Loading ...
Sorry, an error occurred while loading the content.
 

BUG! mod_perl and SOAP::Lite

Expand Messages
  • supertux1
    Hi, I think I ve found a bug in SOAP::Lite that prevents it from working under mod_perl. For this configuration, my mod_perl and apache version is 1.3.27 --
    Message 1 of 2 , Aug 5 1:19 PM
      Hi,

      I think I've found a bug in SOAP::Lite that prevents it from
      working under mod_perl.

      For this configuration, my mod_perl and apache version is
      1.3.27 -- the absolute latest at the time of this message.
      SOAP::Lite is .55

      Here is my soap server (soap3.cgi):

      #!/usr/bin/perl -w
      use SOAP::Transport::HTTP;
      SOAP::Transport::HTTP::CGI->dispatch_to(@INC)->handle;

      Here is the client:

      #!/usr/bin/perl -w

      use SOAP::Lite;

      my $soap = SOAP::Lite
      ->uri('https://127.0.0.1/UWDS/WSTest')
      ->proxy('https://127.0.0.1/basic/soap3.cgi')
      ->on_debug( sub { print @_; } );

      my $result = $soap->Test(data=>"Jeremy");

      unless ($result->fault) {
      print $result->result() . "\n";
      } else {
      print join ', ',
      $result->faultcode,
      $result->faultstring;
      }

      sub SOAP::Transport::HTTP::Client::get_basic_credentials {
      return 'TestUser1' => 'blah';
      }

      UWDS::Test is a module installed in the system, in @INC.

      The first few times it runs, it works fine:

      <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-
      ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-
      ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
      xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
      xmlns:xsd="http://www.w3.org/1999/XMLSchema"><SOAP-
      ENV:Body><namesp1:TestResponse
      xmlns:namesp1="https://wrath.doit.wisc.edu/UWDS/WSTest"><s-gensym3
      xsi:type="xsd:string">Hello World, Hello Jeremy</s-
      gensym3></namesp1:TestResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>
      Hello World, Hello Jeremy

      After 3-4 times it starts to fail:

      <?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-
      ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-
      ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
      xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
      xmlns:xsd="http://www.w3.org/1999/XMLSchema"><SOAP-ENV:Body><SOAP-
      ENV:Fault><faultcode xsi:type="xsd:string">SOAP-
      ENV:Client</faultcode><faultstring xsi:type="xsd:string">Denied
      access to method (Test) in class (UWDS::WSTest)
      at /usr/lib/perl5/site_perl/5.6.1/SOAP/Lite.pm line 2128, <DATA>
      line 422.
      </faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
      SOAP-ENV:Client, Denied access to method (Test) in class
      (UWDS::WSTest) at /usr/lib/perl5/site_perl/5.6.1/SOAP/Lite.pm line
      2128, <DATA> line 422.

      This occurs when the script is run under both mod_perl's
      Apache::PerlRun and Apache::Registry, but it works just fine
      when run as a plain old cgi. I even compiled Apache with
      --disable-rule=EXPAT as some have suggested, but that doesn't
      help.

      Any Ideas? Anyone?
    • Jeremy Scott
      Hi, thanks for the response... I actually ended up doing what you suggested but with a little bit of a twist. Dispatching to @INC is dangerous, but what I
      Message 2 of 2 , Aug 6 1:06 PM
        Hi, thanks for the response...

        I actually ended up doing what you
        suggested but with a little bit of a twist.

        Dispatching to @INC is dangerous, but what
        I didn't show was how I mitigate that with
        security checks.

        (I had thought that my extra code caused the
        bug, but it didn't so I left it out for clarity.)

        I had another server that uses the "on_action"
        handler to read $ENV{REMOTE_ADDR},
        $ENV{REMOTE_USER} or a certificate subject,
        and the called soapaction method.

        With these three pieces of information, a
        custom routine (in the on_action handler)
        does an authorization check against an LDAP
        server with custom application schema.
        (Is this user from ip allowed to run the method?)

        If they're not authorized, it dies with a soap fault.
        If they are, it goes ahead and dispatches.

        So what I did was turn my cgi into an Apache
        module by using Apache::SOAP as a template.
        I added the 'on_action' option to Apache::SOAP
        along with some other custom code and called it
        Apache::UWDS. Also, this runs over SSL and each
        client has an SSL certificate with a subject that
        represents their user name.

        Here's the config. Note the evil <Perl> tags.

        <Location "/cert">
        SSLVerifyClient require
        SSLOptions +StdEnvVars
        SetHandler perl-script
        PerlHandler Apache::UWDS
        <Perl>
        push @{ $Location{"/cert"}->{PerlSetVar}}, [
        dispatch_to => join(",",@INC) ];
        </Perl>
        </Location>


        So, now I have a secure and easy to administer
        webservice platform. All I do is install the perl
        modules I want people to access on the webservers,
        give them client certificates, and add an application
        entry to our LDAP server with the module::methods
        they're allowed to call and it's done. No messing with
        the webserver for new modules/new users! :)

        I ran this code last night, and it ran 300,000 soap
        calls without leaking memory/blowing up, crashing the
        LDAP server etc... I use ResourcePool for making the
        LDAP connections.



        > Luckily there is a very simple solution ... mod_soap
        > which is documented in the SOAP::Lite
        > pods (perldoc SOAP::Lite ... or
        > http://www.soaplite.com). This will register yoru
        > SOAP server
        > as a pure mod_perl handler and take care of the
        > dispatching for you. All you need to do is
        > configure the httpd.conf file to point in the right
        > direction.
        >
        > Also this means you won't have to/be able to do the
        > very scary and dangerous
        > ->dispatch_to(@INC) ...
        >
        > -Chris
        >


        __________________________________
        Do you Yahoo!?
        Yahoo! SiteBuilder - Free, easy-to-use web site design software
        http://sitebuilder.yahoo.com
      Your message has been successfully submitted and would be delivered to recipients shortly.