[Axis2]: Authenticate WSDL

SUBBU S

Hi Team,

Through the Administrative console we are able to access the available services; after authentication we are able to access the available services.

In the same way, we need authentication for the WSDL files, which are not authenticated. Anybody can access the WSDL files if they have the URL.

It's a security risk. It was possible to retrieve Web Services Description Language (WSDL) from web service endpoints as an anonymous user. While this functionality could be of use to a legitimate developer, it would also help an attacker to determine the methods exposed by a service and how to create a well-formed request.

Is there any way to authenticate WSDL URLs?

Re: [Axis2]: Authenticate WSDL

robertlazarski .


On Thu, Sep 27, 2018 at 11:46 PM SUBBU S <[hidden email]> wrote:

> Hi Team,
>
> Through the Administrative console we are able to access the available services; after authentication we are able to access the available services.
>
> In the same way, we need authentication for the WSDL files, which are not authenticated. Anybody can access the WSDL files if they have the URL.
>
> It's a security risk. It was possible to retrieve Web Services Description Language (WSDL) from web service endpoints as an anonymous user. While this functionality could be of use to a legitimate developer, it would also help an attacker to determine the methods exposed by a service and how to create a well-formed request.
>
> Is there any way to authenticate WSDL URLs?

The admin console is not mandatory; for example, I remove it completely for all projects at my day job. Anyway, its functionality is password protected.

You can set exposeServiceMetadata=false in your axis2.xml; that should disable the WSDL being exposed. See below for the default config and the comments.

    <!--
       The exposeServiceMetadata parameter decides whether the metadata (WSDL, schema, policy) of
       the services deployed on Axis2 should be visible when ?wsdl, ?wsdl2, ?xsd, ?policy requests
       are received.
       This parameter can be defined in the axis2.xml file, in which case this will be applicable
       globally, or in the services.xml files, in which case, it will be applicable to the
       Service groups and/or services, depending on the level at which the parameter is declared.
       The value of this parameter defaults to true.
    -->
    <parameter name="exposeServiceMetadata">true</parameter>

Regards,
Robert