请求在soap Header元素中包含无效字符时,如何在SOAP Web服务中捕获MessageCreationException

时间:2019-02-14 19:29:38

标签: java xml soap

我有一个肥皂服务,我的公司说我必须防止XML注入。  他们已将此请求发送为测试:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:beac="http://www.mycompany.com/04/02/2010/V1.0/myWebService.xsd">

   <soapenv:Header>]]&gt;&gt;&lt;</soapenv:Header>
   <soapenv:Body>
      <beac:myRequest>
         <beac:isMyParam>true</beac:isMyParam>
      </beac:myRequest>
   </soapenv:Body>
</soapenv:Envelope>

我的服务正在返回此响应:

HTTP/1.1 500 Internal Server Error
Date: Thu, 14 Feb 2019 18:59:17 GMT
Transfer-Encoding: chunked
Content-Type: text/xml; charset=utf-8
X-Powered-By: Servlet/2.5 JSP/2.1

<?xml version='1.0' encoding='UTF-8'?><S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><S:Fault xmlns:ns4="http://www.w3.org/2003/05/soap-envelope"><faultcode>S:Client</faultcode><faultstring>Couldn't create SOAP message due to exception: XML reader error: unexpected character content: "]]&gt;&gt;&lt;"</faultstring></S:Fault></S:Body></S:Envelope>

此异常记录在服务器日志中:

Feb 14, 2019 1:59:17 PM com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit handle
SEVERE: Couldn't create SOAP message due to exception: XML reader error: unexpected character content: "]]>><"
com.sun.xml.ws.protocol.soap.MessageCreationException: Couldn't create SOAP message due to exception: XML reader error: unexpected character content: "]]>><"
	at com.sun.xml.ws.encoding.SOAPBindingCodec.decode(SOAPBindingCodec.java:295)
	at com.sun.xml.ws.transport.http.HttpAdapter.decodePacket(HttpAdapter.java:294)
	at com.sun.xml.ws.transport.http.HttpAdapter.access$500(HttpAdapter.java:102)
	at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:519)
	at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:253)
	at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:140)
	at weblogic.wsee.jaxws.WLSServletAdapter.handle(WLSServletAdapter.java:171)
	at weblogic.wsee.jaxws.HttpServletAdapter$AuthorizedInvoke.run(HttpServletAdapter.java:708)
	at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
	at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
	at weblogic.wsee.util.ServerSecurityHelper.authenticatedInvoke(ServerSecurityHelper.java:103)
	at weblogic.wsee.jaxws.HttpServletAdapter$3.run(HttpServletAdapter.java:311)
	at weblogic.wsee.jaxws.HttpServletAdapter.post(HttpServletAdapter.java:336)
	at weblogic.wsee.jaxws.JAXWSServlet.doRequest(JAXWSServlet.java:99)
	at weblogic.servlet.http.AbstractAsyncServlet.service(AbstractAsyncServlet.java:99)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
	at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
	at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
	at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
	at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:184)
	at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3732)
	at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
	at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
	at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
	at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
	at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
	at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
	at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
	at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: com.sun.xml.ws.streaming.XMLStreamReaderException: XML reader error: unexpected character content: "]]>><"
	at com.sun.xml.ws.streaming.XMLStreamReaderUtil.nextElementContent(XMLStreamReaderUtil.java:102)
	at com.sun.xml.ws.encoding.StreamSOAPCodec.decode(StreamSOAPCodec.java:229)

在这种情况下,我需要返回http状态代码400。为了防止在请求参数中进行这种XML注入,我使用了@SchemaValidation(handler = MyValidationHandler.class)并在.xsd文件中添加了限制。在MyValidationHandler中,我可以在Packet中设置一个指示请求无效的属性,然后在端点中,如果看到该属性,则可以从MessageContext访问HttpServletResponse并告诉它sendError 400。无效的文本放置在soap标头中,因为该异常未传递给MyValidationHandler。当soapenv:Envelope元素中包含无效文本时,我有同样的问题。如何添加一个ErrorHandler来捕获此级别的异常并允许我指定将返回的http响应代码?

0 个答案:

没有答案
相关问题
最新问题