On Mon, Jul 27, 2009 at 11:30 PM, Dale Newfield <d...@newfield.org> wrote:
> Matt Raible wrote:
>
>> You should be able to remove the xfire-servlet mapping from your web.xml.
>> Of course, to thoroughly remove it, you should remove XFire JARs from your
>> project (and build files) and see what doesn't compile (then remove those
>> classes).
>>
>> Dale Newfield wrote:
>> OWASP's "Security Analysis of Core J2EE Design Patterns" says I
>> should turn off the serving of WSDL files:
>>
>> http://www.owasp.org/index.php/Category:OWASP_Security_Analysis_of_Core_J2EE_Design_Patterns_Project/EISTier#tab=Web_Service_Broker
>>
>
> Wouldn't that also turn off the web services themselves? I want the
> service to still work, but just ignore the requests for wsdl files. Is that
> a contradiction?
>

Yes. You might try playing with your Acegi configuration to block requests when WSDL is in the URL.

Matt
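
Added example, not part of the original thread and not AppFuse, XFire or Acegi code: one way to block requests when WSDL is in the URL while leaving service calls untouched, written as a plain servlet filter rather than Acegi configuration. The class name `WsdlBlockFilter` is hypothetical, and it assumes the WSDL is requested through a `wsdl` query parameter or a path ending in `.wsdl`.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: answers 404 to WSDL requests and passes everything else through.
// Assumption: WSDL is requested as ?wsdl or as a path ending in .wsdl.
public class WsdlBlockFilter implements Filter {

    // True when the URL asks for the service description instead of invoking the service.
    static boolean isWsdlRequest(String uri, String query) {
        String path = uri == null ? "" : uri.split(";", 2)[0];   // drop ;jsessionid=...
        if (path.toLowerCase(Locale.ROOT).endsWith(".wsdl")) {
            return true;
        }
        if (query == null) {
            return false;
        }
        for (String param : query.split("&")) {
            try {
                // Decode the name so an encoded spelling such as %77sdl is still caught.
                String name = URLDecoder.decode(param.split("=", 2)[0], "UTF-8");
                if ("wsdl".equalsIgnoreCase(name.trim())) {
                    return true;
                }
            } catch (Exception malformed) {
                return true;   // undecodable query string: refuse rather than guess
            }
        }
        return false;
    }

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (isWsdlRequest(request.getRequestURI(), request.getQueryString())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

To take effect, the filter has to be declared in web.xml with a filter-mapping that covers the same URL pattern as the xfire-servlet mapping.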