Hi,

Something crossed my mind when I was using this tool:

> Usage: java org.apache.soap.server.ServiceManagerClient [-auth username:password] url operation arguments
> where
>   username and password is the HTTP Basic authentication info
>   url is the Apache SOAP router's URL whose services are managed
>   operation and arguments are:
>     deploy deployment-descriptor-file.xml
>     list
>     query service-name
>     undeploy service-name

and the URL is http://somehost.somedomain.com:8080/soap/servlet/rpcrouter for managing the SOAP services. This is also the URL the SOAP client uses to connect to the deployed SOAP services.

In a production environment over the internet, this can be very dangerous. Hackers can use the same tool to exploit the SOAP services we publish using this URL.

Is there any way I can turn off the Manager part of the rpcrouter [org.apache.soap.providers.RPCJavaProvider] and still allow my client to connect to this URL? Is there another rpcrouter that does not have any management binary in it?

Did I miss anything? Maybe it is documented. If no such feature is available, can someone please show me how to work around it?

Thanks 1000,
Boon Pang
