From b04b684a78fe57a1f1b08e51333179473aec53c2 Mon Sep 17 00:00:00 2001
From: apeiris <mapeiris@hotmail.com>
Date: Mon, 25 Aug 2025 10:08:07 -0400
Subject: [PATCH 1/5] Add secure property and XML retrieval endpoints to
 ApiResource

- Introduced /getPropertyList endpoint returning application properties as JSON.
- Introduced /getXml endpoint returning XML content filtered via XPath.
- Added HTTPS enforcement for non-localhost requests to prevent exposure of sensitive information.
- Implemented isLocalhost(Request) helper for local testing exceptions.
- Added XML parsing with XXE protection.
- Updated imports and cleaned up unused imports.
---
 .../cmd/processor/restapi/ApiResource.java    | 159 +++++++++++++++---
 1 file changed, 136 insertions(+), 23 deletions(-)

diff --git a/Server/src/main/java/org/openas2/cmd/processor/restapi/ApiResource.java b/Server/src/main/java/org/openas2/cmd/processor/restapi/ApiResource.java
index a5bf91a2..1d8b16d9 100644
--- a/Server/src/main/java/org/openas2/cmd/processor/restapi/ApiResource.java
+++ b/Server/src/main/java/org/openas2/cmd/processor/restapi/ApiResource.java
@@ -5,48 +5,69 @@
  */
 package org.openas2.cmd.processor.restapi;
 
+import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.SerializationFeature;
-import org.openas2.cert.AliasedCertificateFactory;
-import org.openas2.cert.CertificateFactory;
-import org.openas2.cmd.CommandResult;
-import org.openas2.cmd.processor.RestCommandProcessor;
 
 import jakarta.annotation.security.RolesAllowed;
 import jakarta.ws.rs.Consumes;
-
 import jakarta.ws.rs.DefaultValue;
-
-
+import jakarta.ws.rs.DELETE;
 import jakarta.ws.rs.GET;
+import jakarta.ws.rs.HEAD;
 import jakarta.ws.rs.Path;
-import jakarta.ws.rs.Produces;
-import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.PathParam;
 import jakarta.ws.rs.POST;
+import jakarta.ws.rs.Produces;
 import jakarta.ws.rs.PUT;
-import jakarta.ws.rs.DELETE;
-import jakarta.ws.rs.HEAD;
-
-
-import jakarta.ws.rs.PathParam;
-
+import jakarta.ws.rs.QueryParam;
 import jakarta.ws.rs.core.Context;
-
-import jakarta.ws.rs.core.MultivaluedMap;
-import jakarta.ws.rs.core.Request;
-import jakarta.ws.rs.core.Response;
 import jakarta.ws.rs.core.UriInfo;
+import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.MultivaluedMap;
+
 import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.StringWriter;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
+
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Base64;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
+import java.util.Map;
+
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.dom.DOMSource;
+import javax.xml.transform.stream.StreamResult;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathExpression;
+import javax.xml.xpath.XPathFactory;
+
+import org.glassfish.grizzly.http.server.Request;
+
+import org.openas2.cert.AliasedCertificateFactory;
+import org.openas2.cert.CertificateFactory;
+import org.openas2.cmd.CommandResult;
+import org.openas2.cmd.processor.RestCommandProcessor;
+import org.openas2.Session;
+import org.openas2.util.Properties;
+
 import org.slf4j.LoggerFactory;
 
+import org.w3c.dom.Document;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+
+
+
 /**
  * @author javier
  */
@@ -70,12 +91,11 @@ public static void setProcessor(RestCommandProcessor aProcessor) {
     private static RestCommandProcessor processor;
     @Context
     UriInfo ui;
-    @Context
     Request request;
     private final ObjectMapper mapper;
-    
+
     public ApiResource() {
-                
+
         mapper = new ObjectMapper();
         // enable pretty printing
         mapper.enable(SerializationFeature.INDENT_OUTPUT);
@@ -220,6 +240,99 @@ public Response headCommand(@PathParam("param") String command) {
         return Response.status(200).build();
     }
 
+    @GET
+    @RolesAllowed({"ADMIN"})
+    @Path("/getPropertyList")
+    @Produces(MediaType.APPLICATION_JSON)
+    public Response getPropertyList(@Context Request request) {
+        if (!request.isSecure() && !isLocalhost(request)) {
+            return Response.status(Response.Status.FORBIDDEN)
+                    .entity("{\"error\":\"SSL/TLS required\"}")
+                    .type(MediaType.APPLICATION_JSON)
+                    .build();
+        }
+        Map<String, String> result = new HashMap<>();
+        try {
+            result = (Map<String, String>) Properties.getProperties();
+        }catch(Exception ex) {
+            LoggerFactory.getLogger(ApiResource.class.getName()).error(ex.getMessage(), ex);
+            throw ex;
+        }
+        ObjectMapper om = new ObjectMapper();
+        try {
+            String js = om.writeValueAsString(result);
+            return Response.ok(js, MediaType.APPLICATION_JSON).build();
+        } catch (JsonProcessingException e) {
+            return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity("error").type(MediaType.APPLICATION_JSON).build();
+        }
+    }
+
+    @GET
+    @RolesAllowed({"ADMIN"})
+    @Path("/getXml")
+    @Produces({MediaType.APPLICATION_XML,MediaType.APPLICATION_JSON})
+    public Response getXml(@Context Request request, @QueryParam("filename") String filename, @QueryParam("xpath") String xpathExpression){
+
+        if (!request.isSecure() && !isLocalhost(request)) {
+            return Response.status(Response.Status.FORBIDDEN)
+                    .entity("{\"error\":\"SSL/TLS required\"}")
+                    .type(MediaType.APPLICATION_JSON)
+                    .build();
+        }
+
+        Session session = getProcessor().getSession();
+        String filePath = session.getBaseDirectory() + "/" + filename;
+        try {
+            NodeList nodeList = getNodes(filePath, xpathExpression);
+            DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+            Document resultDocument = db.newDocument();
+            for (int i = 0; i < nodeList.getLength(); i++) {
+                Node importedNode = resultDocument.importNode(nodeList.item(i), true);
+                resultDocument.appendChild(importedNode);
+            }
+            StringWriter stringWriter = new StringWriter();    // Convert the XML document to a string
+            TransformerFactory transformerFactory = TransformerFactory.newInstance();
+            Transformer transformer = transformerFactory.newTransformer();
+            transformer.transform(new DOMSource(resultDocument), new StreamResult(stringWriter));
+            String xmlContent = stringWriter.toString();
+            return Response.ok(xmlContent, MediaType.APPLICATION_XML).build();
+        } catch (Exception exception) {
+            return Response.serverError().entity("error").type(MediaType.APPLICATION_JSON).build();
+        }
+    }
+
+    private static boolean isLocalhost(Request request) {
+        boolean isLocalhost = request.getRemoteAddr().equals("127.0.0.1") || request.getRemoteAddr().equals("::1");
+        return isLocalhost;
+    }
+
+    private NodeList getNodes(String xmlFileName, String xpathExpression) {
+        NodeList nodeList = null;
+        try {
+            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+
+            // === XXE Protection ===
+            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+            dbf.setXIncludeAware(false);
+            dbf.setExpandEntityReferences(false);
+
+            DocumentBuilder db = dbf.newDocumentBuilder();
+            File file = new File(xmlFileName);
+            Document document = db.parse(file);
+
+            XPathExpression xPathExpr = XPathFactory.newInstance().newXPath().compile(xpathExpression);
+            nodeList = (NodeList) xPathExpr.evaluate(document, XPathConstants.NODESET);
+
+        } catch (Exception ex) {
+            LoggerFactory.getLogger(ApiResource.class.getName()).error("Error parsing XML file: " + xmlFileName, ex);
+            // return null on error
+        }
+        return nodeList;
+    }
+
     private CommandResult importCertificateByStream(String itemId, MultivaluedMap<String, String> formParams) throws Exception {
         try {
             List<String> params = new ArrayList<String>();
@@ -245,7 +358,7 @@ private CommandResult importCertificateByStream(String itemId, MultivaluedMap<St
         } catch (Exception ex) {
             LoggerFactory.getLogger(ApiResource.class.getName()).error(ex.getMessage(), ex);
             throw ex;
-            // return Response.status(506).entity( ex.getMessage()).build();
+
         }
     }
 

From 29635b18dad2b2af90e86880bceb3704646c19e1 Mon Sep 17 00:00:00 2001
From: apeiris <mapeiris@hotmail.com>
Date: Mon, 25 Aug 2025 10:39:06 -0400
Subject: [PATCH 2/5] Update XPath validation to allow * and common paths
 safely

---
 .../log-20250825.txt                          | 389 ++++++++++++++++++
 .../cmd/processor/restapi/ApiResource.java    |  30 +-
 2 files changed, 415 insertions(+), 4 deletions(-)
 create mode 100644 Server/OPENAS2_LOG_DIR_IS_UNDEFINED/log-20250825.txt

