4 Replies Latest reply on Oct 4, 2011 3:14 AM by Thomas Chang

    What is Jboss WS Native?

    Thomas Chang Apprentice

      Hi all,

       

      Recently I got information that there is a security leak in Jboss WS Native if you use the DOCTYPE [1]. One of my colleagues had written a WS which is deployed on Jboss EAP 5.1.0 and works fine. He told me his WS doesn't use the Jboss WS Native. But after I deleted all the Jboss WS Native components such as the jbossws-native-xxx.jar, the ../deploy/jbossws.sar and ../deployer/jbossws.deployer, the WS doesn't work. And I got "java.lang.ClassNotFoundException: org.jboss.ws.core.jaxws.spi.ProviderImpl"

       

      I wonder how to determine if a WS uses Jboss WS Native or not.

       

       

      [1] http://securitytracker.com/id/1026058

       

       

      Thomas

        • 1. Re: What is Jboss WS Native?
          Jim Ma Apprentice

          This security issue has been fixed in EAP 5.1.1.

          • 2. Re: What is Jboss WS Native?
            Thomas Chang Apprentice

            1. Your answer is not to my question.

            2. As far as I know, the problem is not fixed, since Jboss just changed the default setting to non-doctype. If you already used DOCTYPE in your WS in Jboss-WS-Native, you have to change to another type such as xsd. You can still use DOCTYPE, but at your own risk.

            • 3. Re: What is Jboss WS Native?
              Alessio Soldano Master

              He told me his WS doesn't use the Jboss WS Native. But after I deleted all the Jboss WS Native components such as the jbossws-native-xxx.jar, the ../deploy/jbossws.sar and ../deployer/jbossws.deployer, the WS doesn't work. And I got "java.lang.ClassNotFoundException: org.jboss.ws.core.jaxws.spi.ProviderImpl"

               

              I wonder how to determine if a WS uses Jboss WS Native or not.

               

               

              If the application server version you're using has the jbossws-native stack installed, any webservices app you deploy on the application server is using jbossws-native, unless you properly isolate the application and provide different webservices libraries in the deployment, so that the app can still work (but this is neither easy to do nor supported).

              As Jim mentioned, the security issue has been dealt with; make sure you're using the latest available EAP product version. Also consider switching to the JBossWS-CXF stack / EAP version.
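
One way to check at runtime which JAX-WS stack a deployment resolves, as an added example that is not part of the original thread: it runs the standard `javax.xml.ws.spi.Provider` lookup and reports the implementation class, the jar it was loaded from, and the classloader chains involved. The class name `WsStackCheck` is hypothetical; call `describe()` from inside the deployed application (for example from a servlet), since the result depends on that application's classloader.

```java
import java.security.CodeSource;
import javax.xml.ws.spi.Provider;

// Added diagnostic, not from the thread. WsStackCheck is a hypothetical name.
public final class WsStackCheck {
    // Provider class named in the ClassNotFoundException quoted in the thread.
    static final String NATIVE_PROVIDER = "org.jboss.ws.core.jaxws.spi.ProviderImpl";

    // Jar or directory a class was loaded from; a null code source means the JDK itself.
    static String origin(Class<?> c) {
        CodeSource src = c.getProtectionDomain().getCodeSource();
        return (src == null || src.getLocation() == null)
                ? "<JDK / unknown>" : src.getLocation().toString();
    }

    // Walks from the given loader up to the bootstrap loader.
    static String loaderChain(ClassLoader cl) {
        StringBuilder sb = new StringBuilder();
        for (; cl != null; cl = cl.getParent()) {
            sb.append("\n    ").append(cl);
        }
        return sb.append("\n    <bootstrap>").toString();
    }

    // Runs the same provider lookup that javax.xml.ws.Service and Endpoint use
    // for the calling thread, then reports where the implementation came from.
    public static String describe() {
        Class<?> impl;
        try {
            impl = Provider.provider().getClass();
        } catch (RuntimeException e) {
            // e.g. the configured provider class is no longer on the classpath
            return "No usable JAX-WS provider: " + e;
        }
        String name = impl.getName();
        return "provider class : " + name
             + "\nloaded from    : " + origin(impl)
             + "\nJBossWS-Native : " + NATIVE_PROVIDER.equals(name)
             + "\nprovider loader chain:" + loaderChain(impl.getClassLoader())
             + "\ncontext loader chain:"
             + loaderChain(Thread.currentThread().getContextClassLoader());
    }

    public static void main(String[] args) {
        System.out.println(describe());
    }
}
```

If the reported jar sits under the server's own directories rather than the WAR's WEB-INF/lib, the deployment is resolving the server's webservices stack and not libraries packaged with the application.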

              • 4. Re: What is Jboss WS Native?
                Thomas Chang Apprentice

                But I see my colleague has deleted the package "jbossws.sar" under /deploy/ and the "jbossws-framework.jar" under /jbossws.deployer. Is this enough to mean that his application doesn't use Jboss-WS-Native?

                 

                I think my colleague does use a separate classloader for loading his own jars. But it seems to still use some of the jbossws-native-xxx.jar.

                 

                Besides, we use maven for compiling and deploying. One can include all the non-jbossws jars as dependencies in the WAR. I see there is an advantage to this since the application is independent from Jboss and one can deploy this to other app-servers such as WebLogic. Right?