Discussion:
[Axis2]: Authenticate WSDL
SUBBU S
2018-09-28 05:46:00 UTC
Permalink
Hi Team,

Through Admistractive console we are able to access available service, after authentication we able to access available services

Same way, we need authentication for the WSDL file, which are not authenticated. Any body can accessible WSDL files if they got the URL

It’s a security risk, It was possible to retrieve Web Services Description Language (WSDL) from web service endpoints as an anonymous user. While this functionality could be of use to a legitimate developer, it would also help an attacker to determine the methods exposed by a service and how to create a well-formed request.


Is there any way to authenticate wsdl urls?

Sent from Mail for Windows 10
robertlazarski
2018-09-28 14:00:37 UTC
Permalink
Post by SUBBU S
Hi Team,
Through Admistractive console we are able to access available service,
after authentication we able to access available services
Same way, we need authentication for the WSDL file, which are not
authenticated. Any body can accessible WSDL files if they got the URL
It’s a security risk, It was possible to retrieve Web Services
Description Language (WSDL) from web service endpoints as an anonymous
user. While this functionality could be of use to a legitimate developer,
it would also help an attacker to determine the methods exposed by a
service and how to create a well-formed request.
Is there any way to authenticate wsdl urls?
Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for
Windows 10
The admin console is not mandatory, for example I remove it completely for
all projects at my day job. Anyways its functionality is password
protected.

You can set exposeServiceMetadata=false in your axis2.xml , that should
disable the WSDL being exposed. See below for the default config and the
comments.

<!--
The exposeServiceMetadata parameter decides whether the metadata
(WSDL, schema, policy) of
the services deployed on Axis2 should be visible when ?wsdl, ?wsdl2,
?xsd, ?policy requests
are received.
This parameter can be defined in the axi2.xml file, in which case
this will be applicable
globally, or in the services.xml files, in which case, it will be
applicable to the
Service groups and/or services, depending on the level at which the
parameter is declared.
This value of this parameter defaults to true.
-->
<parameter name="exposeServiceMetadata">true</parameter>

Regards,
Robert

Loading...