diff --git a/Server/OPENAS2_LOG_DIR_IS_UNDEFINED/log-20250825.txt b/Server/OPENAS2_LOG_DIR_IS_UNDEFINED/log-20250825.txt
new file mode 100644
index 00000000..bc54cf08
--- /dev/null
+++ b/Server/OPENAS2_LOG_DIR_IS_UNDEFINED/log-20250825.txt
@@ -0,0 +1,389 @@
+09:49:50.438 [main] INFO  org.openas2.app.OpenAS2Server -- Retrieving config file...
+09:49:50.810 [main] INFO  org.openas2.app.OpenAS2Server -- Using MANIFEST file:/D:/REPOS/apeiris/OpenAs2App/Server/target/dist/lib/openas2-server-4.6.0.jar!/META-INF/MANIFEST.MF
+09:49:50.871 [main] INFO  org.openas2.XMLSession -- Loading configuration...
+09:49:50.871 [main] INFO  org.openas2.XMLSession -- Loading properties...
+09:49:52.139 [main] INFO  org.openas2.util.XMLUtil -- Component node ignored as it is not enabled: {identifier=ssl_trust_certs, password=testas2, filename=D:\REPOS\apeiris\OpenAs2AppMyConfig/ssl_trust_certs.p12, classname=org.openas2.cert.PKCS12CertificateFactory, interval=300, enabled=false}
+09:49:52.176 [main] INFO  org.openas2.XMLSession -- Loading command processor(s)...
+09:49:52.190 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- RestCommandProcessor initialized...
+09:49:52.242 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- Creating and starting a new instance of grizzly http server
+09:49:52.242 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- Exposing the Jersey application at http://localhost:8080
+09:49:53.255 [main] INFO  org.openas2.XMLSession -- Loading processor nodes...
+09:49:53.335 [main] INFO  org.openas2.XMLSession -- Module is disabled ... ignoring: <module classname="org.openas2.processor.receiver.AS2ReceiverModule" enabled="$properties.module.AS2ReceiverModule.https.enabled$" errordir="$properties.storageBaseDir$/inbox/error" errorformat="sender.as2_id, receiver.as2_id, headers.message-id" port="$properties.module.AS2ReceiverModule.https.port$" protocol="https" ssl_keystore="$properties.ssl_keystore$" ssl_keystore_password="$properties.ssl_keystore_password$" ssl_protocol="TLS"/>
+09:49:53.339 [main] INFO  org.openas2.XMLSession -- Module is disabled ... ignoring: <module classname="org.openas2.processor.receiver.AS2MDNReceiverModule" enabled="$properties.module.AS2MDNReceiverModule.https.enabled$" port="$properties.module.AS2MDNReceiverModule.https.port$" protocol="https" ssl_keystore="$properties.ssl_keystore$" ssl_keystore_password="$properties.ssl_keystore_password$" ssl_protocol="TLS"/>
+09:49:53.345 [main] INFO  org.openas2.XMLSession -- Loading partnerships...
+09:49:53.443 [main] INFO  org.openas2.XMLSession -- Loading messages...
+09:49:53.445 [main] INFO  org.openas2.util.XMLUtil -- Component node ignored as it is not enabled: {filename=D:\REPOS\apeiris\OpenAs2AppMyConfig/messages.xml, classname=org.openas2.message.XMLMessageFactory, interval=120, enabled=false}
+09:49:53.452 [main] INFO  org.openas2.app.OpenAS2Server -- Shutdown hook registered.
+09:49:53.453 [main] INFO  org.openas2.app.OpenAS2Server -- Starting OpenAS2 Server v4.6.0...
+09:49:53.481 [main] INFO  EmbeddedDBHandler -- Using JDBC driver: org.h2.Driver
+09:49:53.761 [main] INFO  org.openas2.processor.DefaultProcessor -- DbTrackingModule started.
+09:49:53.779 [main] INFO  org.openas2.processor.DefaultProcessor -- AS2ReceiverModule started.
+09:49:53.783 [main] INFO  org.openas2.processor.DefaultProcessor -- AS2MDNReceiverModule started.
+09:49:53.794 [main] INFO  org.openas2.processor.DefaultProcessor -- DirectoryResenderModule started.
+09:49:53.796 [main] INFO  org.openas2.processor.DefaultProcessor -- HealthCheckModule started.
+09:49:53.797 [main] INFO  org.openas2.processor.DefaultProcessor -- 5 active module(s) started.
+09:49:53.799 [main] INFO  org.openas2.app.OpenAS2Server -- OpenAS2 Server v4.6.0 started.
+09:52:25.023 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- DbTrackingModule stopped.
+09:52:25.020 [SchedulerComponent-Thread-1] ERROR org.openas2.cmd.processor.BaseCommandProcessor -- Cannot invoke "String.trim()" because the return value of "java.io.BufferedReader.readLine()" is null
+java.lang.NullPointerException: Cannot invoke "String.trim()" because the return value of "java.io.BufferedReader.readLine()" is null
+	at org.openas2.cmd.processor.StreamCommandProcessor.readLine(StreamCommandProcessor.java:107)
+	at org.openas2.cmd.processor.StreamCommandProcessor.processCommand(StreamCommandProcessor.java:49)
+	at org.openas2.cmd.processor.BaseCommandProcessor$1.call(BaseCommandProcessor.java:96)
+	at org.openas2.cmd.processor.BaseCommandProcessor$1.call(BaseCommandProcessor.java:91)
+	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
+	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
+	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
+	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
+	at java.base/java.lang.Thread.run(Thread.java:842)
+09:52:25.023 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- AS2ReceiverModule stopped.
+09:52:25.023 [HTTPServerThread (0.0.0.0:10080)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
+java.net.SocketException: Socket closed
+	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
+	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
+	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
+	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
+	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
+09:52:25.025 [HTTPServerThread (0.0.0.0:10081)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
+java.net.SocketException: Socket closed
+	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
+	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
+	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
+	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
+	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
+09:52:25.026 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- AS2MDNReceiverModule stopped.
+09:52:25.027 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- DirectoryResenderModule stopped.
+09:52:25.028 [HTTPServerThread (localhost:10099)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
+java.net.SocketException: Socket closed
+	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
+	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
+	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
+	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
+	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
+09:52:25.028 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- HealthCheckModule stopped.
+09:52:25.029 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- 5 active module(s) stopped.
+09:52:25.029 [Thread-0] INFO  org.openas2.app.OpenAS2Server -- OpenAS2 has shut down
+
+09:53:06.483 [main] INFO  org.openas2.app.OpenAS2Server -- Retrieving config file...
+09:53:06.815 [main] INFO  org.openas2.app.OpenAS2Server -- Using MANIFEST file:/D:/REPOS/apeiris/OpenAs2App/Server/target/dist/lib/openas2-server-4.6.0.jar!/META-INF/MANIFEST.MF
+09:53:06.873 [main] INFO  org.openas2.XMLSession -- Loading configuration...org.openas2.lib.xml.PropertyReplacementFilter@51dcb805
+09:53:06.875 [main] INFO  org.openas2.XMLSession -- Loading properties...
+09:53:08.136 [main] INFO  org.openas2.util.XMLUtil -- Component node ignored as it is not enabled: {identifier=ssl_trust_certs, password=testas2, filename=D:\REPOS\apeiris\OpenAs2AppMyConfig/ssl_trust_certs.p12, classname=org.openas2.cert.PKCS12CertificateFactory, interval=300, enabled=false}
+09:53:08.164 [main] INFO  org.openas2.XMLSession -- Loading command processor(s)...
+09:53:08.180 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- RestCommandProcessor initialized...
+09:53:08.233 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- Creating and starting a new instance of grizzly http server
+09:53:08.233 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- Exposing the Jersey application at http://localhost:8080
+09:53:09.201 [main] INFO  org.openas2.XMLSession -- Loading processor nodes...
+09:53:09.272 [main] INFO  org.openas2.XMLSession -- Module is disabled ... ignoring: <module classname="org.openas2.processor.receiver.AS2ReceiverModule" enabled="$properties.module.AS2ReceiverModule.https.enabled$" errordir="$properties.storageBaseDir$/inbox/error" errorformat="sender.as2_id, receiver.as2_id, headers.message-id" port="$properties.module.AS2ReceiverModule.https.port$" protocol="https" ssl_keystore="$properties.ssl_keystore$" ssl_keystore_password="$properties.ssl_keystore_password$" ssl_protocol="TLS"/>
+09:53:09.275 [main] INFO  org.openas2.XMLSession -- Module is disabled ... ignoring: <module classname="org.openas2.processor.receiver.AS2MDNReceiverModule" enabled="$properties.module.AS2MDNReceiverModule.https.enabled$" port="$properties.module.AS2MDNReceiverModule.https.port$" protocol="https" ssl_keystore="$properties.ssl_keystore$" ssl_keystore_password="$properties.ssl_keystore_password$" ssl_protocol="TLS"/>
+09:53:09.281 [main] INFO  org.openas2.XMLSession -- Loading partnerships...
+09:53:09.361 [main] INFO  org.openas2.XMLSession -- Loading messages...
+09:53:09.363 [main] INFO  org.openas2.util.XMLUtil -- Component node ignored as it is not enabled: {filename=D:\REPOS\apeiris\OpenAs2AppMyConfig/messages.xml, classname=org.openas2.message.XMLMessageFactory, interval=120, enabled=false}
+09:53:09.371 [main] INFO  org.openas2.app.OpenAS2Server -- Shutdown hook registered.
+09:53:09.372 [main] INFO  org.openas2.app.OpenAS2Server -- Starting OpenAS2 Server v4.6.0...
+09:53:09.398 [main] INFO  EmbeddedDBHandler -- Using JDBC driver: org.h2.Driver
+09:53:09.630 [main] INFO  org.openas2.processor.DefaultProcessor -- DbTrackingModule started.
+09:53:09.640 [main] INFO  org.openas2.processor.DefaultProcessor -- AS2ReceiverModule started.
+09:53:09.644 [main] INFO  org.openas2.processor.DefaultProcessor -- AS2MDNReceiverModule started.
+09:53:09.648 [main] INFO  org.openas2.processor.DefaultProcessor -- DirectoryResenderModule started.
+09:53:09.650 [main] INFO  org.openas2.processor.DefaultProcessor -- HealthCheckModule started.
+09:53:09.650 [main] INFO  org.openas2.processor.DefaultProcessor -- 5 active module(s) started.
+09:53:09.651 [main] INFO  org.openas2.app.OpenAS2Server -- OpenAS2 Server v4.6.0 started.
+09:55:27.922 [SchedulerComponent-Thread-1] INFO  org.openas2.cmd.processor.RestCommandProcessor -- RestCommandProcessor destroyed...
+09:55:27.943 [SchedulerComponent-Thread-1] INFO  org.openas2.processor.DefaultProcessor -- DbTrackingModule stopped.
+09:55:27.945 [HTTPServerThread (0.0.0.0:10080)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
+java.net.SocketException: Socket closed
+	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
+	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
+	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
+	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
+	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
+09:55:27.945 [SchedulerComponent-Thread-1] INFO  org.openas2.processor.DefaultProcessor -- AS2ReceiverModule stopped.
+09:55:27.971 [HTTPServerThread (0.0.0.0:10081)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
+java.net.SocketException: Socket closed
+	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
+	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
+	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
+	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
+	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
+09:55:27.970 [SchedulerComponent-Thread-1] INFO  org.openas2.processor.DefaultProcessor -- AS2MDNReceiverModule stopped.
+09:55:28.017 [SchedulerComponent-Thread-1] INFO  org.openas2.processor.DefaultProcessor -- DirectoryResenderModule stopped.
+09:55:28.018 [HTTPServerThread (localhost:10099)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
+java.net.SocketException: Socket closed
+	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
+	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
+	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
+	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
+	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
+09:55:28.019 [SchedulerComponent-Thread-1] INFO  org.openas2.processor.DefaultProcessor -- HealthCheckModule stopped.
+09:55:28.020 [SchedulerComponent-Thread-1] INFO  org.openas2.processor.DefaultProcessor -- 5 active module(s) stopped.
+09:55:28.049 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- DbTrackingModule stopped.
+09:55:28.050 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- 1 active module(s) stopped.
+09:55:28.050 [Thread-0] INFO  org.openas2.app.OpenAS2Server -- OpenAS2 has shut down
+
+09:56:13.560 [main] INFO  org.openas2.app.OpenAS2Server -- Retrieving config file...
+09:56:13.898 [main] INFO  org.openas2.app.OpenAS2Server -- Using MANIFEST file:/D:/REPOS/apeiris/OpenAs2App/Server/target/dist/lib/openas2-server-4.6.0.jar!/META-INF/MANIFEST.MF
+09:56:13.946 [main] INFO  org.openas2.XMLSession -- Loading configuration...D:\REPOS\apeiris\OpenAs2AppMyConfig
+09:56:13.947 [main] INFO  org.openas2.XMLSession -- Loading properties...
+09:56:15.170 [main] INFO  org.openas2.util.XMLUtil -- Component node ignored as it is not enabled: {identifier=ssl_trust_certs, password=testas2, filename=D:\REPOS\apeiris\OpenAs2AppMyConfig/ssl_trust_certs.p12, classname=org.openas2.cert.PKCS12CertificateFactory, interval=300, enabled=false}
+09:56:15.199 [main] INFO  org.openas2.XMLSession -- Loading command processor(s)...
+09:56:15.214 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- RestCommandProcessor initialized...
+09:56:15.264 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- Creating and starting a new instance of grizzly http server
+09:56:15.264 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- Exposing the Jersey application at http://localhost:8080
+09:56:16.212 [main] INFO  org.openas2.XMLSession -- Loading processor nodes...
+09:56:16.285 [main] INFO  org.openas2.XMLSession -- Module is disabled ... ignoring: <module classname="org.openas2.processor.receiver.AS2ReceiverModule" enabled="$properties.module.AS2ReceiverModule.https.enabled$" errordir="$properties.storageBaseDir$/inbox/error" errorformat="sender.as2_id, receiver.as2_id, headers.message-id" port="$properties.module.AS2ReceiverModule.https.port$" protocol="https" ssl_keystore="$properties.ssl_keystore$" ssl_keystore_password="$properties.ssl_keystore_password$" ssl_protocol="TLS"/>
+09:56:16.288 [main] INFO  org.openas2.XMLSession -- Module is disabled ... ignoring: <module classname="org.openas2.processor.receiver.AS2MDNReceiverModule" enabled="$properties.module.AS2MDNReceiverModule.https.enabled$" port="$properties.module.AS2MDNReceiverModule.https.port$" protocol="https" ssl_keystore="$properties.ssl_keystore$" ssl_keystore_password="$properties.ssl_keystore_password$" ssl_protocol="TLS"/>
+09:56:16.293 [main] INFO  org.openas2.XMLSession -- Loading partnerships...
+09:56:16.368 [main] INFO  org.openas2.XMLSession -- Loading messages...
+09:56:16.369 [main] INFO  org.openas2.util.XMLUtil -- Component node ignored as it is not enabled: {filename=D:\REPOS\apeiris\OpenAs2AppMyConfig/messages.xml, classname=org.openas2.message.XMLMessageFactory, interval=120, enabled=false}
+09:56:16.375 [main] INFO  org.openas2.app.OpenAS2Server -- Shutdown hook registered.
+09:56:16.376 [main] INFO  org.openas2.app.OpenAS2Server -- Starting OpenAS2 Server v4.6.0...
+09:56:16.404 [main] INFO  EmbeddedDBHandler -- Using JDBC driver: org.h2.Driver
+09:56:16.632 [main] INFO  org.openas2.processor.DefaultProcessor -- DbTrackingModule started.
+09:56:16.645 [main] INFO  org.openas2.processor.DefaultProcessor -- AS2ReceiverModule started.
+09:56:16.646 [main] INFO  org.openas2.processor.DefaultProcessor -- AS2MDNReceiverModule started.
+09:56:16.648 [main] INFO  org.openas2.processor.DefaultProcessor -- DirectoryResenderModule started.
+09:56:16.651 [main] INFO  org.openas2.processor.DefaultProcessor -- HealthCheckModule started.
+09:56:16.654 [main] INFO  org.openas2.processor.DefaultProcessor -- 5 active module(s) started.
+09:56:16.657 [main] INFO  org.openas2.app.OpenAS2Server -- OpenAS2 Server v4.6.0 started.
+09:57:07.743 [grizzly-http-server-0] INFO  o.openas2.cmd.processor.restapi.AuthenticationRequestFilter -- Username: userID
+09:57:07.955 [grizzly-http-server-0] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Request: POST /api/v2/WriteToConsole/==================================================================
+09:57:08.025 [grizzly-http-server-0] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Response: 200{Content-Type=[application/json]}
+09:57:08.415 [pool-4-thread-1] INFO  org.openas2.processor.receiver.AS2ReceiverHandler -- received 4790 bytes in 0.9 seconds at 519.766 KBps 0:0:0:0:0:0:0:1 52269 [<AS2_095708Mon.>]
+09:57:08.625 [pool-4-thread-1] INFO  org.openas2.processor.storage.MessageFileModule -- stored message to D:\REPOS\apeiris\OpenAs2AppMyConfig\..\data\MyCompany_OID-PartnerA_OID\inbox\AS2_095708Mon. [<AS2_095708Mon.>]
+09:57:08.628 [pool-4-thread-1] INFO  org.openas2.processor.storage.MessageFileModule -- stored headers to D:\REPOS\apeiris\OpenAs2AppMyConfig\..\data\MyCompany_OID-PartnerA_OID\msgheaders\2025-08-25\AS2_095708Mon. [<AS2_095708Mon.>]
+09:57:08.920 [pool-4-thread-1] INFO  org.openas2.processor.sender.MDNSenderModule -- sent MDN [automatic-action/mdn-sent-automatically; processed] [<AS2_095708Mon.>]
+10:03:16.708 [SchedulerComponent-Thread-1] INFO  org.openas2.cmd.processor.RestCommandProcessor -- RestCommandProcessor destroyed...
+10:03:16.710 [SchedulerComponent-Thread-1] INFO  org.openas2.processor.DefaultProcessor -- DbTrackingModule stopped.
+10:03:16.711 [SchedulerComponent-Thread-1] INFO  org.openas2.processor.DefaultProcessor -- AS2ReceiverModule stopped.
+10:03:16.711 [HTTPServerThread (0.0.0.0:10080)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
+java.net.SocketException: Socket closed
+	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
+	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
+	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
+	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
+	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
+10:03:16.714 [SchedulerComponent-Thread-1] INFO  org.openas2.processor.DefaultProcessor -- AS2MDNReceiverModule stopped.
+10:03:16.714 [HTTPServerThread (0.0.0.0:10081)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
+java.net.SocketException: Socket closed
+	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
+	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
+	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
+	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
+	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
+10:03:16.720 [SchedulerComponent-Thread-1] INFO  org.openas2.processor.DefaultProcessor -- DirectoryResenderModule stopped.
