CLIWebservicesWsdlPortIT/AnnotatedSecurityService?wsdl

3. Accessing URL http://localhost:8080/CLIWebservicesWsdlPortIT/AnnotatedSecurityService results in the returned
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>Fault occurred while processing.</faultstring>
</soap:Fault>
</soap:Body>
</soap:Envelope>

and server-side exception

12:41:38,727 INFO  [org.jboss.as.server] (Controller Boot Thread) JBAS018559: Deployed "CLIWebservicesWsdlPortIT.war" (runtime-name : "CLIWebservicesWsdlPortIT.war")
12:41:38,730 INFO  [org.jboss.as] (Controller Boot Thread) JBAS015961: Http management interface listening on http://127.0.0.1:9990/management
12:41:38,730 INFO  [org.jboss.as] (Controller Boot Thread) JBAS015951: Admin console listening on http://127.0.0.1:9990
12:41:38,730 INFO  [org.jboss.as] (Controller Boot Thread) JBAS015874: JBoss EAP 6.3.0.Alpha1 (AS 7.4.0.Final-redhat-0) started in 297ms - Started 180 of 240 services (59 services are passive or on-demand)
12:43:57,682 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (http-/127.0.0.1:8080-1) Interceptor for {http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy}AnnotatedSecurityService has thrown exception, unwinding now: java.lang.NullPointerException
	at org.apache.cxf.service.factory.SimpleMethodDispatcher.getMethod(SimpleMethodDispatcher.java:97)
	at org.jboss.wsf.stack.cxf.JBossWSInvoker.invoke(JBossWSInvoker.java:129)
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57) [cxf-api-2.7.7.redhat-1.jar:2.7.7.redhat-1]
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [rt.jar:1.7.0_51]
	at java.util.concurrent.FutureTask.run(FutureTask.java:262) [rt.jar:1.7.0_51]
	at org.apache.cxf.workqueue.SynchronousExecutor.execute(SynchronousExecutor.java:37) [cxf-api-2.7.7.redhat-1.jar:2.7.7.redhat-1]
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:106) [cxf-api-2.7.7.redhat-1.jar:2.7.7.redhat-1]
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272) [cxf-api-2.7.7.redhat-1.jar:2.7.7.redhat-1]
	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-api-2.7.7.redhat-1.jar:2.7.7.redhat-1]
	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
	at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:92)
	at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:143)
	at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:87)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:211)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:734) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
	at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:135)
	at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) [jbossws-spi-2.2.2.Final-redhat-1.jar:2.2.2.Final-redhat-1]
Comment 6 Petr Sakař 2014-02-19 05:24:39 EST
Another correction:

Validation of 1.1.1.1.1 is successful, as it is considered a hostname.
1:: and :: are valid IPv6 addresses.

So the only problem is the NPE.
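As an added illustration (not part of the bug report or of the EAP code), the Python below reproduces the lenient classification Petr describes: 1.1.1.1.1 fails as an IPv4 address but satisfies RFC 1123 hostname syntax (digit-only labels are permitted), while :: and 1:: are well-formed IPv6 addresses. The check_wsdl_host helper is an assumed stricter pre-check an operator could run before writing the attribute; it flags dotted-decimal values that are not real IPv4 addresses, since such a wsdl-host ends up as an unreachable soap:address in the published WSDL.

```python
import ipaddress
import re

# RFC 1123 hostname label: letters, digits and hyphens, 1-63 chars,
# not starting or ending with a hyphen. Digit-only labels are legal,
# which is why "1.1.1.1.1" passes a hostname check.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_wsdl_host(value: str) -> str:
    """Classify a candidate wsdl-host value the way a lenient validator would.

    Returns "ipv4", "ipv6", "hostname" or "invalid".
    """
    if not value or len(value) > 253:
        return "invalid"
    try:
        addr = ipaddress.ip_address(value)  # accepts "::" and "1::" as IPv6
        return "ipv4" if addr.version == 4 else "ipv6"
    except ValueError:
        pass
    # Bracketed IPv6 literal as it would appear in a URL, e.g. "[::1]"
    if value.startswith("[") and value.endswith("]"):
        try:
            ipaddress.IPv6Address(value[1:-1])
            return "ipv6"
        except ValueError:
            return "invalid"
    labels = value.rstrip(".").split(".")
    if all(_LABEL.match(label) for label in labels):
        return "hostname"
    return "invalid"


def looks_like_malformed_ipv4(value: str) -> bool:
    """True for hostname-shaped values made only of dotted decimal labels
    that are not a valid IPv4 address (e.g. "1.1.1.1.1"): syntactically a
    hostname, but almost certainly a typo for an address."""
    return (classify_wsdl_host(value) == "hostname"
            and all(label.isdigit() for label in value.split(".")))


def check_wsdl_host(value: str) -> tuple:
    """Assumed stricter pre-check to run before
    write-attribute(name=wsdl-host, value=...). Returns (ok, detail)."""
    kind = classify_wsdl_host(value)
    if kind == "invalid":
        return (False, "not an IP address or RFC 1123 hostname")
    if looks_like_malformed_ipv4(value):
        return (False, "dotted-decimal value that is not a valid IPv4 address")
    return (True, kind)
```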
Comment 7 Alessio Soldano 2014-02-19 05:36:09 EST
As mentioned to Petr on IRC, the NPE is really a side issue here, related to sending an HTTP GET request to the endpoint location, which is meant to process POST requests only. It's not really a problem, apart from the possibly misleading error in the log.
In any case, this NPE thing is being solved in the next EAP 6.3 DR1.
So this BZ is solved from my point of view.
Comment 8 Petr Sakař 2014-02-27 04:25:12 EST
Verified NPE is not thrown any more.
Verified validation in CLI.
Verified validation in CLI GUI (beware of current bug in GUI when value is not enclosed in quotes).
