Hi Victor, Thks for replying so promptly....
>your certificate wouldn't be able to connect to your rpcrouter. Is this what >you're trying to do? Nope. Even with SSL I dun feel safe. A client that is authenticated can still be using a stolen client cert. Hacker can still undeploy/replace the publish service. I need a rpcrouter that won't respond to any of the following commands from the java org.apache.soap.server.ServiceManagerClient: deploy, list, query and undeploy. And still be used by client to execute the SOAP Call object remotely. Cheers, Boon Pang At 01:30 PM 10/2/2001 +1000, you wrote: >Hi, > >Sorry I might have misread your earlier email. If you are concern about the >security you can run soap via SSL, therefore other sites that doesn't have >your certificate wouldn't be able to connect to your rpcrouter. Is this what >you're trying to do? > >/victor > >On Tue, 2 Oct 2001 13:15, you wrote: > > Hi, > > Thanks for replying... > > > > > <configManager value="com.yourClass" /> > > > > Do you mean I have to write my own config manager? I am new to SOAP for > > about 2 weeks. > > Is that the only solution? > > > > Can any soap engine developer please compile a rpcrouter container that is > > safe for production? > > In my novice opinion removing response to deploy, list, query and undeploy > > command from any where > > would be safe enough. We can live with rpcrouter loading the services > > component from "DeployedServices.ds". > > Usually the production environment are rather static. > > > > > > cheers, > > Boon Pang > > > > At 09:36 AM 10/2/2001 +1000, you wrote: > > >Read the documentation about configuring your Manager. Basically you have > > > to change the > > > > > > <init-param> > > > <param-name>ConfigFile</param-name> > > > <param-value>WEB-INF/yourconfigfile.xml</param-value> > > > </init-param> > > > > > >to point to your file. > > > > > >And in that file you can specify your config manager, it looks like this: > > > > > > <soapServer> > > > <configManager value="com.yourClass" /> > > > </soapServer> > > > > > > > > >vic . > > > > > >On Fri, 28 Sep 2001 19:14, you wrote: > > > > Hi, > > > > > > > > Something cross my mind..when I was using this tool: > > > > >Usage: java org.apache.soap.server.ServiceManagerClient [-auth > > > > > > > > username:password] url operation arguments > > > > > > > > >where > > > > > username and password is the HTTP Basic authentication info > > > > > url is the Apache SOAP router's URL whose services are > > > > > managed operation and arguments are: > > > > > deploy deployment-descriptor-file.xml > > > > > list > > > > > query service-name > > > > > undeploy service-name > > > > > > > > and URL is be > > > > http://somehost.somedomain.com:8080/soap/servlet/rpcrouter for managing > > > > the soap services. > > > > This is also the URL we use by the soap client to connect to for soap > > > > deployed services. > > > > > > > > In a production environment over the internet, this can be very > > > > dangerous. Hackers can use the same tool > > > > to exploit the soap services we publish using this URL. > > > > > > > > Is there anyway I can turn off the Manager part of the rpcrouter > > > > [org.apache.soap.providers.RPCJavaProvider ] > > > > and still allow my client to connect to this URL? Is there another > > > > rpcrouter that does not have any management binary > > > > in it? > > > > > > > > Did I miss anything? Maybe is documented. If no such feature is avail, > > > > Can someone please > > > > show me how to work around? > > > > > > > > thanks 1000, > > > > Boon Pang > > > > > >-- > > >Victor Hadianto > > >Nuix Pty. Ltd. (02) 9283 9010 > >-- >Victor Hadianto >Nuix Pty. Ltd. (02) 9283 9010