+10:03:16.721 [HTTPServerThread (localhost:10099)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
+java.net.SocketException: Socket closed
+	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
+	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
+	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
+	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
+	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
+10:03:16.721 [SchedulerComponent-Thread-1] INFO  org.openas2.processor.DefaultProcessor -- HealthCheckModule stopped.
+10:03:16.725 [SchedulerComponent-Thread-1] INFO  org.openas2.processor.DefaultProcessor -- 5 active module(s) stopped.
+10:03:16.746 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- DbTrackingModule stopped.
+10:03:16.748 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- 1 active module(s) stopped.
+10:03:16.749 [Thread-0] INFO  org.openas2.app.OpenAS2Server -- OpenAS2 has shut down
+
+10:28:45.937 [main] INFO  org.openas2.app.OpenAS2Server -- Retrieving config file...
+10:28:46.318 [main] INFO  org.openas2.app.OpenAS2Server -- Using MANIFEST file:/D:/REPOS/apeiris/OpenAs2App/Server/target/dist/lib/openas2-server-4.6.0.jar!/META-INF/MANIFEST.MF
+10:28:46.382 [main] INFO  org.openas2.XMLSession -- Loading configuration...
+10:28:46.382 [main] INFO  org.openas2.XMLSession -- Loading properties...
+10:28:47.833 [main] INFO  org.openas2.util.XMLUtil -- Component node ignored as it is not enabled: {identifier=ssl_trust_certs, password=testas2, filename=D:\REPOS\apeiris\OpenAs2AppMyConfig/ssl_trust_certs.p12, classname=org.openas2.cert.PKCS12CertificateFactory, interval=300, enabled=false}
+10:28:47.861 [main] INFO  org.openas2.XMLSession -- Loading command processor(s)...
+10:28:47.884 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- RestCommandProcessor initialized...
+10:28:47.976 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- Creating and starting a new instance of grizzly http server
+10:28:47.982 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- Exposing the Jersey application at http://localhost:8080
+10:28:49.051 [main] INFO  org.openas2.XMLSession -- Loading processor nodes...
+10:28:49.121 [main] INFO  org.openas2.XMLSession -- Module is disabled ... ignoring: <module classname="org.openas2.processor.receiver.AS2ReceiverModule" enabled="$properties.module.AS2ReceiverModule.https.enabled$" errordir="$properties.storageBaseDir$/inbox/error" errorformat="sender.as2_id, receiver.as2_id, headers.message-id" port="$properties.module.AS2ReceiverModule.https.port$" protocol="https" ssl_keystore="$properties.ssl_keystore$" ssl_keystore_password="$properties.ssl_keystore_password$" ssl_protocol="TLS"/>
+10:28:49.123 [main] INFO  org.openas2.XMLSession -- Module is disabled ... ignoring: <module classname="org.openas2.processor.receiver.AS2MDNReceiverModule" enabled="$properties.module.AS2MDNReceiverModule.https.enabled$" port="$properties.module.AS2MDNReceiverModule.https.port$" protocol="https" ssl_keystore="$properties.ssl_keystore$" ssl_keystore_password="$properties.ssl_keystore_password$" ssl_protocol="TLS"/>
+10:28:49.127 [main] INFO  org.openas2.XMLSession -- Loading partnerships...
+10:28:49.218 [main] INFO  org.openas2.XMLSession -- Loading messages...
+10:28:49.219 [main] INFO  org.openas2.util.XMLUtil -- Component node ignored as it is not enabled: {filename=D:\REPOS\apeiris\OpenAs2AppMyConfig/messages.xml, classname=org.openas2.message.XMLMessageFactory, interval=120, enabled=false}
+10:28:49.227 [main] INFO  org.openas2.app.OpenAS2Server -- Shutdown hook registered.
+10:28:49.228 [main] INFO  org.openas2.app.OpenAS2Server -- Starting OpenAS2 Server v4.6.0...
+10:28:49.271 [main] INFO  EmbeddedDBHandler -- Using JDBC driver: org.h2.Driver
+10:28:49.523 [main] INFO  org.openas2.processor.DefaultProcessor -- DbTrackingModule started.
+10:28:49.534 [main] INFO  org.openas2.processor.DefaultProcessor -- AS2ReceiverModule started.
+10:28:49.535 [main] INFO  org.openas2.processor.DefaultProcessor -- AS2MDNReceiverModule started.
+10:28:49.536 [main] INFO  org.openas2.processor.DefaultProcessor -- DirectoryResenderModule started.
+10:28:49.537 [main] INFO  org.openas2.processor.DefaultProcessor -- HealthCheckModule started.
+10:28:49.539 [main] INFO  org.openas2.processor.DefaultProcessor -- 5 active module(s) started.
+10:28:49.542 [main] INFO  org.openas2.app.OpenAS2Server -- OpenAS2 Server v4.6.0 started.
+10:29:01.082 [grizzly-http-server-0] INFO  o.openas2.cmd.processor.restapi.AuthenticationRequestFilter -- Username: userID
+10:29:01.362 [grizzly-http-server-0] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Request: GET /api/getPropertyList
+10:29:01.441 [grizzly-http-server-0] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Response: 200{Content-Type=[application/json]}
+10:29:01.477 [pool-5-thread-1] INFO  org.openas2.processor.receiver.AS2MDNReceiverHandler -- Incoming connection [ 127.0.0.1 52896]
+10:29:01.483 [pool-5-thread-1] INFO  org.openas2.processor.receiver.AS2MDNReceiverHandler -- Healthcheck ping detected [ 127.0.0.1 52896] [null]
+10:29:06.752 [grizzly-http-server-1] INFO  o.openas2.cmd.processor.restapi.AuthenticationRequestFilter -- Username: userID
+10:29:06.753 [grizzly-http-server-1] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Request: GET /api/getXml
+10:29:06.755 [grizzly-http-server-1] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Response: 400{Content-Type=[application/json]}
+10:30:33.883 [grizzly-http-server-2] INFO  o.openas2.cmd.processor.restapi.AuthenticationRequestFilter -- Username: userID
+10:30:33.886 [grizzly-http-server-2] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Request: GET /api/getPropertyList
+10:30:33.889 [grizzly-http-server-2] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Response: 200{Content-Type=[application/json]}
+10:30:33.893 [pool-5-thread-2] INFO  org.openas2.processor.receiver.AS2MDNReceiverHandler -- Incoming connection [ 127.0.0.1 52922]
+10:30:33.896 [pool-5-thread-2] INFO  org.openas2.processor.receiver.AS2MDNReceiverHandler -- Healthcheck ping detected [ 127.0.0.1 52922] [null]
+10:33:17.448 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- DbTrackingModule stopped.
+10:33:17.446 [SchedulerComponent-Thread-1] ERROR org.openas2.cmd.processor.BaseCommandProcessor -- Cannot invoke "String.trim()" because the return value of "java.io.BufferedReader.readLine()" is null
+java.lang.NullPointerException: Cannot invoke "String.trim()" because the return value of "java.io.BufferedReader.readLine()" is null
+	at org.openas2.cmd.processor.StreamCommandProcessor.readLine(StreamCommandProcessor.java:107)
+	at org.openas2.cmd.processor.StreamCommandProcessor.processCommand(StreamCommandProcessor.java:49)
+	at org.openas2.cmd.processor.BaseCommandProcessor$1.call(BaseCommandProcessor.java:96)
+	at org.openas2.cmd.processor.BaseCommandProcessor$1.call(BaseCommandProcessor.java:91)
+	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
+	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
+	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
+	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
+	at java.base/java.lang.Thread.run(Thread.java:842)
+10:33:17.450 [HTTPServerThread (0.0.0.0:10080)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
+java.net.SocketException: Socket closed
+	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
+	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
+	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
+	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
+	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
+10:33:17.450 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- AS2ReceiverModule stopped.
+10:33:17.455 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- AS2MDNReceiverModule stopped.
+10:33:17.455 [HTTPServerThread (0.0.0.0:10081)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
+java.net.SocketException: Socket closed
+	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
+	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
+	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
+	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
+	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
+10:33:17.455 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- DirectoryResenderModule stopped.
+10:33:17.456 [HTTPServerThread (localhost:10099)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
+java.net.SocketException: Socket closed
+	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
+	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
+	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
+	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
+	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
+10:33:17.456 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- HealthCheckModule stopped.
+10:33:17.499 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- 5 active module(s) stopped.
+10:33:17.500 [Thread-0] INFO  org.openas2.app.OpenAS2Server -- OpenAS2 has shut down
+
+10:33:58.184 [main] INFO  org.openas2.app.OpenAS2Server -- Retrieving config file...
+10:33:58.537 [main] INFO  org.openas2.app.OpenAS2Server -- Using MANIFEST file:/D:/REPOS/apeiris/OpenAs2App/Server/target/dist/lib/openas2-server-4.6.0.jar!/META-INF/MANIFEST.MF
+10:33:58.580 [main] INFO  org.openas2.XMLSession -- Loading configuration...
+10:33:58.581 [main] INFO  org.openas2.XMLSession -- Loading properties...
+10:33:59.988 [main] INFO  org.openas2.util.XMLUtil -- Component node ignored as it is not enabled: {identifier=ssl_trust_certs, password=testas2, filename=D:\REPOS\apeiris\OpenAs2AppMyConfig/ssl_trust_certs.p12, classname=org.openas2.cert.PKCS12CertificateFactory, interval=300, enabled=false}
+10:34:00.026 [main] INFO  org.openas2.XMLSession -- Loading command processor(s)...
+10:34:00.046 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- RestCommandProcessor initialized...
+10:34:00.106 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- Creating and starting a new instance of grizzly http server
+10:34:00.106 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- Exposing the Jersey application at http://localhost:8080
+10:34:01.241 [main] INFO  org.openas2.XMLSession -- Loading processor nodes...
+10:34:01.337 [main] INFO  org.openas2.XMLSession -- Module is disabled ... ignoring: <module classname="org.openas2.processor.receiver.AS2ReceiverModule" enabled="$properties.module.AS2ReceiverModule.https.enabled$" errordir="$properties.storageBaseDir$/inbox/error" errorformat="sender.as2_id, receiver.as2_id, headers.message-id" port="$properties.module.AS2ReceiverModule.https.port$" protocol="https" ssl_keystore="$properties.ssl_keystore$" ssl_keystore_password="$properties.ssl_keystore_password$" ssl_protocol="TLS"/>
+10:34:01.342 [main] INFO  org.openas2.XMLSession -- Module is disabled ... ignoring: <module classname="org.openas2.processor.receiver.AS2MDNReceiverModule" enabled="$properties.module.AS2MDNReceiverModule.https.enabled$" port="$properties.module.AS2MDNReceiverModule.https.port$" protocol="https" ssl_keystore="$properties.ssl_keystore$" ssl_keystore_password="$properties.ssl_keystore_password$" ssl_protocol="TLS"/>
+10:34:01.351 [main] INFO  org.openas2.XMLSession -- Loading partnerships...
+10:34:01.480 [main] INFO  org.openas2.XMLSession -- Loading messages...
+10:34:01.481 [main] INFO  org.openas2.util.XMLUtil -- Component node ignored as it is not enabled: {filename=D:\REPOS\apeiris\OpenAs2AppMyConfig/messages.xml, classname=org.openas2.message.XMLMessageFactory, interval=120, enabled=false}
+10:34:01.488 [main] INFO  org.openas2.app.OpenAS2Server -- Shutdown hook registered.
+10:34:01.489 [main] INFO  org.openas2.app.OpenAS2Server -- Starting OpenAS2 Server v4.6.0...
+10:34:01.515 [main] INFO  EmbeddedDBHandler -- Using JDBC driver: org.h2.Driver
+10:34:01.760 [main] INFO  org.openas2.processor.DefaultProcessor -- DbTrackingModule started.
+10:34:01.772 [main] INFO  org.openas2.processor.DefaultProcessor -- AS2ReceiverModule started.
+10:34:01.775 [main] INFO  org.openas2.processor.DefaultProcessor -- AS2MDNReceiverModule started.
+10:34:01.776 [main] INFO  org.openas2.processor.DefaultProcessor -- DirectoryResenderModule started.
+10:34:01.777 [main] INFO  org.openas2.processor.DefaultProcessor -- HealthCheckModule started.
+10:34:01.778 [main] INFO  org.openas2.processor.DefaultProcessor -- 5 active module(s) started.
+10:34:01.780 [main] INFO  org.openas2.app.OpenAS2Server -- OpenAS2 Server v4.6.0 started.
+10:34:17.982 [grizzly-http-server-0] INFO  o.openas2.cmd.processor.restapi.AuthenticationRequestFilter -- Username: userID
+10:34:18.220 [grizzly-http-server-0] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Request: GET /api/getPropertyList
+10:34:18.290 [pool-5-thread-1] INFO  org.openas2.processor.receiver.AS2MDNReceiverHandler -- Incoming connection [ 127.0.0.1 53008]
+10:34:18.292 [pool-5-thread-1] INFO  org.openas2.processor.receiver.AS2MDNReceiverHandler -- Healthcheck ping detected [ 127.0.0.1 53008] [null]
+10:34:18.295 [grizzly-http-server-0] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Response: 200{Content-Type=[application/json]}
+10:34:20.503 [grizzly-http-server-1] INFO  o.openas2.cmd.processor.restapi.AuthenticationRequestFilter -- Username: userID
+10:34:20.504 [grizzly-http-server-1] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Request: GET /api/getXml
+10:34:20.521 [grizzly-http-server-1] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Response: 200{Content-Type=[application/xml]}
+10:34:36.744 [grizzly-http-server-2] INFO  o.openas2.cmd.processor.restapi.AuthenticationRequestFilter -- Username: userID
+10:34:36.752 [grizzly-http-server-2] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Request: POST /api/v2/WriteToConsole/==================================================================
+10:34:36.812 [grizzly-http-server-2] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Response: 200{Content-Type=[application/json]}
+10:34:37.460 [pool-4-thread-1] INFO  org.openas2.processor.receiver.AS2ReceiverHandler -- received 4790 bytes in 0.1 seconds at 4.581 MBps 0:0:0:0:0:0:0:1 53018 [<AS2_103437Mon.>]
+10:34:37.670 [pool-4-thread-1] INFO  org.openas2.processor.storage.MessageFileModule -- stored message to D:\REPOS\apeiris\OpenAs2AppMyConfig\..\data\MyCompany_OID-PartnerA_OID\inbox\AS2_103437Mon. [<AS2_103437Mon.>]
+10:34:37.681 [pool-4-thread-1] INFO  org.openas2.processor.storage.MessageFileModule -- stored headers to D:\REPOS\apeiris\OpenAs2AppMyConfig\..\data\MyCompany_OID-PartnerA_OID\msgheaders\2025-08-25\AS2_103437Mon. [<AS2_103437Mon.>]
+10:34:38.050 [pool-4-thread-1] INFO  org.openas2.processor.sender.MDNSenderModule -- sent MDN [automatic-action/mdn-sent-automatically; processed] [<AS2_103437Mon.>]
+10:36:19.533 [SchedulerComponent-Thread-1] ERROR org.openas2.cmd.processor.BaseCommandProcessor -- Cannot invoke "String.trim()" because the return value of "java.io.BufferedReader.readLine()" is null
+java.lang.NullPointerException: Cannot invoke "String.trim()" because the return value of "java.io.BufferedReader.readLine()" is null
+	at org.openas2.cmd.processor.StreamCommandProcessor.readLine(StreamCommandProcessor.java:107)
+	at org.openas2.cmd.processor.StreamCommandProcessor.processCommand(StreamCommandProcessor.java:49)
+	at org.openas2.cmd.processor.BaseCommandProcessor$1.call(BaseCommandProcessor.java:96)
+	at org.openas2.cmd.processor.BaseCommandProcessor$1.call(BaseCommandProcessor.java:91)
+	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
+	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
+	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
+	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
+	at java.base/java.lang.Thread.run(Thread.java:842)
+10:36:19.538 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- DbTrackingModule stopped.
+10:36:19.566 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- AS2ReceiverModule stopped.
+10:36:19.567 [HTTPServerThread (0.0.0.0:10080)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
+java.net.SocketException: Socket closed
+	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
+	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
+	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
+	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
+	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
+10:36:19.568 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- AS2MDNReceiverModule stopped.
+10:36:19.568 [HTTPServerThread (0.0.0.0:10081)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
+java.net.SocketException: Socket closed
+	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
+	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
+	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
+	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
+	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
+10:36:19.573 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- DirectoryResenderModule stopped.
+10:36:19.580 [HTTPServerThread (localhost:10099)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
+java.net.SocketException: Socket closed
+	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
+	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
+	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
+	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
+	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
+	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
+10:36:19.580 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- HealthCheckModule stopped.
+10:36:19.582 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- 5 active module(s) stopped.
+10:36:19.590 [Thread-0] INFO  org.openas2.app.OpenAS2Server -- OpenAS2 has shut down
+
diff --git a/Server/src/main/java/org/openas2/cmd/processor/restapi/ApiResource.java b/Server/src/main/java/org/openas2/cmd/processor/restapi/ApiResource.java
index 1d8b16d9..be687e8e 100644
--- a/Server/src/main/java/org/openas2/cmd/processor/restapi/ApiResource.java
+++ b/Server/src/main/java/org/openas2/cmd/processor/restapi/ApiResource.java
@@ -270,8 +270,10 @@ public Response getPropertyList(@Context Request request) {
     @GET
     @RolesAllowed({"ADMIN"})
     @Path("/getXml")
-    @Produces({MediaType.APPLICATION_XML,MediaType.APPLICATION_JSON})
-    public Response getXml(@Context Request request, @QueryParam("filename") String filename, @QueryParam("xpath") String xpathExpression){
+    @Produces({MediaType.APPLICATION_XML, MediaType.APPLICATION_JSON})
+    public Response getXml(@Context Request request,
+                           @QueryParam("filename") String filename,
+                           @QueryParam("xpath") String xpathExpression) {
 
