Re: [ebxmlms-general] spoofing to parties

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi,

> Is it possible to easily acertain the MSH that sent an ebxml message aside from the <From><PartyId> element in the message itself to confirm that the 'from' party hasn't been spoofed?  i.e., does the Request object ever get and store the URL of the MSH that sent the message using Socket.getInetAddress() or similar?  This might be a useful feature otherwise.

         I also agree with Ronald that to prevent spoofing, transport level 
authentication (e.g. client authentication) can be used so that the IP 
address of the sender is not restricted. We are currently reengineering 
Hermes to do this kind of authentication.

> The call to onMessage() in hk.hky.cecid.phoenix.message.handler.Request.run() (~line 288) is wrapped in a blanket "catch" statement that doesn't seem to report the errors it catches to any log. This makes it arbitrarily hard to know if something has gone wrong in any code that implements the MessageListener interface because if an exception occurs that you don't explicitly catch in your implementation of the interface, you'll never know it.

         Thanks. Actually, the exception caught is recorded to 
"exceptionMessage" variable and there is a method getExceptionMessage() 
(~line 340) to retrieve it. I just forget to invoke this method of this 
polling thread somewhere in Request in order to log the error. Modification 
will be made.

Regards,
CY

----------------------------------------------------------------------------
Ng Chi Yuen, CY.       cy...@ce...       http://www.cecid.hku.hk/
Technology Officer,
Centre for E-Commerce Infrastructure Development,
The University of Hong Kong
----------------------------------------------------------------------------