I need to either hide the WSDL URL or make it available only to authenticated users, i.e. I don't want to expose http://localhost:8080/services/Application?wsdl.

Tomcat version 8.5.11, Java 8, Axis 1.4 (I know the Axis version is too old, but that is what I have to work with for now).

I thought I could add a security constraint to web.xml, as explained here http://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html, as follows:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>WSDL</web-resource-name>
        <description>WSDL Files</description>
        <url-pattern>*?wsdl</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>

I also found this thread, which suggests doing the same thing, but it is not working for me: Hiding WSDL in JAX-WS

Tomcat throws the following error:

org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[]]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167)
    at org.apache.catalina.core.StandardContext.reload(StandardContext.java:3782)
    at org.apache.catalina.startup.HostConfig.reload(HostConfig.java:1377)
    at org.apache.catalina.startup.HostConfig.checkResources(HostConfig.java:1350)
    at org.apache.catalina.startup.HostConfig.check(HostConfig.java:1586)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:280)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:94)
    at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1164)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1388)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1392)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1360)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalArgumentException: Invalid <url-pattern> *?wsdl in security constraint
    at org.apache.catalina.core.StandardContext.addConstraint(StandardContext.java:2827)
    at org.apache.catalina.startup.ContextConfig.configureContext(ContextConfig.java:1317)
    at org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1190)
    at org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:775)
    at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:299)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:94)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5087)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    ... 11 more

Any idea what I am doing wrong? Or how I can achieve the above?

Many thanks in advance

justMe
  • This is a wrong pattern `*?wsdl`, instead use this `*.wsdl` and your exception will go. – hagrawal7777 May 05 '17 at 16:47
  • See [here](http://stackoverflow.com/questions/14018215/what-is-url-pattern-in-web-xml-and-how-to-configure-servlet) for valid URL patterns. – Andrew S May 05 '17 at 16:48
  • I agree *.wsdl will get rid of the exception but it won't solve the problem. I have ?wsdl at the end of the URL not .wsdl. – justMe May 06 '17 at 18:06

2 Answers

As far as I know Axis 1.4 does not conform to JAVA WS specifications. I believe Axis 1.4 predated JAVA WS specifications.

I believe a servlet can be written to filter the WSDL files. https://coderanch.com/t/224470/java/Disable-wsdl-url-Axis#1054987

sashwat
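
A sketch of the filter approach suggested in the answer above, as an added example that is not part of the original answers: a servlet `<url-pattern>` matches only the request path and never the query string, so the check for `?wsdl` has to happen in code. The class name `WsdlQueryFilter`, the 404 response, and the assumption that container authentication is already configured (so `getUserPrincipal()` is populated) belong to this example, not the page; it also covers `?list` and `?method`, the other default Axis query strings named in the second answer.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not Axis code), mapped onto the /services/* path from the question.
@WebFilter("/services/*")
public class WsdlQueryFilter implements Filter {
    // Default Axis query-string handlers, as listed in the second answer.
    private static final Set<String> BLOCKED =
            new HashSet<>(Arrays.asList("wsdl", "list", "method"));

    @Override public void init(FilterConfig cfg) { }   // required before Servlet 4.0
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Unauthenticated callers get a 404 so the endpoint does not reveal the WSDL exists.
        if (http.getUserPrincipal() == null && hasBlockedKey(http.getQueryString())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    // True if any query key (case-insensitive, percent-decoded) is a blocked handler name.
    static boolean hasBlockedKey(String query) throws IOException {
        if (query == null) return false;
        for (String pair : query.split("&")) {
            String raw = pair.split("=", 2)[0];
            String name;
            try { name = URLDecoder.decode(raw, "UTF-8"); }
            catch (IllegalArgumentException e) { return true; } // malformed escape: fail closed
            if (BLOCKED.contains(name.toLowerCase(Locale.ROOT))) return true;
        }
        return false;
    }
}
```

SOAP `POST` requests to the same path carry no such query key and pass through unchanged.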

Thanks to everyone who tried to help. After a long time reading the Axis documentation, there seem to be two ways to stop the WSDL from being exposed:

1- By default, Axis provides three Axis servlet query string handlers (?list, ?method, and ?wsdl). If you turn the default behaviour off, the WSDL will not be published. You can do that by setting the useDefaultQueryStrings flag to false on the http transport in the server-config.wsdd file, as follows:

<transport name="http">
    <requestFlow>
        <handler type="URLMapper"/>
        <handler type="java:org.apache.axis.handlers.http.HTTPAuthHandler"/>
    </requestFlow>
    <parameter name="useDefaultQueryStrings" value="false" />
</transport>

2- In the documentation there is a section called "Pre-Configured Axis Components Reference", which lists a URLMapper with the following description:

"The URLMapper, an HTTP-specific handler, usually goes on HTTP transport chains (it is deployed by default). It serves to do service dispatch based on URL - for instance, this is the Handler which allows URLs like http://localhost:8080/axis/services/MyService?wsdl to work."

If you comment out the URLMapper, again the WSDL will not be published. You need to comment out the handler

<!--    <handler name="URLMapper" type="java:org.apache.axis.handlers.http.URLMapper"/>-->

and the reference in requestFlow:

<transport name="http">
    <requestFlow>
        <!--<handler type="URLMapper"/>-->
        <handler type="java:org.apache.axis.handlers.http.HTTPAuthHandler"/>
    </requestFlow>
</transport>

That should be it.

The Axis documentation is here: http://axis.apache.org/axis/java/reference.html

Personally, I have gone with the first solution. If anyone thinks that we shouldn't be doing either, please feel free to comment; I would appreciate it.

justMe