         if (!request.isSecure() && !isLocalhost(request)) {
             return Response.status(Response.Status.FORBIDDEN)
@@ -280,27 +282,47 @@ public Response getXml(@Context Request request, @QueryParam("filename") String
                     .build();
         }
 
+        // Validate XPath input: only allow letters, numbers, underscores, and slashes
+        if (xpathExpression == null || !xpathExpression.matches("[a-zA-Z0-9_/@\\[\\]/\\*\\-]+")) {
+            return Response.status(Response.Status.BAD_REQUEST)
+                    .entity("{\"error\":\"Invalid XPath expression\"}")
+                    .type(MediaType.APPLICATION_JSON)
+                    .build();
+        }
+
+
         Session session = getProcessor().getSession();
         String filePath = session.getBaseDirectory() + "/" + filename;
+
         try {
             NodeList nodeList = getNodes(filePath, xpathExpression);
             DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
             Document resultDocument = db.newDocument();
+
             for (int i = 0; i < nodeList.getLength(); i++) {
                 Node importedNode = resultDocument.importNode(nodeList.item(i), true);
                 resultDocument.appendChild(importedNode);
             }
-            StringWriter stringWriter = new StringWriter();    // Convert the XML document to a string
+
+            StringWriter stringWriter = new StringWriter();
             TransformerFactory transformerFactory = TransformerFactory.newInstance();
             Transformer transformer = transformerFactory.newTransformer();
             transformer.transform(new DOMSource(resultDocument), new StreamResult(stringWriter));
+
             String xmlContent = stringWriter.toString();
             return Response.ok(xmlContent, MediaType.APPLICATION_XML).build();
+
         } catch (Exception exception) {
-            return Response.serverError().entity("error").type(MediaType.APPLICATION_JSON).build();
+            LoggerFactory.getLogger(ApiResource.class.getName()).error(
+                    "Error processing XML file: " + filePath, exception);
+            return Response.serverError()
+                    .entity("{\"error\":\"Internal server error\"}")
+                    .type(MediaType.APPLICATION_JSON)
+                    .build();
         }
     }
 
