Posted to soap-user@ws.apache.org by Nick Kornweibel <ko...@surfeu.de> on 2002/08/27 15:26:47 UTC

security with Apache SOAP

Hi SOAPites,

I have just downloaded and installed Apache SOAP on JRun and IIS and wanted
to get a better understanding of what I had installed on our development sys
before starting....

JSP Admin Pages:

I was surprised to find that the admin JSP pages had no security/login,
etc - and after installing are immediately available to the entire world....

ServiceManager SOAP interface:

I also read in the docs that the ServiceManager SOAP interface "should be
disabled" after development - this is also a security problem.

Have I done something wrong or do I misunderstand something?

Surely something needs to be done with the Admin JSP pages before the system
goes into the production environment?

Are there any docs about how to "lock down" Apache SOAP...or is each person
left to their own devices to work this out?

Hope to hear from you!

Regards,

Nick


Re: security with Apache SOAP

Posted by Scott Nichol <sn...@scottnichol.com>.
You are right: there should be better docs for locking down an installation.
Any volunteers ;-)

If you check the Server Configuration section of the User's Guide, you'll
find information about the server configuration file, which allows you to
specify a service and configuration manager and enable/disable.

As always, suggestions for new or improved features are welcome, especially
in the form of code submissions!

Scott Nichol
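
One way to apply the lock-down discussed in this thread, shown as an added example that is not part of the original posts or of the Apache SOAP distribution. The first fragment uses the server configuration file described in the User's Guide's Server Configuration section (element and option names should be checked against the guide shipped with your version); the second uses standard servlet web.xml security elements, and its URL pattern, role name and realm name are assumptions.

```xml
<!-- Fragment 1: Apache SOAP server configuration file (added example).
     Disables the ServiceManager SOAP interface so that services cannot
     be deployed or undeployed through remote SOAP calls. -->
<soapServer>
  <serviceManager>
    <!-- The development setting is value="true" -->
    <option name="SOAPInterfaceEnabled" value="false"/>
  </serviceManager>
</soapServer>

<!-- Fragment 2: additions to the SOAP web application's WEB-INF/web.xml.
     Assumptions: the admin JSP pages are served under /admin/, and a
     role named "soapadmin" (hypothetical) exists in the container's
     user store. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Apache SOAP admin pages</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <!-- No http-method elements: the constraint then covers every
         HTTP method, not only GET and POST. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>soapadmin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC credentials are only base64-encoded, so require TLS -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Apache SOAP administration</realm-name>
</login-config>
<security-role>
  <role-name>soapadmin</role-name>
</security-role>
```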




