Posted to java-dev@axis.apache.org by SUBBU S <su...@gmail.com> on 2018/09/28 05:46:00 UTC

[Axis2]: Authenticate WSDL

Hi Team,

Through the Administrative console we are able to access the available services; after authentication we are able to access the available services.

In the same way, we need authentication for the WSDL files, which are not authenticated. Anybody can access the WSDL files if they get the URL.

It's a security risk. It was possible to retrieve Web Services Description Language (WSDL) from web service endpoints as an anonymous user. While this functionality could be of use to a legitimate developer, it would also help an attacker to determine the methods exposed by a service and how to create a well-formed request.


Is there any way to authenticate wsdl urls?



Re: [Axis2]: Authenticate WSDL

Posted by robertlazarski <ro...@gmail.com>.

The admin console is not mandatory; for example, I remove it completely for
all projects at my day job. Anyway, its functionality is password
protected.

You can set exposeServiceMetadata=false in your axis2.xml; that should
disable the WSDL being exposed. See below for the default config and the
comments.

    <!--
       The exposeServiceMetadata parameter decides whether the metadata (WSDL, schema, policy) of
       the services deployed on Axis2 should be visible when ?wsdl, ?wsdl2, ?xsd, ?policy requests
       are received.
       This parameter can be defined in the axis2.xml file, in which case this will be applicable
       globally, or in the services.xml files, in which case, it will be applicable to the
       Service groups and/or services, depending on the level at which the parameter is declared.
       This value of this parameter defaults to true.
    -->
    <parameter name="exposeServiceMetadata">true</parameter>

Regards,
Robert
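
Added example (not part of the original thread and not Axis2 project code): a Python check that reads an axis2.xml and a services.xml and reports, per service, whether metadata would still be exposed given the levels described in the config comment above. It assumes the most specific declaration wins (service, then service group, then global) and that any value other than an explicit "false" leaves metadata exposed; the sample XML and service names are constructed.

```python
import xml.etree.ElementTree as ET

PARAM = "exposeServiceMetadata"

# Constructed sample: metadata disabled globally, re-enabled for one service.
AXIS2_XML = """<axisconfig name="AxisJava2.0">
    <parameter name="exposeServiceMetadata">false</parameter>
</axisconfig>"""

SERVICES_XML = """<serviceGroup>
    <service name="OrderService"/>
    <service name="StatusService">
        <parameter name="exposeServiceMetadata">true</parameter>
    </service>
</serviceGroup>"""

def _declared(elem):
    """True/False if elem directly declares the parameter, None if it does not."""
    for p in elem.findall("parameter"):  # direct children only
        if p.get("name") == PARAM:
            # Assumption: only an explicit "false" hides metadata (conservative for an audit).
            return (p.text or "").strip().lower() != "false"
    return None

def effective_exposure(axis2_xml, services_xml):
    """Map service name -> True if ?wsdl/?wsdl2/?xsd/?policy would be answered."""
    inherited = _declared(ET.fromstring(axis2_xml))
    if inherited is None:
        inherited = True  # documented default
    root = ET.fromstring(services_xml)
    if root.tag == "service":  # services.xml with a single top-level service
        services = [root]
    else:  # <serviceGroup> wrapping one or more services
        group = _declared(root)
        inherited = inherited if group is None else group
        services = root.findall("service")
    result = {}
    for svc in services:
        own = _declared(svc)
        result[svc.get("name", "<unnamed>")] = inherited if own is None else own
    return result

def exposed_services(axis2_xml, services_xml):
    """Names of services that still publish metadata to anonymous callers."""
    return sorted(n for n, e in effective_exposure(axis2_xml, services_xml).items() if e)

if __name__ == "__main__":
    for name in exposed_services(AXIS2_XML, SERVICES_XML):
        print(f"metadata still exposed: {name}")
```

Running it over each deployed service archive's services.xml shows where a service-level override undoes a global exposeServiceMetadata=false.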