+
     private static boolean isLocalhost(Request request) {
         boolean isLocalhost = request.getRemoteAddr().equals("127.0.0.1") || request.getRemoteAddr().equals("::1");
         return isLocalhost;

From b6f5404886a8c73bce4b1df27aedfeab81787c1e Mon Sep 17 00:00:00 2001
From: apeiris <mapeiris@hotmail.com>
Date: Mon, 25 Aug 2025 10:53:11 -0400
Subject: [PATCH 3/5] Update .gitignore and refine XPath validation in
 ApiResource

- Ignore log files under Server/OPENAS2_LOG_DIR_IS_UNDEFINED
- Remove redundant comment for XPath validation in ApiResource
---
 .gitignore                                    |   1 +
 .../log-20250825.txt                          | 389 ------------------
 .../cmd/processor/restapi/ApiResource.java    |   2 -
 3 files changed, 1 insertion(+), 391 deletions(-)
 delete mode 100644 Server/OPENAS2_LOG_DIR_IS_UNDEFINED/log-20250825.txt

diff --git a/.gitignore b/.gitignore
index 3b4f66b7..c00051a2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,4 @@ pom.xml.versionsBackup
 **/.settings
 **/*.class
 .metadata/*
+"Server/OPENAS2_LOG_DIR_IS_UNDEFINED/*.txt" 
diff --git a/Server/OPENAS2_LOG_DIR_IS_UNDEFINED/log-20250825.txt b/Server/OPENAS2_LOG_DIR_IS_UNDEFINED/log-20250825.txt
deleted file mode 100644
index bc54cf08..00000000
--- a/Server/OPENAS2_LOG_DIR_IS_UNDEFINED/log-20250825.txt
+++ /dev/null
@@ -1,389 +0,0 @@
-09:49:50.438 [main] INFO  org.openas2.app.OpenAS2Server -- Retrieving config file...
-09:49:50.810 [main] INFO  org.openas2.app.OpenAS2Server -- Using MANIFEST file:/D:/REPOS/apeiris/OpenAs2App/Server/target/dist/lib/openas2-server-4.6.0.jar!/META-INF/MANIFEST.MF
-09:49:50.871 [main] INFO  org.openas2.XMLSession -- Loading configuration...
-09:49:50.871 [main] INFO  org.openas2.XMLSession -- Loading properties...
-09:49:52.139 [main] INFO  org.openas2.util.XMLUtil -- Component node ignored as it is not enabled: {identifier=ssl_trust_certs, password=testas2, filename=D:\REPOS\apeiris\OpenAs2AppMyConfig/ssl_trust_certs.p12, classname=org.openas2.cert.PKCS12CertificateFactory, interval=300, enabled=false}
-09:49:52.176 [main] INFO  org.openas2.XMLSession -- Loading command processor(s)...
-09:49:52.190 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- RestCommandProcessor initialized...
-09:49:52.242 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- Creating and starting a new instance of grizzly http server
-09:49:52.242 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- Exposing the Jersey application at http://localhost:8080
-09:49:53.255 [main] INFO  org.openas2.XMLSession -- Loading processor nodes...
-09:49:53.335 [main] INFO  org.openas2.XMLSession -- Module is disabled ... ignoring: <module classname="org.openas2.processor.receiver.AS2ReceiverModule" enabled="$properties.module.AS2ReceiverModule.https.enabled$" errordir="$properties.storageBaseDir$/inbox/error" errorformat="sender.as2_id, receiver.as2_id, headers.message-id" port="$properties.module.AS2ReceiverModule.https.port$" protocol="https" ssl_keystore="$properties.ssl_keystore$" ssl_keystore_password="$properties.ssl_keystore_password$" ssl_protocol="TLS"/>
-09:49:53.339 [main] INFO  org.openas2.XMLSession -- Module is disabled ... ignoring: <module classname="org.openas2.processor.receiver.AS2MDNReceiverModule" enabled="$properties.module.AS2MDNReceiverModule.https.enabled$" port="$properties.module.AS2MDNReceiverModule.https.port$" protocol="https" ssl_keystore="$properties.ssl_keystore$" ssl_keystore_password="$properties.ssl_keystore_password$" ssl_protocol="TLS"/>
-09:49:53.345 [main] INFO  org.openas2.XMLSession -- Loading partnerships...
-09:49:53.443 [main] INFO  org.openas2.XMLSession -- Loading messages...
-09:49:53.445 [main] INFO  org.openas2.util.XMLUtil -- Component node ignored as it is not enabled: {filename=D:\REPOS\apeiris\OpenAs2AppMyConfig/messages.xml, classname=org.openas2.message.XMLMessageFactory, interval=120, enabled=false}
-09:49:53.452 [main] INFO  org.openas2.app.OpenAS2Server -- Shutdown hook registered.
-09:49:53.453 [main] INFO  org.openas2.app.OpenAS2Server -- Starting OpenAS2 Server v4.6.0...
-09:49:53.481 [main] INFO  EmbeddedDBHandler -- Using JDBC driver: org.h2.Driver
-09:49:53.761 [main] INFO  org.openas2.processor.DefaultProcessor -- DbTrackingModule started.
-09:49:53.779 [main] INFO  org.openas2.processor.DefaultProcessor -- AS2ReceiverModule started.
-09:49:53.783 [main] INFO  org.openas2.processor.DefaultProcessor -- AS2MDNReceiverModule started.
-09:49:53.794 [main] INFO  org.openas2.processor.DefaultProcessor -- DirectoryResenderModule started.
-09:49:53.796 [main] INFO  org.openas2.processor.DefaultProcessor -- HealthCheckModule started.
-09:49:53.797 [main] INFO  org.openas2.processor.DefaultProcessor -- 5 active module(s) started.
-09:49:53.799 [main] INFO  org.openas2.app.OpenAS2Server -- OpenAS2 Server v4.6.0 started.
-09:52:25.023 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- DbTrackingModule stopped.
-09:52:25.020 [SchedulerComponent-Thread-1] ERROR org.openas2.cmd.processor.BaseCommandProcessor -- Cannot invoke "String.trim()" because the return value of "java.io.BufferedReader.readLine()" is null
-java.lang.NullPointerException: Cannot invoke "String.trim()" because the return value of "java.io.BufferedReader.readLine()" is null
-	at org.openas2.cmd.processor.StreamCommandProcessor.readLine(StreamCommandProcessor.java:107)
-	at org.openas2.cmd.processor.StreamCommandProcessor.processCommand(StreamCommandProcessor.java:49)
-	at org.openas2.cmd.processor.BaseCommandProcessor$1.call(BaseCommandProcessor.java:96)
-	at org.openas2.cmd.processor.BaseCommandProcessor$1.call(BaseCommandProcessor.java:91)
-	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
-	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
-	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
-	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
-	at java.base/java.lang.Thread.run(Thread.java:842)
-09:52:25.023 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- AS2ReceiverModule stopped.
-09:52:25.023 [HTTPServerThread (0.0.0.0:10080)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
-java.net.SocketException: Socket closed
-	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
-	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
-	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
-	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
-	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
-09:52:25.025 [HTTPServerThread (0.0.0.0:10081)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
-java.net.SocketException: Socket closed
-	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
-	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
-	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
-	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
-	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
-09:52:25.026 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- AS2MDNReceiverModule stopped.
-09:52:25.027 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- DirectoryResenderModule stopped.
-09:52:25.028 [HTTPServerThread (localhost:10099)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
-java.net.SocketException: Socket closed
-	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
-	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
-	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
-	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
-	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
-09:52:25.028 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- HealthCheckModule stopped.
-09:52:25.029 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- 5 active module(s) stopped.
-09:52:25.029 [Thread-0] INFO  org.openas2.app.OpenAS2Server -- OpenAS2 has shut down
-
-09:53:06.483 [main] INFO  org.openas2.app.OpenAS2Server -- Retrieving config file...
-09:53:06.815 [main] INFO  org.openas2.app.OpenAS2Server -- Using MANIFEST file:/D:/REPOS/apeiris/OpenAs2App/Server/target/dist/lib/openas2-server-4.6.0.jar!/META-INF/MANIFEST.MF
-09:53:06.873 [main] INFO  org.openas2.XMLSession -- Loading configuration...org.openas2.lib.xml.PropertyReplacementFilter@51dcb805
-09:53:06.875 [main] INFO  org.openas2.XMLSession -- Loading properties...
-09:53:08.136 [main] INFO  org.openas2.util.XMLUtil -- Component node ignored as it is not enabled: {identifier=ssl_trust_certs, password=testas2, filename=D:\REPOS\apeiris\OpenAs2AppMyConfig/ssl_trust_certs.p12, classname=org.openas2.cert.PKCS12CertificateFactory, interval=300, enabled=false}
-09:53:08.164 [main] INFO  org.openas2.XMLSession -- Loading command processor(s)...
-09:53:08.180 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- RestCommandProcessor initialized...
-09:53:08.233 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- Creating and starting a new instance of grizzly http server
-09:53:08.233 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- Exposing the Jersey application at http://localhost:8080
-09:53:09.201 [main] INFO  org.openas2.XMLSession -- Loading processor nodes...
-09:53:09.272 [main] INFO  org.openas2.XMLSession -- Module is disabled ... ignoring: <module classname="org.openas2.processor.receiver.AS2ReceiverModule" enabled="$properties.module.AS2ReceiverModule.https.enabled$" errordir="$properties.storageBaseDir$/inbox/error" errorformat="sender.as2_id, receiver.as2_id, headers.message-id" port="$properties.module.AS2ReceiverModule.https.port$" protocol="https" ssl_keystore="$properties.ssl_keystore$" ssl_keystore_password="$properties.ssl_keystore_password$" ssl_protocol="TLS"/>
-09:53:09.275 [main] INFO  org.openas2.XMLSession -- Module is disabled ... ignoring: <module classname="org.openas2.processor.receiver.AS2MDNReceiverModule" enabled="$properties.module.AS2MDNReceiverModule.https.enabled$" port="$properties.module.AS2MDNReceiverModule.https.port$" protocol="https" ssl_keystore="$properties.ssl_keystore$" ssl_keystore_password="$properties.ssl_keystore_password$" ssl_protocol="TLS"/>
-09:53:09.281 [main] INFO  org.openas2.XMLSession -- Loading partnerships...
-09:53:09.361 [main] INFO  org.openas2.XMLSession -- Loading messages...
-09:53:09.363 [main] INFO  org.openas2.util.XMLUtil -- Component node ignored as it is not enabled: {filename=D:\REPOS\apeiris\OpenAs2AppMyConfig/messages.xml, classname=org.openas2.message.XMLMessageFactory, interval=120, enabled=false}
-09:53:09.371 [main] INFO  org.openas2.app.OpenAS2Server -- Shutdown hook registered.
-09:53:09.372 [main] INFO  org.openas2.app.OpenAS2Server -- Starting OpenAS2 Server v4.6.0...
-09:53:09.398 [main] INFO  EmbeddedDBHandler -- Using JDBC driver: org.h2.Driver
-09:53:09.630 [main] INFO  org.openas2.processor.DefaultProcessor -- DbTrackingModule started.
-09:53:09.640 [main] INFO  org.openas2.processor.DefaultProcessor -- AS2ReceiverModule started.
-09:53:09.644 [main] INFO  org.openas2.processor.DefaultProcessor -- AS2MDNReceiverModule started.
-09:53:09.648 [main] INFO  org.openas2.processor.DefaultProcessor -- DirectoryResenderModule started.
-09:53:09.650 [main] INFO  org.openas2.processor.DefaultProcessor -- HealthCheckModule started.
-09:53:09.650 [main] INFO  org.openas2.processor.DefaultProcessor -- 5 active module(s) started.
-09:53:09.651 [main] INFO  org.openas2.app.OpenAS2Server -- OpenAS2 Server v4.6.0 started.
-09:55:27.922 [SchedulerComponent-Thread-1] INFO  org.openas2.cmd.processor.RestCommandProcessor -- RestCommandProcessor destroyed...
-09:55:27.943 [SchedulerComponent-Thread-1] INFO  org.openas2.processor.DefaultProcessor -- DbTrackingModule stopped.
-09:55:27.945 [HTTPServerThread (0.0.0.0:10080)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
-java.net.SocketException: Socket closed
-	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
-	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
-	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
-	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
-	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
-09:55:27.945 [SchedulerComponent-Thread-1] INFO  org.openas2.processor.DefaultProcessor -- AS2ReceiverModule stopped.
-09:55:27.971 [HTTPServerThread (0.0.0.0:10081)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
-java.net.SocketException: Socket closed
-	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
-	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
-	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
-	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
-	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
-09:55:27.970 [SchedulerComponent-Thread-1] INFO  org.openas2.processor.DefaultProcessor -- AS2MDNReceiverModule stopped.
-09:55:28.017 [SchedulerComponent-Thread-1] INFO  org.openas2.processor.DefaultProcessor -- DirectoryResenderModule stopped.
-09:55:28.018 [HTTPServerThread (localhost:10099)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
-java.net.SocketException: Socket closed
-	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
