What about viewservlets? #2

Closed
JacquesLeRoux opened this issue Dec 22, 2024 · 5 comments

Comments

@JacquesLeRoux

Hi,

Thanks for your effort on maven-birt-artifacts, much appreciated. I have a question, no need to explain all here, it's already done at eclipse-birt/birt#863

I searched at https://github.com/search?q=repo%3Aeureka-bpo%2Fmaven-birt-artifacts%20%2FViewHandler&type=code to no avail. Am I missing something?

Thanks in advance

@eureka-bpo
Owner

Hello @JacquesLeRoux
viewservlets.jar has not been published as a separate artifact since 4.5.0, but is included as part of another artifact, org.eclipse.birt.report.viewer (mvnrepository, p2repository): it is located in the folder /birt/WEB-INF/lib/ inside the jar artifact.
In your project you can download the org.eclipse.birt.report.viewer artifact, extract viewservlets.jar and add viewservlets.jar to the classpath of your project. It sounds a little bit tricky, but is quite feasible.

@JacquesLeRoux
Author

Hi,

OK then, I'll try that :) Thanks!

@JacquesLeRoux
Author

Hi @eureka-bpo,

Adding these dependencies in OFBiz dependencies.gradle

    implementation 'org.eclipse.birt:org.eclipse.birt.report.viewer:4.9.0'
    implementation 'org.eclipse.birt:org.eclipse.birt.core:4.9.0'
    implementation 'org.eclipse.birt:org.eclipse.birt.report.engine:4.9.0'
    implementation 'org.eclipse.birt:org.eclipse.birt.report.model:4.9.0'

    implementation files('lib/viewservlets.jar')

I was almost able to compile but got an issue about AxisServlet:

    > Task :compileJava
    C:\projectsASF\Git\ofbiz-framework\plugins\birt\src\main\java\org\apache\ofbiz\birt\report\servlet\BirtViewerServlet.java:39: error: cannot access AxisServlet
    public class BirtViewerServlet extends ViewerServlet {
           ^
      class file for org.apache.axis.transport.http.AxisServlet not found
    1 error

With its Birt plugin, in the BirtViewerServlet class, OFBiz extends ViewerServlet, which itself depends on BirtSoapMessageDispatcherServlet.java, which extends AxisServlet.

Adding the implementation 'org.apache.axis:axis:1.4' dependency works.
Unfortunately we know axis:1.4 is far from safe:
https://mvnrepository.com/artifact/org.apache.axis/axis/1.4
https://security.snyk.io/package/maven/axis%3Aaxis/1.4
...

Following eclipse-birt/birt#625 (comment)
I tried to find a safe version of Axis 1.4, or something using Axis2, to no avail.
I notably looked into birt-runtime-4.9.0.zip and birt-runtime-4.13.0-20230302.zip

Do you know if there is a safe version of viewservlets.jar somewhere (i.e. not using Axis 1.4 or at least using a safe version of it)?

Thanks in advance for your possible help.
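
The nested-jar layout and the AxisServlet superclass described above can be checked directly on the artifact before viewservlets.jar goes on a classpath. This is an added example, not part of the original thread or of either project's code: it reads the nested jar out of the viewer artifact and reports every class whose superclass lives under a given package. The sample jar it builds and the `example/` class names are constructed.

```python
import io, struct, zipfile

NESTED = "birt/WEB-INF/lib/viewservlets.jar"                 # location given in the thread
AXIS_SERVLET = "org/apache/axis/transport/http/AxisServlet"  # class named in the compile error
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,  # payload bytes per
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}  # constant-pool tag (Utf8 varies)

def class_and_super(data):
    """Return (class, superclass) internal names parsed from raw .class bytes."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count, pool, pos, i = struct.unpack_from(">H", data, 8)[0], {}, 10, 1
    while i < count:
        tag = data[pos]
        if tag == 1:    # Utf8: u2 length, then the bytes
            n = struct.unpack_from(">H", data, pos + 1)[0]
            pool[i] = data[pos + 3:pos + 3 + n].decode("utf-8", "replace")
            pos += 3 + n
        else:
            if tag == 7:  # Class: index of the Utf8 entry holding its name
                pool[i] = struct.unpack_from(">H", data, pos + 1)[0]
            pos += 1 + CP_SIZES[tag]
            i += tag in (5, 6)  # long and double take two pool slots
        i += 1
    this_idx, super_idx = struct.unpack_from(">HH", data, pos + 2)  # skip access_flags
    return pool[pool[this_idx]], (pool[pool[super_idx]] if super_idx else None)

def audit_nested_jar(outer_jar, nested_path, package_prefix):
    """Map class -> superclass for nested-jar classes whose superclass is under package_prefix."""
    with zipfile.ZipFile(outer_jar) as outer:
        inner = zipfile.ZipFile(io.BytesIO(outer.read(nested_path)))  # KeyError if absent
    pairs = (class_and_super(inner.read(e)) for e in inner.namelist() if e.endswith(".class"))
    return {this: sup for this, sup in pairs if sup and sup.startswith(package_prefix)}

def build_sample_viewer_jar():
    """Constructed stand-in for the viewer artifact; 'example/' is a placeholder package."""
    def cls(this, sup):  # minimal .class: 4 pool entries, no fields or methods
        utf8 = lambda s: b"\x01" + struct.pack(">H", len(s)) + s.encode()
        return (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 5) + utf8(this) + b"\x07\x00\x01"
                + utf8(sup) + b"\x07\x00\x03" + struct.pack(">7H", 0x21, 2, 4, 0, 0, 0, 0))
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("example/SoapServlet.class", cls("example/SoapServlet", AXIS_SERVLET))
        z.writestr("example/Other.class", cls("example/Other", "java/lang/Object"))
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr(NESTED, inner.getvalue())
    return io.BytesIO(outer.getvalue())

if __name__ == "__main__":
    print(audit_nested_jar(build_sample_viewer_jar(), NESTED, "org/apache/axis/"))
```

Pointing `audit_nested_jar` at a downloaded viewer jar path instead of the constructed sample lists the classes that will force an Axis dependency onto the compile classpath.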

@eureka-bpo
Owner

> if there is a safe version of viewservlets.jar somewhere (ie not using Axis 1.4 or at least using a safe version of it) ?

No, the artifact from the latest version (Birt 4.18.0) also uses axis 1.4. The security problem is not the only problem related to the usage of an obsolete Axis version in Birt. Maybe it will change for the better in the future, who knows.

@JacquesLeRoux
Author

Thanks,

Hopefully yes, it's clearly a serious issue.
