Hi all, I have a security problem with apache-soap. To solve it, it would be nice, if the Provider-class for the ServiceManager methods(SMM) (deploy, undeploy and list) could be configured by the saopconfig file (soap.xml). The reason follows: If someone is allowed to access one service, he can access all services witch are deployed on the server, espacially the deploy, undeploy and list methods of the ServiceManager. I saw in the latest cvs version (HEAD) that the deployment of the ServiceManager-methods could be switched off, but this is a all or nothing solution. The only way to deploy a service, after switching it off, is to use the JSPs and make it secure with SSL and login via tomcat. And the DeployesServices-file should be moved to the WEB-INF directory. For this the JSPs must be modified, because they don't use the soap.xml-file. But this is no problem. If someone is interested in the patch, I could send it to the list. But there is still the routing problem. I want to fix it with my own Provider-class. This could check via the locate-function if the request for this IP, server-name, port etc. is allowed with/without a login. The login could happen as a SOAP-Header or HTTP-Auth. But the Provider for the SMM is hardcoded, so making tha configurable could solve the security problem for these methods. Than we could use the ServiceManagerClient with an untouched uri on a special Port with SSL and Client-Auth. With one new config-option the rest can be untouched and every developer could control the access to all deployed services, without building it in the deployed service classes with the SOAPContext. I hope I don't miss something and this feature is useful. If there are interests in this, I could write the provider and give it to the apache-soap. Bernd -- Dipl.-Inform. Bernd Koecke UNIX-Entwicklung Schlund+Partner AG Fon: +49-721-91374-0 E-Mail: [EMAIL PROTECTED]