-	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
-	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
-	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
-	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
-09:55:28.019 [SchedulerComponent-Thread-1] INFO  org.openas2.processor.DefaultProcessor -- HealthCheckModule stopped.
-09:55:28.020 [SchedulerComponent-Thread-1] INFO  org.openas2.processor.DefaultProcessor -- 5 active module(s) stopped.
-09:55:28.049 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- DbTrackingModule stopped.
-09:55:28.050 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- 1 active module(s) stopped.
-09:55:28.050 [Thread-0] INFO  org.openas2.app.OpenAS2Server -- OpenAS2 has shut down
-
-09:56:13.560 [main] INFO  org.openas2.app.OpenAS2Server -- Retrieving config file...
-09:56:13.898 [main] INFO  org.openas2.app.OpenAS2Server -- Using MANIFEST file:/D:/REPOS/apeiris/OpenAs2App/Server/target/dist/lib/openas2-server-4.6.0.jar!/META-INF/MANIFEST.MF
-09:56:13.946 [main] INFO  org.openas2.XMLSession -- Loading configuration...D:\REPOS\apeiris\OpenAs2AppMyConfig
-09:56:13.947 [main] INFO  org.openas2.XMLSession -- Loading properties...
-09:56:15.170 [main] INFO  org.openas2.util.XMLUtil -- Component node ignored as it is not enabled: {identifier=ssl_trust_certs, password=testas2, filename=D:\REPOS\apeiris\OpenAs2AppMyConfig/ssl_trust_certs.p12, classname=org.openas2.cert.PKCS12CertificateFactory, interval=300, enabled=false}
-09:56:15.199 [main] INFO  org.openas2.XMLSession -- Loading command processor(s)...
-09:56:15.214 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- RestCommandProcessor initialized...
-09:56:15.264 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- Creating and starting a new instance of grizzly http server
-09:56:15.264 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- Exposing the Jersey application at http://localhost:8080
-09:56:16.212 [main] INFO  org.openas2.XMLSession -- Loading processor nodes...
-09:56:16.285 [main] INFO  org.openas2.XMLSession -- Module is disabled ... ignoring: <module classname="org.openas2.processor.receiver.AS2ReceiverModule" enabled="$properties.module.AS2ReceiverModule.https.enabled$" errordir="$properties.storageBaseDir$/inbox/error" errorformat="sender.as2_id, receiver.as2_id, headers.message-id" port="$properties.module.AS2ReceiverModule.https.port$" protocol="https" ssl_keystore="$properties.ssl_keystore$" ssl_keystore_password="$properties.ssl_keystore_password$" ssl_protocol="TLS"/>
-09:56:16.288 [main] INFO  org.openas2.XMLSession -- Module is disabled ... ignoring: <module classname="org.openas2.processor.receiver.AS2MDNReceiverModule" enabled="$properties.module.AS2MDNReceiverModule.https.enabled$" port="$properties.module.AS2MDNReceiverModule.https.port$" protocol="https" ssl_keystore="$properties.ssl_keystore$" ssl_keystore_password="$properties.ssl_keystore_password$" ssl_protocol="TLS"/>
-09:56:16.293 [main] INFO  org.openas2.XMLSession -- Loading partnerships...
-09:56:16.368 [main] INFO  org.openas2.XMLSession -- Loading messages...
-09:56:16.369 [main] INFO  org.openas2.util.XMLUtil -- Component node ignored as it is not enabled: {filename=D:\REPOS\apeiris\OpenAs2AppMyConfig/messages.xml, classname=org.openas2.message.XMLMessageFactory, interval=120, enabled=false}
-09:56:16.375 [main] INFO  org.openas2.app.OpenAS2Server -- Shutdown hook registered.
-09:56:16.376 [main] INFO  org.openas2.app.OpenAS2Server -- Starting OpenAS2 Server v4.6.0...
-09:56:16.404 [main] INFO  EmbeddedDBHandler -- Using JDBC driver: org.h2.Driver
-09:56:16.632 [main] INFO  org.openas2.processor.DefaultProcessor -- DbTrackingModule started.
-09:56:16.645 [main] INFO  org.openas2.processor.DefaultProcessor -- AS2ReceiverModule started.
-09:56:16.646 [main] INFO  org.openas2.processor.DefaultProcessor -- AS2MDNReceiverModule started.
-09:56:16.648 [main] INFO  org.openas2.processor.DefaultProcessor -- DirectoryResenderModule started.
-09:56:16.651 [main] INFO  org.openas2.processor.DefaultProcessor -- HealthCheckModule started.
-09:56:16.654 [main] INFO  org.openas2.processor.DefaultProcessor -- 5 active module(s) started.
-09:56:16.657 [main] INFO  org.openas2.app.OpenAS2Server -- OpenAS2 Server v4.6.0 started.
-09:57:07.743 [grizzly-http-server-0] INFO  o.openas2.cmd.processor.restapi.AuthenticationRequestFilter -- Username: userID
-09:57:07.955 [grizzly-http-server-0] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Request: POST /api/v2/WriteToConsole/==================================================================
-09:57:08.025 [grizzly-http-server-0] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Response: 200{Content-Type=[application/json]}
-09:57:08.415 [pool-4-thread-1] INFO  org.openas2.processor.receiver.AS2ReceiverHandler -- received 4790 bytes in 0.9 seconds at 519.766 KBps 0:0:0:0:0:0:0:1 52269 [<AS2_095708Mon.>]
-09:57:08.625 [pool-4-thread-1] INFO  org.openas2.processor.storage.MessageFileModule -- stored message to D:\REPOS\apeiris\OpenAs2AppMyConfig\..\data\MyCompany_OID-PartnerA_OID\inbox\AS2_095708Mon. [<AS2_095708Mon.>]
-09:57:08.628 [pool-4-thread-1] INFO  org.openas2.processor.storage.MessageFileModule -- stored headers to D:\REPOS\apeiris\OpenAs2AppMyConfig\..\data\MyCompany_OID-PartnerA_OID\msgheaders\2025-08-25\AS2_095708Mon. [<AS2_095708Mon.>]
-09:57:08.920 [pool-4-thread-1] INFO  org.openas2.processor.sender.MDNSenderModule -- sent MDN [automatic-action/mdn-sent-automatically; processed] [<AS2_095708Mon.>]
-10:03:16.708 [SchedulerComponent-Thread-1] INFO  org.openas2.cmd.processor.RestCommandProcessor -- RestCommandProcessor destroyed...
-10:03:16.710 [SchedulerComponent-Thread-1] INFO  org.openas2.processor.DefaultProcessor -- DbTrackingModule stopped.
-10:03:16.711 [SchedulerComponent-Thread-1] INFO  org.openas2.processor.DefaultProcessor -- AS2ReceiverModule stopped.
-10:03:16.711 [HTTPServerThread (0.0.0.0:10080)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
-java.net.SocketException: Socket closed
-	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
-	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
-	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
-	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
-	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
-10:03:16.714 [SchedulerComponent-Thread-1] INFO  org.openas2.processor.DefaultProcessor -- AS2MDNReceiverModule stopped.
-10:03:16.714 [HTTPServerThread (0.0.0.0:10081)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
-java.net.SocketException: Socket closed
-	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
-	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
-	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
-	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
-	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
-10:03:16.720 [SchedulerComponent-Thread-1] INFO  org.openas2.processor.DefaultProcessor -- DirectoryResenderModule stopped.
-10:03:16.721 [HTTPServerThread (localhost:10099)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
-java.net.SocketException: Socket closed
-	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
-	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
-	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
-	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
-	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
-10:03:16.721 [SchedulerComponent-Thread-1] INFO  org.openas2.processor.DefaultProcessor -- HealthCheckModule stopped.
-10:03:16.725 [SchedulerComponent-Thread-1] INFO  org.openas2.processor.DefaultProcessor -- 5 active module(s) stopped.
-10:03:16.746 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- DbTrackingModule stopped.
-10:03:16.748 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- 1 active module(s) stopped.
-10:03:16.749 [Thread-0] INFO  org.openas2.app.OpenAS2Server -- OpenAS2 has shut down
-
-10:28:45.937 [main] INFO  org.openas2.app.OpenAS2Server -- Retrieving config file...
-10:28:46.318 [main] INFO  org.openas2.app.OpenAS2Server -- Using MANIFEST file:/D:/REPOS/apeiris/OpenAs2App/Server/target/dist/lib/openas2-server-4.6.0.jar!/META-INF/MANIFEST.MF
-10:28:46.382 [main] INFO  org.openas2.XMLSession -- Loading configuration...
-10:28:46.382 [main] INFO  org.openas2.XMLSession -- Loading properties...
-10:28:47.833 [main] INFO  org.openas2.util.XMLUtil -- Component node ignored as it is not enabled: {identifier=ssl_trust_certs, password=testas2, filename=D:\REPOS\apeiris\OpenAs2AppMyConfig/ssl_trust_certs.p12, classname=org.openas2.cert.PKCS12CertificateFactory, interval=300, enabled=false}
-10:28:47.861 [main] INFO  org.openas2.XMLSession -- Loading command processor(s)...
-10:28:47.884 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- RestCommandProcessor initialized...
-10:28:47.976 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- Creating and starting a new instance of grizzly http server
-10:28:47.982 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- Exposing the Jersey application at http://localhost:8080
-10:28:49.051 [main] INFO  org.openas2.XMLSession -- Loading processor nodes...
-10:28:49.121 [main] INFO  org.openas2.XMLSession -- Module is disabled ... ignoring: <module classname="org.openas2.processor.receiver.AS2ReceiverModule" enabled="$properties.module.AS2ReceiverModule.https.enabled$" errordir="$properties.storageBaseDir$/inbox/error" errorformat="sender.as2_id, receiver.as2_id, headers.message-id" port="$properties.module.AS2ReceiverModule.https.port$" protocol="https" ssl_keystore="$properties.ssl_keystore$" ssl_keystore_password="$properties.ssl_keystore_password$" ssl_protocol="TLS"/>
-10:28:49.123 [main] INFO  org.openas2.XMLSession -- Module is disabled ... ignoring: <module classname="org.openas2.processor.receiver.AS2MDNReceiverModule" enabled="$properties.module.AS2MDNReceiverModule.https.enabled$" port="$properties.module.AS2MDNReceiverModule.https.port$" protocol="https" ssl_keystore="$properties.ssl_keystore$" ssl_keystore_password="$properties.ssl_keystore_password$" ssl_protocol="TLS"/>
-10:28:49.127 [main] INFO  org.openas2.XMLSession -- Loading partnerships...
-10:28:49.218 [main] INFO  org.openas2.XMLSession -- Loading messages...
-10:28:49.219 [main] INFO  org.openas2.util.XMLUtil -- Component node ignored as it is not enabled: {filename=D:\REPOS\apeiris\OpenAs2AppMyConfig/messages.xml, classname=org.openas2.message.XMLMessageFactory, interval=120, enabled=false}
-10:28:49.227 [main] INFO  org.openas2.app.OpenAS2Server -- Shutdown hook registered.
-10:28:49.228 [main] INFO  org.openas2.app.OpenAS2Server -- Starting OpenAS2 Server v4.6.0...
-10:28:49.271 [main] INFO  EmbeddedDBHandler -- Using JDBC driver: org.h2.Driver
-10:28:49.523 [main] INFO  org.openas2.processor.DefaultProcessor -- DbTrackingModule started.
-10:28:49.534 [main] INFO  org.openas2.processor.DefaultProcessor -- AS2ReceiverModule started.
-10:28:49.535 [main] INFO  org.openas2.processor.DefaultProcessor -- AS2MDNReceiverModule started.
-10:28:49.536 [main] INFO  org.openas2.processor.DefaultProcessor -- DirectoryResenderModule started.
-10:28:49.537 [main] INFO  org.openas2.processor.DefaultProcessor -- HealthCheckModule started.
-10:28:49.539 [main] INFO  org.openas2.processor.DefaultProcessor -- 5 active module(s) started.
-10:28:49.542 [main] INFO  org.openas2.app.OpenAS2Server -- OpenAS2 Server v4.6.0 started.
-10:29:01.082 [grizzly-http-server-0] INFO  o.openas2.cmd.processor.restapi.AuthenticationRequestFilter -- Username: userID
-10:29:01.362 [grizzly-http-server-0] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Request: GET /api/getPropertyList
-10:29:01.441 [grizzly-http-server-0] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Response: 200{Content-Type=[application/json]}
-10:29:01.477 [pool-5-thread-1] INFO  org.openas2.processor.receiver.AS2MDNReceiverHandler -- Incoming connection [ 127.0.0.1 52896]
-10:29:01.483 [pool-5-thread-1] INFO  org.openas2.processor.receiver.AS2MDNReceiverHandler -- Healthcheck ping detected [ 127.0.0.1 52896] [null]
-10:29:06.752 [grizzly-http-server-1] INFO  o.openas2.cmd.processor.restapi.AuthenticationRequestFilter -- Username: userID
-10:29:06.753 [grizzly-http-server-1] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Request: GET /api/getXml
-10:29:06.755 [grizzly-http-server-1] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Response: 400{Content-Type=[application/json]}
-10:30:33.883 [grizzly-http-server-2] INFO  o.openas2.cmd.processor.restapi.AuthenticationRequestFilter -- Username: userID
-10:30:33.886 [grizzly-http-server-2] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Request: GET /api/getPropertyList
-10:30:33.889 [grizzly-http-server-2] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Response: 200{Content-Type=[application/json]}
-10:30:33.893 [pool-5-thread-2] INFO  org.openas2.processor.receiver.AS2MDNReceiverHandler -- Incoming connection [ 127.0.0.1 52922]
