Hi Steve:

I'm not sure the <wsdlFile> thing is any worse than any number of other things you can 
do with admin access.  For instance, you could deploy the System class as a service, 
and then invoke System.exit()....

That said, I'm fine with the *.wsdl idea too.

--Glen

> -----Original Message-----
> From: Steve Loughran [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, November 19, 2002 6:34 PM
> To: axis-dev
> Subject: <wsdlFile> 
> 
> 
> 
> -just modified <wsdlFile> element support so that you can 
> name a resource as
> well as a file path to a WSDL file, and so bundle stuff in 
> your webapp. You
> still need custom WSDL for each webapp of course, with the 
> right local URL;
> that is a detail I am ignoring.
> 
> One thing that concerns me is the security of the whole 
> attribute: anyone
> can submit the name of any XML file on the server and have it 
> served back.
> Which means anyone with access to the admin service has read 
> access to the
> server's disk, and can get things like tomcat's server.xml, 
> or anything else
> of value.
> 
> I am minded to restrict access *only* to files ending in ".wsdl".
> 
> 
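
The restriction proposed in the quoted message, as an added example; it is not Axis code and does not come from either poster. The class name `WsdlFileGuard` and the idea of a fixed base directory are assumptions made here, and the base-directory check goes beyond the ".wsdl" suffix rule in the message, since a suffix test alone still allows any `.wsdl` file on the disk to be read.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;

// Hypothetical helper: decides whether a <wsdlFile> value may be served.
public class WsdlFileGuard {
    private final Path baseDir; // assumed: the one directory WSDL files may live in

    public WsdlFileGuard(Path baseDir) throws IOException {
        this.baseDir = baseDir.toRealPath(); // canonical form, symlinks resolved
    }

    /** Returns the resolved file if it may be served, otherwise throws. */
    public Path resolve(String requested) throws IOException {
        if (requested == null || requested.indexOf('\0') >= 0) {
            throw new SecurityException("invalid wsdlFile value");
        }
        // The rule from the message: only names ending in ".wsdl".
        if (!requested.toLowerCase(Locale.ROOT).endsWith(".wsdl")) {
            throw new SecurityException("wsdlFile must end in .wsdl");
        }
        // Added rule: the name must stay inside baseDir after normalisation.
        Path candidate = baseDir.resolve(requested).normalize();
        if (!candidate.startsWith(baseDir)) {
            throw new SecurityException("wsdlFile is outside the WSDL directory");
        }
        Path real = candidate.toRealPath(); // throws if missing; follows symlinks
        if (!real.startsWith(baseDir) || !Files.isRegularFile(real)) {
            throw new SecurityException("wsdlFile is not a regular file in the WSDL directory");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout in a temporary directory.
        Path base = Files.createTempDirectory("webapp");
        Files.createDirectories(base.resolve("wsdl"));
        Files.writeString(base.resolve("wsdl/echo.wsdl"), "<definitions/>");
        Files.writeString(base.resolve("server.xml"), "<Server/>");
        WsdlFileGuard guard = new WsdlFileGuard(base);
        for (String s : new String[] {"wsdl/echo.wsdl", "server.xml", "../outside.wsdl"}) {
            try {
                System.out.println(s + " -> served from " + guard.resolve(s));
            } catch (SecurityException | IOException e) {
                System.out.println(s + " -> refused: " + e.getMessage());
            }
        }
    }
}
```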
