Posted to soap-dev@xml.apache.org by Chris Staszak <st...@storerunner.com> on 2000/11/21 03:20:21 UTC

Security for RPCRouterServlet

This is my first day on the soap-dev list, so please forgive me if I am
bringing up a subject that has been discussed here previously, or for which
someone already has a fix in place.

I am preparing to deploy a publicly accessible SOAP server. However, the
ability for arbitrary remote clients to 'deploy', 'undeploy', etc., without
authentication, is not very appealing to me or my security-conscious
system administrators.

I have attached a modified copy of RPCRouterServlet which provides the
ability to turn off these remote capabilities. In essence, the
RPCRouterServlet is given an init parameter named "SecureDeployment", which
points to a directory containing deployment descriptors. If this parameter
is detected, remote deployment calls are disabled. Instead, any deployment
descriptors in the configured SecureDeployment directory are deployed
internally when the servlet is initialized.

Hopefully this additional functionality is of use to the SOAP users, and
something like it may be included in future releases. Please feel free to
send me any comments, corrections, or ideas. I am willing to continue
refining these mechanisms if there is a need for it.

Chris

---------------------------------
Chris Staszak
StoreRunner Network Incorporated
staszak@storerunner.com
(858)546-2669
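
The gate described in the message above, sketched in plain Java as an added example. It is not the attached RPCRouterServlet or any Apache SOAP code. The class name, the Map standing in for the servlet init parameters, the "*.xml" descriptor filter, and the sample file and method names are assumptions.

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.*;

// Added illustration only; models the behaviour described in the post without the servlet API.
public class SecureDeploymentGate {
    // Management calls named in the post; a real router may expose more (assumption).
    private static final Set<String> MANAGEMENT_METHODS = Set.of("deploy", "undeploy");
    private final boolean remoteManagementDisabled;
    private final Map<String, Path> deployed = new TreeMap<>();

    // initParams stands in for the servlet's init parameters (hypothetical wiring).
    public SecureDeploymentGate(Map<String, String> initParams) throws IOException {
        String dir = initParams.get("SecureDeployment");
        remoteManagementDisabled = (dir != null);
        if (dir == null) return; // parameter absent: remote management stays enabled
        // Fail closed: a missing or non-directory path aborts initialisation.
        Path root = Paths.get(dir).toRealPath();
        if (!Files.isDirectory(root)) throw new IOException("not a directory: " + root);
        try (DirectoryStream<Path> ds = Files.newDirectoryStream(root, "*.xml")) {
            for (Path p : ds) {
                // Skip symlinks so a link cannot pull in a descriptor from elsewhere.
                if (Files.isRegularFile(p, LinkOption.NOFOLLOW_LINKS))
                    deployed.put(p.getFileName().toString(), p);
            }
        }
    }

    // True when a remote call may be dispatched; management calls are refused once locked.
    public boolean allowRemoteCall(String method) {
        return !(remoteManagementDisabled && MANAGEMENT_METHODS.contains(method));
    }

    public Set<String> deployedDescriptors() { return deployed.keySet(); }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("descriptors");                  // constructed sample
        Files.writeString(dir.resolve("example-service.xml"), "<service/>"); // constructed sample
        SecureDeploymentGate locked =
            new SecureDeploymentGate(Map.of("SecureDeployment", dir.toString()));
        SecureDeploymentGate open = new SecureDeploymentGate(Map.of());
        System.out.println("descriptors loaded at init: " + locked.deployedDescriptors());
        for (String m : List.of("deploy", "undeploy", "getQuote"))
            System.out.println(m + ": locked=" + locked.allowRemoteCall(m)
                + " open=" + open.allowRemoteCall(m));
    }
}
```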