-10:30:33.896 [pool-5-thread-2] INFO  org.openas2.processor.receiver.AS2MDNReceiverHandler -- Healthcheck ping detected [ 127.0.0.1 52922] [null]
-10:33:17.448 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- DbTrackingModule stopped.
-10:33:17.446 [SchedulerComponent-Thread-1] ERROR org.openas2.cmd.processor.BaseCommandProcessor -- Cannot invoke "String.trim()" because the return value of "java.io.BufferedReader.readLine()" is null
-java.lang.NullPointerException: Cannot invoke "String.trim()" because the return value of "java.io.BufferedReader.readLine()" is null
-	at org.openas2.cmd.processor.StreamCommandProcessor.readLine(StreamCommandProcessor.java:107)
-	at org.openas2.cmd.processor.StreamCommandProcessor.processCommand(StreamCommandProcessor.java:49)
-	at org.openas2.cmd.processor.BaseCommandProcessor$1.call(BaseCommandProcessor.java:96)
-	at org.openas2.cmd.processor.BaseCommandProcessor$1.call(BaseCommandProcessor.java:91)
-	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
-	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
-	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
-	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
-	at java.base/java.lang.Thread.run(Thread.java:842)
-10:33:17.450 [HTTPServerThread (0.0.0.0:10080)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
-java.net.SocketException: Socket closed
-	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
-	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
-	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
-	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
-	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
-10:33:17.450 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- AS2ReceiverModule stopped.
-10:33:17.455 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- AS2MDNReceiverModule stopped.
-10:33:17.455 [HTTPServerThread (0.0.0.0:10081)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
-java.net.SocketException: Socket closed
-	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
-	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
-	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
-	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
-	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
-10:33:17.455 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- DirectoryResenderModule stopped.
-10:33:17.456 [HTTPServerThread (localhost:10099)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
-java.net.SocketException: Socket closed
-	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
-	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
-	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
-	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
-	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
-10:33:17.456 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- HealthCheckModule stopped.
-10:33:17.499 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- 5 active module(s) stopped.
-10:33:17.500 [Thread-0] INFO  org.openas2.app.OpenAS2Server -- OpenAS2 has shut down
-
-10:33:58.184 [main] INFO  org.openas2.app.OpenAS2Server -- Retrieving config file...
-10:33:58.537 [main] INFO  org.openas2.app.OpenAS2Server -- Using MANIFEST file:/D:/REPOS/apeiris/OpenAs2App/Server/target/dist/lib/openas2-server-4.6.0.jar!/META-INF/MANIFEST.MF
-10:33:58.580 [main] INFO  org.openas2.XMLSession -- Loading configuration...
-10:33:58.581 [main] INFO  org.openas2.XMLSession -- Loading properties...
-10:33:59.988 [main] INFO  org.openas2.util.XMLUtil -- Component node ignored as it is not enabled: {identifier=ssl_trust_certs, password=testas2, filename=D:\REPOS\apeiris\OpenAs2AppMyConfig/ssl_trust_certs.p12, classname=org.openas2.cert.PKCS12CertificateFactory, interval=300, enabled=false}
-10:34:00.026 [main] INFO  org.openas2.XMLSession -- Loading command processor(s)...
-10:34:00.046 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- RestCommandProcessor initialized...
-10:34:00.106 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- Creating and starting a new instance of grizzly http server
-10:34:00.106 [main] INFO  org.openas2.cmd.processor.RestCommandProcessor -- Exposing the Jersey application at http://localhost:8080
-10:34:01.241 [main] INFO  org.openas2.XMLSession -- Loading processor nodes...
-10:34:01.337 [main] INFO  org.openas2.XMLSession -- Module is disabled ... ignoring: <module classname="org.openas2.processor.receiver.AS2ReceiverModule" enabled="$properties.module.AS2ReceiverModule.https.enabled$" errordir="$properties.storageBaseDir$/inbox/error" errorformat="sender.as2_id, receiver.as2_id, headers.message-id" port="$properties.module.AS2ReceiverModule.https.port$" protocol="https" ssl_keystore="$properties.ssl_keystore$" ssl_keystore_password="$properties.ssl_keystore_password$" ssl_protocol="TLS"/>
-10:34:01.342 [main] INFO  org.openas2.XMLSession -- Module is disabled ... ignoring: <module classname="org.openas2.processor.receiver.AS2MDNReceiverModule" enabled="$properties.module.AS2MDNReceiverModule.https.enabled$" port="$properties.module.AS2MDNReceiverModule.https.port$" protocol="https" ssl_keystore="$properties.ssl_keystore$" ssl_keystore_password="$properties.ssl_keystore_password$" ssl_protocol="TLS"/>
-10:34:01.351 [main] INFO  org.openas2.XMLSession -- Loading partnerships...
-10:34:01.480 [main] INFO  org.openas2.XMLSession -- Loading messages...
-10:34:01.481 [main] INFO  org.openas2.util.XMLUtil -- Component node ignored as it is not enabled: {filename=D:\REPOS\apeiris\OpenAs2AppMyConfig/messages.xml, classname=org.openas2.message.XMLMessageFactory, interval=120, enabled=false}
-10:34:01.488 [main] INFO  org.openas2.app.OpenAS2Server -- Shutdown hook registered.
-10:34:01.489 [main] INFO  org.openas2.app.OpenAS2Server -- Starting OpenAS2 Server v4.6.0...
-10:34:01.515 [main] INFO  EmbeddedDBHandler -- Using JDBC driver: org.h2.Driver
-10:34:01.760 [main] INFO  org.openas2.processor.DefaultProcessor -- DbTrackingModule started.
-10:34:01.772 [main] INFO  org.openas2.processor.DefaultProcessor -- AS2ReceiverModule started.
-10:34:01.775 [main] INFO  org.openas2.processor.DefaultProcessor -- AS2MDNReceiverModule started.
-10:34:01.776 [main] INFO  org.openas2.processor.DefaultProcessor -- DirectoryResenderModule started.
-10:34:01.777 [main] INFO  org.openas2.processor.DefaultProcessor -- HealthCheckModule started.
-10:34:01.778 [main] INFO  org.openas2.processor.DefaultProcessor -- 5 active module(s) started.
-10:34:01.780 [main] INFO  org.openas2.app.OpenAS2Server -- OpenAS2 Server v4.6.0 started.
-10:34:17.982 [grizzly-http-server-0] INFO  o.openas2.cmd.processor.restapi.AuthenticationRequestFilter -- Username: userID
-10:34:18.220 [grizzly-http-server-0] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Request: GET /api/getPropertyList
-10:34:18.290 [pool-5-thread-1] INFO  org.openas2.processor.receiver.AS2MDNReceiverHandler -- Incoming connection [ 127.0.0.1 53008]
-10:34:18.292 [pool-5-thread-1] INFO  org.openas2.processor.receiver.AS2MDNReceiverHandler -- Healthcheck ping detected [ 127.0.0.1 53008] [null]
-10:34:18.295 [grizzly-http-server-0] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Response: 200{Content-Type=[application/json]}
-10:34:20.503 [grizzly-http-server-1] INFO  o.openas2.cmd.processor.restapi.AuthenticationRequestFilter -- Username: userID
-10:34:20.504 [grizzly-http-server-1] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Request: GET /api/getXml
-10:34:20.521 [grizzly-http-server-1] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Response: 200{Content-Type=[application/xml]}
-10:34:36.744 [grizzly-http-server-2] INFO  o.openas2.cmd.processor.restapi.AuthenticationRequestFilter -- Username: userID
-10:34:36.752 [grizzly-http-server-2] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Request: POST /api/v2/WriteToConsole/==================================================================
-10:34:36.812 [grizzly-http-server-2] INFO  org.openas2.cmd.processor.RestCommandProcessor -- API Response: 200{Content-Type=[application/json]}
-10:34:37.460 [pool-4-thread-1] INFO  org.openas2.processor.receiver.AS2ReceiverHandler -- received 4790 bytes in 0.1 seconds at 4.581 MBps 0:0:0:0:0:0:0:1 53018 [<AS2_103437Mon.>]
-10:34:37.670 [pool-4-thread-1] INFO  org.openas2.processor.storage.MessageFileModule -- stored message to D:\REPOS\apeiris\OpenAs2AppMyConfig\..\data\MyCompany_OID-PartnerA_OID\inbox\AS2_103437Mon. [<AS2_103437Mon.>]
-10:34:37.681 [pool-4-thread-1] INFO  org.openas2.processor.storage.MessageFileModule -- stored headers to D:\REPOS\apeiris\OpenAs2AppMyConfig\..\data\MyCompany_OID-PartnerA_OID\msgheaders\2025-08-25\AS2_103437Mon. [<AS2_103437Mon.>]
-10:34:38.050 [pool-4-thread-1] INFO  org.openas2.processor.sender.MDNSenderModule -- sent MDN [automatic-action/mdn-sent-automatically; processed] [<AS2_103437Mon.>]
-10:36:19.533 [SchedulerComponent-Thread-1] ERROR org.openas2.cmd.processor.BaseCommandProcessor -- Cannot invoke "String.trim()" because the return value of "java.io.BufferedReader.readLine()" is null
-java.lang.NullPointerException: Cannot invoke "String.trim()" because the return value of "java.io.BufferedReader.readLine()" is null
-	at org.openas2.cmd.processor.StreamCommandProcessor.readLine(StreamCommandProcessor.java:107)
-	at org.openas2.cmd.processor.StreamCommandProcessor.processCommand(StreamCommandProcessor.java:49)
-	at org.openas2.cmd.processor.BaseCommandProcessor$1.call(BaseCommandProcessor.java:96)
-	at org.openas2.cmd.processor.BaseCommandProcessor$1.call(BaseCommandProcessor.java:91)
-	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
-	at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
-	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
-	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
-	at java.base/java.lang.Thread.run(Thread.java:842)
-10:36:19.538 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- DbTrackingModule stopped.
-10:36:19.566 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- AS2ReceiverModule stopped.
-10:36:19.567 [HTTPServerThread (0.0.0.0:10080)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
-java.net.SocketException: Socket closed
-	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
-	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
-	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
-	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
-	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
-10:36:19.568 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- AS2MDNReceiverModule stopped.
-10:36:19.568 [HTTPServerThread (0.0.0.0:10081)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
-java.net.SocketException: Socket closed
-	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
-	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
-	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
-	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
-	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
-10:36:19.573 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- DirectoryResenderModule stopped.
-10:36:19.580 [HTTPServerThread (localhost:10099)] ERROR org.openas2.processor.receiver.NetModule -- Failed transferring data over HTTP connection: Socket closed
-java.net.SocketException: Socket closed
-	at java.base/sun.nio.ch.NioSocketImpl.endAccept(NioSocketImpl.java:694)
-	at java.base/sun.nio.ch.NioSocketImpl.accept(NioSocketImpl.java:767)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:675)
-	at java.base/java.net.ServerSocket.platformImplAccept(ServerSocket.java:641)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:617)
-	at java.base/java.net.ServerSocket.implAccept(ServerSocket.java:574)
-	at java.base/java.net.ServerSocket.accept(ServerSocket.java:532)
-	at org.openas2.processor.receiver.NetModule$HTTPServerThread.run(NetModule.java:314)
-10:36:19.580 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- HealthCheckModule stopped.
-10:36:19.582 [Thread-0] INFO  org.openas2.processor.DefaultProcessor -- 5 active module(s) stopped.
-10:36:19.590 [Thread-0] INFO  org.openas2.app.OpenAS2Server -- OpenAS2 has shut down
-
diff --git a/Server/src/main/java/org/openas2/cmd/processor/restapi/ApiResource.java b/Server/src/main/java/org/openas2/cmd/processor/restapi/ApiResource.java
index be687e8e..7ffee91d 100644
--- a/Server/src/main/java/org/openas2/cmd/processor/restapi/ApiResource.java
+++ b/Server/src/main/java/org/openas2/cmd/processor/restapi/ApiResource.java
@@ -281,8 +281,6 @@ public Response getXml(@Context Request request,
                     .type(MediaType.APPLICATION_JSON)
                     .build();
         }
-
-        // Validate XPath input: only allow letters, numbers, underscores, and slashes
         if (xpathExpression == null || !xpathExpression.matches("[a-zA-Z0-9_/@\\[\\]/\\*\\-]+")) {
             return Response.status(Response.Status.BAD_REQUEST)
                     .entity("{\"error\":\"Invalid XPath expression\"}")

