Posted to soap-user@xml.apache.org by Ed Yu <ek...@asgnet.psc.sc.edu> on 2001/08/24 22:03:01 UTC

Security concern for SOAP 2.2

Hi all,
For security reasons, we should add the following back to the web.xml within
the soap.jar so that it uses the Tomcat admin user to authenticate, because
currently the SOAP admin interface is wide open. Can anyone tell me how to
submit this patch?

<web-app>
  <security-constraint>
    <web-resource-collection>
       <web-resource-name>Protected Area</web-resource-name>
       <url-pattern>/admin/*</url-pattern>
       <http-method>DELETE</http-method>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
       <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
       <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Admin</realm-name>
  </login-config>
.
.
.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Ed Yu, IBM Certified Specialist - AIX System Administrator
Information Technology Manager,
University of South Carolina,
Advanced Solutions Group, Physics Dept.,
Columbia, SC 29208
Office (803)777-8831, FAX (803)777-8833, Email ekyu@asgnet.psc.sc.edu
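
Added example (not part of the original post or of Apache SOAP): a Python check a deployer could run against a web.xml to confirm that a URL pattern such as /admin/* carries an auth-constraint, and to list the HTTP methods that constraint does not name, since under the Servlet specification a web-resource-collection that lists http-method elements constrains only those methods. The names audit_pattern and COMMON_METHODS are hypothetical, and the sample descriptor is the post's snippet closed with </web-app> so that it parses.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the snippet from the post, closed with </web-app> so it parses.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Admin</realm-name>
  </login-config>
</web-app>"""

COMMON_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}  # assumed set

def _children(elem, name):
    # Compare local names so descriptors that declare an XML namespace work too.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def audit_pattern(web_xml, url_pattern):
    """Return (roles, uncovered_methods); roles is None if the pattern has no auth-constraint."""
    root = ET.fromstring(web_xml)
    roles, covered, found = set(), set(), False
    for sc in _children(root, "security-constraint"):
        auth = _children(sc, "auth-constraint")
        if not auth:
            continue  # a constraint without auth-constraint does not require login
        for wrc in _children(sc, "web-resource-collection"):
            patterns = {(p.text or "").strip() for p in _children(wrc, "url-pattern")}
            if url_pattern not in patterns:
                continue
            found = True
            methods = {(m.text or "").strip().upper() for m in _children(wrc, "http-method")}
            covered |= methods or COMMON_METHODS  # no <http-method> means all methods
            roles |= {(r.text or "").strip() for a in auth for r in _children(a, "role-name")}
    if not found:
        return None, sorted(COMMON_METHODS)
    return sorted(roles), sorted(COMMON_METHODS - covered)
```

The function matches url-pattern strings exactly rather than resolving servlet path mapping, so it should be called with the pattern as written in the descriptor.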