> I agree with Andreas on this point.
> Previous works in this area also showed vulnerabilities of that kind in
> a big number of actually deployed services.
> The problem here is that when writing a usual Java program you usually
> don't care about protection on this level, since the access is not
> public. When exposing this POJO as a Web-Service it seems as if a lot of
> people/companies don't review their code to eliminate such problems.
>
> That is THE advantage of using a mediator like Synapse. There is no need
> to change a single line of application code of your services to protect
> them.
Interestingly, even Axis2 itself is not immune. See [1] for an issue that was discovered yesterday.

Is your project/thesis more focused on detecting security issues and fixing them or on protecting existing Web services with potentially known security issues?

Andreas

[1] https://issues.apache.org/jira/browse/AXIS2-4279