From 3f9faaa94756a6d845176bbab08f51e693dad803 Mon Sep 17 00:00:00 2001
From: apeiris <mapeiris@hotmail.com>
Date: Mon, 25 Aug 2025 11:47:51 -0400
Subject: [PATCH 4/5] Fix getXml endpoint to safely handle XPath input and wrap
 results

- Restrict allowed XPath expressions to a predefined set, including "*".
- Prevent XPath injection and XXE attacks by validating input and disabling DOCTYPE.
- Wrap returned XML nodes in a <results> root element to avoid DOM hierarchy errors.
- Simplify XML transformation and response building.
---
 .../cmd/processor/restapi/ApiResource.java    | 53 ++++++++++++++-----
 1 file changed, 40 insertions(+), 13 deletions(-)

diff --git a/Server/src/main/java/org/openas2/cmd/processor/restapi/ApiResource.java b/Server/src/main/java/org/openas2/cmd/processor/restapi/ApiResource.java
index 7ffee91d..33b2abc1 100644
--- a/Server/src/main/java/org/openas2/cmd/processor/restapi/ApiResource.java
+++ b/Server/src/main/java/org/openas2/cmd/processor/restapi/ApiResource.java
@@ -40,13 +40,19 @@
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
+
 
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerFactory;
+
+
+
+import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathExpression;
 import javax.xml.xpath.XPathFactory;
@@ -63,6 +69,7 @@
 import org.slf4j.LoggerFactory;
 
 import org.w3c.dom.Document;
+import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 
@@ -281,34 +288,53 @@ public Response getXml(@Context Request request,
                     .type(MediaType.APPLICATION_JSON)
                     .build();
         }
-        if (xpathExpression == null || !xpathExpression.matches("[a-zA-Z0-9_/@\\[\\]/\\*\\-]+")) {
+
+
+        Set<String> allowedXPaths = Set.of(
+                "/partnerships/partner",
+                "/partnerships/partner/name",
+                "/partnerships/*",
+                "*"
+        );
+
+        if (xpathExpression == null || !allowedXPaths.contains(xpathExpression)) {
             return Response.status(Response.Status.BAD_REQUEST)
-                    .entity("{\"error\":\"Invalid XPath expression\"}")
+                    .entity("{\"error\":\"Invalid or disallowed XPath expression\"}")
                     .type(MediaType.APPLICATION_JSON)
                     .build();
         }
 
-
         Session session = getProcessor().getSession();
         String filePath = session.getBaseDirectory() + "/" + filename;
 
         try {
-            NodeList nodeList = getNodes(filePath, xpathExpression);
-            DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
-            Document resultDocument = db.newDocument();
+
+            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // prevent XXE
+            DocumentBuilder builder = factory.newDocumentBuilder();
+            Document document = builder.parse(new File(filePath));
+
+
+            XPath xpath = XPathFactory.newInstance().newXPath();
+            XPathExpression expr = xpath.compile(xpathExpression);
+            NodeList nodeList = (NodeList) expr.evaluate(document, XPathConstants.NODESET);
+
+
+            Document resultDocument = builder.newDocument();
+            Element root = resultDocument.createElement("results");
+            resultDocument.appendChild(root);
 
             for (int i = 0; i < nodeList.getLength(); i++) {
                 Node importedNode = resultDocument.importNode(nodeList.item(i), true);
-                resultDocument.appendChild(importedNode);
+                root.appendChild(importedNode);
             }
 
+            // Convert to string
+            Transformer transformer = TransformerFactory.newInstance().newTransformer();
             StringWriter stringWriter = new StringWriter();
-            TransformerFactory transformerFactory = TransformerFactory.newInstance();
-            Transformer transformer = transformerFactory.newTransformer();
             transformer.transform(new DOMSource(resultDocument), new StreamResult(stringWriter));
 
-            String xmlContent = stringWriter.toString();
-            return Response.ok(xmlContent, MediaType.APPLICATION_XML).build();
+            return Response.ok(stringWriter.toString(), MediaType.APPLICATION_XML).build();
 
         } catch (Exception exception) {
             LoggerFactory.getLogger(ApiResource.class.getName()).error(
@@ -321,6 +347,7 @@ public Response getXml(@Context Request request,
     }
 
 
+
     private static boolean isLocalhost(Request request) {
         boolean isLocalhost = request.getRemoteAddr().equals("127.0.0.1") || request.getRemoteAddr().equals("::1");
         return isLocalhost;

From e3c224ff5fa39825cf7506800306df19477ae080 Mon Sep 17 00:00:00 2001
From: apeiris <mapeiris@hotmail.com>
Date: Mon, 25 Aug 2025 11:47:51 -0400
Subject: [PATCH 5/5] Fix getXml endpoint to safely handle XPath input and wrap
 results

- Restrict allowed XPath expressions to a predefined set, including "*".
- Prevent XPath injection and XXE attacks by validating input and disabling DOCTYPE.
- Wrap returned XML nodes in a <results> root element to avoid DOM hierarchy errors.
- Simplify XML transformation and response building.
---
 .../cmd/processor/restapi/ApiResource.java    | 53 ++++++++++++++-----
 1 file changed, 40 insertions(+), 13 deletions(-)

diff --git a/Server/src/main/java/org/openas2/cmd/processor/restapi/ApiResource.java b/Server/src/main/java/org/openas2/cmd/processor/restapi/ApiResource.java
index 7ffee91d..33b2abc1 100644
--- a/Server/src/main/java/org/openas2/cmd/processor/restapi/ApiResource.java
+++ b/Server/src/main/java/org/openas2/cmd/processor/restapi/ApiResource.java
@@ -40,13 +40,19 @@
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
+
 
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerFactory;
+
+
+
+import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathExpression;
 import javax.xml.xpath.XPathFactory;
@@ -63,6 +69,7 @@
 import org.slf4j.LoggerFactory;
 
 import org.w3c.dom.Document;
+import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 
@@ -281,34 +288,53 @@ public Response getXml(@Context Request request,
                     .type(MediaType.APPLICATION_JSON)
                     .build();
         }
-        if (xpathExpression == null || !xpathExpression.matches("[a-zA-Z0-9_/@\\[\\]/\\*\\-]+")) {
+
+
+        Set<String> allowedXPaths = Set.of(
+                "/partnerships/partner",
+                "/partnerships/partner/name",
+                "/partnerships/*",
+                "*"
+        );
+
+        if (xpathExpression == null || !allowedXPaths.contains(xpathExpression)) {
             return Response.status(Response.Status.BAD_REQUEST)
-                    .entity("{\"error\":\"Invalid XPath expression\"}")
+                    .entity("{\"error\":\"Invalid or disallowed XPath expression\"}")
                     .type(MediaType.APPLICATION_JSON)
                     .build();
         }
 
-
         Session session = getProcessor().getSession();
         String filePath = session.getBaseDirectory() + "/" + filename;
 
         try {
-            NodeList nodeList = getNodes(filePath, xpathExpression);
-            DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
-            Document resultDocument = db.newDocument();
+
+            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // prevent XXE
+            DocumentBuilder builder = factory.newDocumentBuilder();
+            Document document = builder.parse(new File(filePath));
+
+
+            XPath xpath = XPathFactory.newInstance().newXPath();
+            XPathExpression expr = xpath.compile(xpathExpression);
+            NodeList nodeList = (NodeList) expr.evaluate(document, XPathConstants.NODESET);
+
+
+            Document resultDocument = builder.newDocument();
+            Element root = resultDocument.createElement("results");
+            resultDocument.appendChild(root);
 
             for (int i = 0; i < nodeList.getLength(); i++) {
                 Node importedNode = resultDocument.importNode(nodeList.item(i), true);
-                resultDocument.appendChild(importedNode);
+                root.appendChild(importedNode);
             }
 
+            // Convert to string
+            Transformer transformer = TransformerFactory.newInstance().newTransformer();
             StringWriter stringWriter = new StringWriter();
-            TransformerFactory transformerFactory = TransformerFactory.newInstance();
-            Transformer transformer = transformerFactory.newTransformer();
             transformer.transform(new DOMSource(resultDocument), new StreamResult(stringWriter));
 
-            String xmlContent = stringWriter.toString();
-            return Response.ok(xmlContent, MediaType.APPLICATION_XML).build();
+            return Response.ok(stringWriter.toString(), MediaType.APPLICATION_XML).build();
 
         } catch (Exception exception) {
             LoggerFactory.getLogger(ApiResource.class.getName()).error(
@@ -321,6 +347,7 @@ public Response getXml(@Context Request request,
     }
 
 
+
     private static boolean isLocalhost(Request request) {
         boolean isLocalhost = request.getRemoteAddr().equals("127.0.0.1") || request.getRemoteAddr().equals("::1");
         return isLocalhost;