March 31, 2009
A few days back, when I was trying to secure an Axis2 JAXWS service, I found a serious issue in the current JAXWS implementation in Axis2 trunk. Basically, a JAXWS service can’t be used with any module that involves policies (e.g. security) at all. This is because the WSDL of a JAXWS service doesn’t show the policies engaged in the service. This scenario is omitted on the assumption that a JAXWS service is not used with policies, as it is only an annotated Java class. But policies can be included and modules can be engaged in any service programmatically. In such cases this is a serious issue.
For normal Axis2 services, the WSDL is generated by looking at the AxisService object, which contains everything about the service. In the current JAXWS implementation, the WSDL is generated through a separate WSDLSupplier, which doesn’t use the AxisService object at all. This is why the policies are not shown in the generated WSDL. If someone programmatically adds a policy to a JAXWS service, this policy is not shown in the WSDL when ?wsdl is called. Therefore a client won’t be able to invoke this service.
In JAXWS service deployment, there are 2 cases
In case 1, the AxisService is built using WSDL11ToAxisServiceBuilder. Therefore, in this case, the WSDL can be generated in the normal way without using this WSDLSupplier. But in case 2, the AxisService object doesn’t contain a schema and the WSDL can’t be generated in the normal way. That’s why this WSDLSupplier is used.
In order to fix this issue in case 2, I’ve generated the WSDL from this WSDLSupplier at deployment time and then used the WSDL11ToAxisServiceBuilder to build the AxisService. Therefore we don’t want this WSDLSupplier (when ?wsdl is called) in both the above cases, and policies are shown in the WSDL properly.
I’ve added a parameter to axis2.xml named “useGeneratedWSDLinJAXWS”. By default it is false and the behavior is exactly as it was before this fix. If it is set to true, the new behavior is turned on and the WSDLSupplier is not registered. The WSDL is generated in the normal way by looking at the AxisService object. Therefore, if someone needs to add policies to a JAXWS service, this behavior can be used.
I created a JIRA for this and attached the patch last week and committed it into trunk yesterday. Now the fix is available in trunk.
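To confirm that a service's ?wsdl output really advertises its engaged policies, the check below (an added example, not code from the original post or from Axis2) parses a WSDL 1.1 document and lists the WS-Policy ids each binding references. It assumes policies are attached at binding level or below; the function names and the sample WSDL fragments are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
# WS-Policy 1.2 and 1.5 namespaces
POLICY_NS = ("http://schemas.xmlsoap.org/ws/2004/09/policy",
             "http://www.w3.org/ns/ws-policy")

def advertised_policies(wsdl_text):
    """Map each wsdl:binding name to the policy ids it advertises."""
    # ElementTree does not block entity-expansion attacks; parse WSDL from
    # hosts you do not control with a hardened parser instead.
    root = ET.fromstring(wsdl_text)
    defined = set()  # ids of every wsp:Policy defined in the document
    for ns in POLICY_NS:
        for pol in root.iter("{%s}Policy" % ns):
            if pol.get("{%s}Id" % WSU_NS):
                defined.add(pol.get("{%s}Id" % WSU_NS))
    result = {}
    for binding in root.iter("{%s}binding" % WSDL_NS):
        ids = set()
        for ns in POLICY_NS:
            for pol in binding.iter("{%s}Policy" % ns):  # inline policy
                ids.add(pol.get("{%s}Id" % WSU_NS) or "(inline)")
            for ref in binding.iter("{%s}PolicyReference" % ns):
                target = ref.get("URI", "").lstrip("#")
                if target in defined:  # ignore dangling references
                    ids.add(target)
        result[binding.get("name")] = sorted(ids)
    return result

def bindings_without_policy(wsdl_text):
    """Bindings whose WSDL tells clients nothing about required policies."""
    return [n for n, ids in advertised_policies(wsdl_text).items() if not ids]

# Constructed sample WSDL fragments (not output captured from Axis2).
HEAD = ('<wsdl:definitions xmlns:wsdl="%s" xmlns:wsp="%s" xmlns:wsu="%s">'
        % (WSDL_NS, POLICY_NS[0], WSU_NS))
WITH_POLICY = (HEAD + '<wsp:Policy wsu:Id="SecPolicy"/>'
               '<wsdl:binding name="EchoBinding">'
               '<wsp:PolicyReference URI="#SecPolicy"/></wsdl:binding>'
               '</wsdl:definitions>')
WITHOUT_POLICY = HEAD + '<wsdl:binding name="EchoBinding"/></wsdl:definitions>'

if __name__ == "__main__":
    for label, doc in (("with", WITH_POLICY), ("without", WITHOUT_POLICY)):
        print(label, advertised_policies(doc), bindings_without_policy(doc))
```

A binding returned by `bindings_without_policy` for a service that has a security module engaged is the symptom described in this post: the policy is in force on the server but absent from the contract clients read.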