Ticket #504 (closed task: fixed)

Opened 13 years ago

Last modified 12 years ago

[S] Security Web Service HTTP GET Request accesses hard coded WSDL path

Reported by: pjkersha
Owned by: pjkersha
Priority: desirable
Milestone: PreBeta
Component: security
Version:
Keywords: Security, ZSI, WSDL
Cc:

Description

This affects the Security Web service launch scripts:

  • AttAuthorityServer.py
  • SessionMgrServer.py
  • GatekeeperServer.py
  • LogServer.py

In each case a derived class of SOAPRequestHandler enables custom behaviour for HTTP GET and POST actions. GET is set up as a convenience so that if a user enters the port address for the service in a browser, the WSDL file is displayed. However, the WSDL file path given is hard coded. Service Provider sites deploying these services need to change this in order to pick up the correct path for the WSDL.

GET requests are not essential to the operation of the web service so this is a minor bug. Also, ZSI will be upgraded to version >= 2.0rc2 which may mean that the way this code is handled is different.

Change History

comment:1 Changed 13 years ago by pjkersha

  • Status changed from new to assigned

comment:2 Changed 13 years ago by selatham

  • Component changed from T01_Discovery to T12_Security

comment:3 Changed 13 years ago by pjkersha

Fix this bug in line with future upgrade to ZSI 2.0_rc2.

ZSI 2.0 wsdl2py generation code incorporates the content of the WSDL into a string variable, so it should be easy to modify code to handle GET requests by returning this string.
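
The approach outlined in comment:3, as an added example that is not part of the ticket or the project's code: the GET handler returns WSDL text held in a string instead of opening a file path compiled into the launch script. It uses Python 3's standard `http.server` in place of ZSI's SOAPRequestHandler, and `make_handler`, `get_from_service` and `SAMPLE_WSDL` are hypothetical names.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample WSDL. Assumption: in a ZSI 2.0 service this text would be
# the string that wsdl2py embeds in the generated module.
SAMPLE_WSDL = '<?xml version="1.0"?>\n<definitions name="AttAuthority"/>\n'


def make_handler(wsdl_text):
    """Build a handler class bound to WSDL text, so no file path is compiled in."""
    body = wsdl_text.encode("utf-8") if wsdl_text else None

    class WSDLGetHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            if body is None:
                # No WSDL supplied: answer clearly instead of reading the filesystem.
                self.send_error(404, "WSDL not available")
                return
            self.send_response(200)
            self.send_header("Content-Type", "text/xml; charset=utf-8")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, fmt, *args):
            pass  # keep the example quiet

    return WSDLGetHandler


def get_from_service(wsdl_text, path="/"):
    """Serve on an ephemeral localhost port, GET `path`, return (status, body)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(wsdl_text))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8")
    finally:
        conn.close()
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(get_from_service(SAMPLE_WSDL))
```

Because the handler never builds a filesystem path from the request or from a constant, a deploying site has nothing to edit in the script, and a missing WSDL produces a 404 rather than an unhandled file error.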

comment:4 Changed 12 years ago by pjkersha

  • Status changed from assigned to closed
  • Resolution set to fixed

New code based on ZSI 2.0_rc3 and Twisted doesn't have this bug. GET requests are not supported but Twisted gives a sensible error message back to a browser client when invoked in this way.
