Posted to java-user@axis.apache.org by "Tim K. (Gmane)" <tk...@ugcs.net> on 2005/01/26 01:46:34 UTC
Securing an Axis deployment
Hello,
How can I turn off these features for an Axis production deployment:
1) Disable the generation of WSDL when one goes to
http://server:port/app/ws/ServiceName?wsdl
2) Turn off listing the available services and their methods by going to
http://server:port/app/ws/
3) Turn off all Admin services/servlets, etc.
I would like to provide clients static WSDL files they can download from
another (static) location and only allow my custom web services to be
invoked, not the Axis built-in ones. This way I only have to worry about
the security and exploits of my stuff rather than sweat over what could
be exploited via the default Axis features (which for development are
great, but not for production).
Thank you for your help.
--
Tim
Re: Securing an Axis deployment
Posted by "Tim K. (Gmane)" <tk...@ugcs.net>.
OK, so it's not possible via Axis' configuration. That's what I wanted
to know so I can look at alternatives.
I guess one alternative is to patch the code, maybe even add an option
so I can flip it between dev and production envs.
Tim
Mike Barton wrote:
> Tim,
>
> Yes, we have done something very similar to that by using custom Axis
> handlers and web app filters.
>
> Mike
>
>
> Tim K. (Gmane) wrote:
>
>>
>> Anyone out there who uses Axis on a production system and has disabled
>> these features?
>>
>> Thanks.
>>
>> Tim
>>
>> Tim K. (Gmane) wrote:
>>
>>> Hello,
>>>
>>> How can I turn off these features for an Axis production deployment:
>>>
>>> 1) Disable the generation of WSDL when one goes to
>>> http://server:port/app/ws/ServiceName?wsdl
>>>
>>> 2) Turn off listing the available services and their methods by going
>>> to http://server:port/app/ws/
>>>
>>> 3) Turn off all Admin services/servlets, etc.
>>>
>>> I would like to provide clients static WSDL files they can download
>>> from another (static) location and only allow my custom web services
>>> to be invoked, not the Axis built-in ones. This way I only have to
>>> worry about the security and exploits of my stuff rather than sweat
>>> over what could be exploited via the default Axis features (which for
>>> development are great, but not for production).
>>>
>>> Thank you for your help.
>>>
>>
>>
>>
>
Re: Securing an Axis deployment
Posted by Mike Barton <mb...@allesta.com>.
Tim,
Yes, we have done something very similar to that by using custom Axis
handlers and web app filters.
Mike
Tim K. (Gmane) wrote:
>
> Anyone out there who uses Axis on a production system and has disabled
> these features?
>
> Thanks.
>
> Tim
>
> Tim K. (Gmane) wrote:
>
>> Hello,
>>
>> How can I turn off these features for an Axis production deployment:
>>
>> 1) Disable the generation of WSDL when one goes to
>> http://server:port/app/ws/ServiceName?wsdl
>>
>> 2) Turn off listing the available services and their methods by going
>> to http://server:port/app/ws/
>>
>> 3) Turn off all Admin services/servlets, etc.
>>
>> I would like to provide clients static WSDL files they can download
>> from another (static) location and only allow my custom web services
>> to be invoked, not the Axis built-in ones. This way I only have to
>> worry about the security and exploits of my stuff rather than sweat
>> over what could be exploited via the default Axis features (which for
>> development are great, but not for production).
>>
>> Thank you for your help.
>>
>
>
>
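The web app filter approach Mike mentions could look like the following. This is an added example, not code from any poster or from the Axis project. It assumes the filter is mapped in web.xml to the same URL pattern as the Axis servlet (the `/ws/*` of Tim's URLs), that clients invoke services with HTTP POST only, and that the class name `AxisLockdownFilter` and the init-param `allowedServices` are hypothetical names chosen here.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: lets through only POSTs to allow-listed service names
// and answers everything else (GET ?wsdl, the service listing, unlisted
// services such as AdminService) with 404.
public class AxisLockdownFilter implements Filter {
    private final Set<String> allowed = new HashSet<String>();

    public void init(FilterConfig cfg) throws ServletException {
        // "allowedServices" is an assumed init-param: comma-separated names.
        String names = cfg.getInitParameter("allowedServices");
        if (names != null) {
            for (String n : names.split(",")) {
                if (!n.trim().isEmpty()) {
                    allowed.add(n.trim());
                }
            }
        }
        if (allowed.isEmpty()) {
            // Fail at startup instead of silently running with no policy.
            throw new ServletException("allowedServices init-param is required");
        }
    }

    // True only for a POST whose path is exactly /<allow-listed service name>.
    boolean permits(String method, String pathInfo) {
        if (!"POST".equals(method) || pathInfo == null || !pathInfo.startsWith("/")) {
            return false; // browser-style GETs never reach Axis
        }
        // Exact match, so sub-paths and unlisted built-in services are refused.
        return allowed.contains(pathInfo.substring(1));
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        if (permits(http.getMethod(), http.getPathInfo())) {
            chain.doFilter(req, res);
        } else {
            // 404 rather than 403, so the reply does not confirm what is deployed.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
        }
    }

    public void destroy() { }
}
```

The filter only covers the URL pattern it is mapped to; servlets mapped elsewhere in web.xml, such as Axis's AdminServlet, need their own mappings removed.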
Re: Securing an Axis deployment
Posted by "Tim K. (Gmane)" <tk...@ugcs.net>.
Anyone out there who uses Axis on a production system and has disabled
these features?
Thanks.
Tim
Tim K. (Gmane) wrote:
> Hello,
>
> How can I turn off these features for an Axis production deployment:
>
> 1) Disable the generation of WSDL when one goes to
> http://server:port/app/ws/ServiceName?wsdl
>
> 2) Turn off listing the available services and their methods by going to
> http://server:port/app/ws/
>
> 3) Turn off all Admin services/servlets, etc.
>
> I would like to provide clients static WSDL files they can download from
> another (static) location and only allow my custom web services to be
> invoked, not the Axis built-in ones. This way I only have to worry about
> the security and exploits of my stuff rather than sweat over what could
> be exploited via the default Axis features (which for development are
> great, but not for production).
>
> Thank you for your help.
>
Re: Securing an Axis deployment
Posted by Eugene Shershnev <sh...@gmail.com>.
This is not going to do what Tim wants. ?wsdl will still be available, with
the difference that the WSDL you specify in the WSDD file will be provided for
that request. He wants to disable that feature altogether.
Also, AFAIK, when you use <wsdlFile> you need a WSDL file somewhere on the
classpath, not necessarily in AXIS_HOME/WEB-INF/classes.
--
Eugene
----- Original Message -----
From: "Yves Erb" <la...@hotmail.com>
To: <ax...@ws.apache.org>
Sent: Wednesday, January 26, 2005 11:41a
Subject: Re: Securing an Axis deployment
> Hello,
> I think I can help you with the first point. In the service element of your
> deploy.wsdd file, add <wsdlFile>yourWsdlFile</wsdlFile>. I read somewhere
> that you should put this wsdl in the AXIS_HOME/WEB-INF/classes directory (or
> some descendant) but maybe it's not a requirement.
>
> Yves
>
> ----- Original Message -----
> From: "Tim K. (Gmane)" <tk...@ugcs.net>
> To: <ax...@ws.apache.org>
> Sent: Wednesday, January 26, 2005 1:46 AM
> Subject: Securing an Axis deployment
>
>
> > Hello,
> >
> > How can I turn off these features for an Axis production deployment:
> >
> > 1) Disable the generation of WSDL when one goes to
> > http://server:port/app/ws/ServiceName?wsdl
> >
> > 2) Turn off listing the available services and their methods by going to
> > http://server:port/app/ws/
> >
> > 3) Turn off all Admin services/servlets, etc.
> >
> > I would like to provide clients static WSDL files they can download from
> > another (static) location and only allow my custom web services to be
> > invoked, not the Axis built-in ones. This way I only have to worry about
> > the security and exploits of my stuff rather than sweat over what could be
> > exploited via the default Axis features (which for development are great,
> > but not for production).
> >
> > Thank you for your help.
> >
> > --
> > Tim
Re: Securing an Axis deployment
Posted by Yves Erb <la...@hotmail.com>.
Hello,
I think I can help you with the first point. In the service element of your
deploy.wsdd file, add <wsdlFile>yourWsdlFile</wsdlFile>. I read somewhere
that you should put this wsdl in the AXIS_HOME/WEB-INF/classes directory (or
some descendant) but maybe it's not a requirement.
Yves
----- Original Message -----
From: "Tim K. (Gmane)" <tk...@ugcs.net>
To: <ax...@ws.apache.org>
Sent: Wednesday, January 26, 2005 1:46 AM
Subject: Securing an Axis deployment
> Hello,
>
> How can I turn off these features for an Axis production deployment:
>
> 1) Disable the generation of WSDL when one goes to
> http://server:port/app/ws/ServiceName?wsdl
>
> 2) Turn off listing the available services and their methods by going to
> http://server:port/app/ws/
>
> 3) Turn off all Admin services/servlets, etc.
>
> I would like to provide clients static WSDL files they can download from
> another (static) location and only allow my custom web services to be
> invoked, not the Axis built-in ones. This way I only have to worry about
> the security and exploits of my stuff rather than sweat over what could be
> exploited via the default Axis features (which for development are great,
> but not for production).
>
> Thank you for your help.
>
> --
> Tim