
List:       axis-user-ja
Subject:    Re: [Axis2]: Authenticate WSDL
From:       robertlazarski <robertlazarski () gmail ! com>
Date:       2018-09-28 14:00:37
Message-ID: CABpPLBVkom_si-Wj5Mj7wrJQQ5SsLomiUtChTsWJMpf3aFti5A () mail ! gmail ! com

On Thu, Sep 27, 2018 at 11:46 PM SUBBU S <subbu.sistha@gmail.com> wrote:

> Hi Team,
>
> Through the Administrative console we are able to access the available
> services; after authentication we are able to access the available services.
>
> In the same way, we need authentication for the WSDL files, which are not
> authenticated. Anybody can access the WSDL files if they have the URL.
>
> It's a security risk. It was possible to retrieve Web Services
> Description Language (WSDL) from web service endpoints as an anonymous
> user. While this functionality could be of use to a legitimate developer,
> it would also help an attacker to determine the methods exposed by a
> service and how to create a well-formed request.
>
> Is there any way to authenticate WSDL URLs?
>
> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for
> Windows 10
>

The admin console is not mandatory; for example, I remove it completely for
all projects at my day job. Anyway, its functionality is password
protected.

You can set exposeServiceMetadata=false in your axis2.xml, that should
disable the WSDL being exposed. See below for the default config and the
comments.

<!--
    The exposeServiceMetadata parameter decides whether the metadata
    (WSDL, schema, policy) of the services deployed on Axis2 should be
    visible when ?wsdl, ?wsdl2, ?xsd, ?policy requests are received.
    This parameter can be defined in the axis2.xml file, in which case
    it will be applicable globally, or in the services.xml files, in
    which case it will be applicable to the service groups and/or
    services, depending on the level at which the parameter is declared.
    The value of this parameter defaults to true.
-->
<parameter name="exposeServiceMetadata">true</parameter>

Regards,
Robert
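Since the parameter can be declared globally in axis2.xml and overridden per service group or per service in services.xml, the global "false" alone does not prove that no WSDL is reachable. The following is an added example, not code from this thread or from the Axis2 project: a small Python audit that resolves the effective value per service from the deployed config files. The axis2.xml and services.xml fragments and the service names (OrdersService, CatalogService, BillingService) are constructed samples, and the precedence order (service beats serviceGroup beats global beats the documented default of true) and the rule that only a literal "true" enables exposure are assumptions drawn from the config comment above rather than from the Axis2 source.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of a hardened axis2.xml (global scope).
AXIS2_XML = """<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="exposeServiceMetadata">false</parameter>
</axisconfig>
"""

# Constructed sample services.xml files. The first is a service group in which
# OrdersService re-enables metadata at service level and CatalogService inherits;
# the second is a standalone service that declares nothing.
SERVICES_XML = [
    """<serviceGroup>
    <service name="OrdersService">
        <parameter name="exposeServiceMetadata">true</parameter>
        <operation name="placeOrder"/>
    </service>
    <service name="CatalogService">
        <operation name="listItems"/>
    </service>
</serviceGroup>
""",
    """<service name="BillingService">
    <operation name="issueInvoice"/>
</service>
""",
]

# The config comment states the parameter defaults to true when not declared.
DEFAULT_EXPOSE = True


def declared_flag(elem):
    """Return the exposeServiceMetadata value declared as a direct <parameter>
    child of elem (True/False), or None when it is not declared at this level.
    Assumption: only a literal, case-insensitive "true" counts as true."""
    for param in elem.findall("parameter"):
        if param.get("name") == "exposeServiceMetadata":
            return (param.text or "").strip().lower() == "true"
    return None


def effective_exposure(axis2_xml, services_xml_files):
    """Map each service name to whether its ?wsdl/?xsd/?policy metadata is
    exposed. Assumed precedence: service-level declaration, then serviceGroup
    level, then the global axis2.xml value, then the documented default."""
    global_flag = declared_flag(ET.fromstring(axis2_xml))
    if global_flag is None:
        global_flag = DEFAULT_EXPOSE

    result = {}
    for xml_text in services_xml_files:
        root = ET.fromstring(xml_text)
        if root.tag == "serviceGroup":
            group_flag = declared_flag(root)
            services = root.findall("service")
        else:
            group_flag = None
            services = [root]
        for svc in services:
            # First non-None value in precedence order wins.
            flag = next(
                f for f in (declared_flag(svc), group_flag, global_flag) if f is not None
            )
            result[svc.get("name")] = flag
    return result


def exposed_services(axis2_xml, services_xml_files):
    """Sorted names of services whose metadata is still reachable anonymously."""
    return sorted(
        name for name, exposed in effective_exposure(axis2_xml, services_xml_files).items()
        if exposed
    )


if __name__ == "__main__":
    for name, exposed in effective_exposure(AXIS2_XML, SERVICES_XML).items():
        print(f"{name}: metadata {'EXPOSED' if exposed else 'blocked'}")
```

Run against a real deployment by reading the repository's axis2.xml and every services.xml under the services directory into the two inputs; any name reported by exposed_services still answers ?wsdl to anonymous callers and needs its service-level override removed. Note that after changing the files the application must be redeployed or restarted for Axis2 to pick up the new value.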
