Google Git
Sign in
apache / axis-site / 3093048f5b6dcd87d976050a42adfd57786946ac / . / axis / java / security.html
blob: 8d7ab9ca43cd79c54b9416b1844c4364a2a8d875 [file] [log] [blame]
<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia at 2015-07-03
| Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Revision-yyyymmdd" content="20150703" />
<meta http-equiv="Content-Language" content="en" />
<title>Apache Axis &#x2013; Web Service Security</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.3.0.min.css" />
<link rel="stylesheet" href="./css/site.css" />
<link rel="stylesheet" href="./css/print.css" media="print" />
<script type="text/javascript" src="./js/apache-maven-fluido-1.3.0.min.js"></script>
</head>
<body class="topBarDisabled">
<div class="container-fluid">
<div id="banner">
<div class="pull-left">
<div id="bannerLeft">
<h2>Axis</h2>
</div>
</div>
<div class="pull-right"> <a href="./" id="bannerRight">
<img src="images/axis-small.png" alt="Apache Axis"/>
</a>
</div>
<div class="clear"><hr/></div>
</div>
<div id="breadcrumbs">
<ul class="breadcrumb">
<li class="">
<a href="http://www.apache.org/" class="externalLink" title="Apache">
Apache</a>
</li>
<li class="divider ">/</li>
<li class="">
<a href="../../" title="Axis">
Axis</a>
</li>
<li class="divider ">/</li>
<li class="">
<a href="../" title="Axis 1.x">
Axis 1.x</a>
</li>
<li class="divider ">/</li>
<li class="">
<a href="./" title="Java">
Java</a>
</li>
<li class="divider ">/</li>
<li class="">Web Service Security</li>
<li id="publishDate" class="pull-right">Last Published: 2015-07-03</li> <li class="divider pull-right">|</li>
<li id="projectVersion" class="pull-right">Version: 1.4.1-SNAPSHOT</li>
</ul>
</div>
<div class="row-fluid">
<div id="leftColumn" class="span3">
<div class="well sidebar-nav">
<ul class="nav nav-list">
<li class="nav-header">About</li>
<li>
<a href="index.html" title="Introduction">
<i class="none"></i>
Introduction</a>
</li>
<li>
<a href="issue-tracking.html" title="Issue Tracking">
<i class="none"></i>
Issue Tracking</a>
</li>
<li>
<a href="mail-lists.html" title="Mailing Lists">
<i class="none"></i>
Mailing Lists</a>
</li>
<li>
<a href="source-repository.html" title="Source Repository">
<i class="none"></i>
Source Repository</a>
</li>
<li>
<a href="artifacts.html" title="Artifacts & Dependencies">
<i class="none"></i>
Artifacts & Dependencies</a>
</li>
<li>
<a href="apiDocs/index.html" title="Javadocs">
<i class="none"></i>
Javadocs</a>
</li>
<li class="nav-header">Downloads</li>
<li>
<a href="releases.html" title="Releases">
<i class="none"></i>
Releases</a>
</li>
<li>
<a href="changelog.html" title="Changelogs">
<i class="icon-chevron-right"></i>
Changelogs</a>
</li>
<li>
<a href="snapshots.html" title="Snapshots">
<i class="none"></i>
Snapshots</a>
</li>
<li class="nav-header">Documentation</li>
<li>
<a href="overview.html" title="Overview">
<i class="none"></i>
Overview</a>
</li>
<li>
<a href="install.html" title="Installation">
<i class="none"></i>
Installation</a>
</li>
<li>
<a href="user-guide.html" title="User's Guide">
<i class="none"></i>
User's Guide</a>
</li>
<li>
<a href="developers-guide.html" title="Developer's Guide">
<i class="none"></i>
Developer's Guide</a>
</li>
<li>
<a href="integration-guide.html" title="Integration Guide">
<i class="none"></i>
Integration Guide</a>
</li>
<li>
<a href="architecture-guide.html" title="Architecture Guide">
<i class="none"></i>
Architecture Guide</a>
</li>
<li>
<a href="reference.html" title="Reference Guide">
<i class="none"></i>
Reference Guide</a>
</li>
<li>
<a href="reading.html" title="Reading Guide">
<i class="none"></i>
Reading Guide</a>
</li>
<li class="nav-header">More...</li>
<li>
<a href="ant/ant.html" title="Ant Tasks">
<i class="none"></i>
Ant Tasks</a>
</li>
<li>
<a href="maven/index.html" title="Maven Plugins">
<i class="none"></i>
Maven Plugins</a>
</li>
<li>
<a href="castor/index.html" title="Castor Databinding">
<i class="none"></i>
Castor Databinding</a>
</li>
<li>
<a href="xmlbeans/index.html" title="XmlBeans Databinding">
<i class="none"></i>
XmlBeans Databinding</a>
</li>
<li>
<a href="transports/jms/index.html" title="JMS Transport">
<i class="none"></i>
JMS Transport</a>
</li>
<li>
<a href="transports/http-hc3/index.html" title="HttpClient 3 Transport">
<i class="none"></i>
HttpClient 3 Transport</a>
</li>
<li>
<a href="transports/http-javanet/index.html" title="java.net HTTP Transport">
<i class="none"></i>
java.net HTTP Transport</a>
</li>
<li>
<a href="standalone-server/index.html" title="Stand-alone Server">
<i class="none"></i>
Stand-alone Server</a>
</li>
<li class="nav-header">Apache</li>
<li>
<a href="http://www.apache.org/licenses/LICENSE-2.0.html" class="externalLink" title="License">
<i class="none"></i>
License</a>
</li>
<li>
<a href="http://www.apache.org/foundation/sponsorship.html" class="externalLink" title="Sponsorship">
<i class="none"></i>
Sponsorship</a>
</li>
<li>
<a href="http://www.apache.org/foundation/thanks.html" class="externalLink" title="Thanks">
<i class="none"></i>
Thanks</a>
</li>
<li>
<a href="http://www.apache.org/security/" class="externalLink" title="Security">
<i class="none"></i>
Security</a>
</li>
</ul>
<form id="search-form" action="http://www.google.com/search" method="get" >
<input value="ws.apache.org/axis/java" name="sitesearch" type="hidden"/>
<input class="search-query" name="q" id="query" type="text" />
</form>
<script type="text/javascript" src="http://www.google.com/coop/cse/brand?form=search-form"></script>
<hr class="divider" />
<div id="poweredBy">
<div class="clear"></div>
<div class="clear"></div>
<div class="clear"></div>
<a href="http://maven.apache.org/" title="Built by Maven" class="poweredBy">
<img class="builtBy" alt="Built by Maven" src="./images/logos/maven-feather.png" />
</a>
</div>
</div>
</div>
<div id="bodyColumn" class="span9" >
<!-- ~ Licensed to the Apache Software Foundation (ASF) under one
~ or more contributor license agreements. See the NOTICE file
~ distributed with this work for additional information
~ regarding copyright ownership. The ASF licenses this file
~ to you under the Apache License, Version 2.0 (the
~ "License"); you may not use this file except in compliance
~ with the License. You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing,
~ software distributed under the License is distributed on an
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~ KIND, either express or implied. See the License for the
~ specific language governing permissions and limitations
~ under the License. -->
<div class="section">
<h2><a name="Table_of_Contents"></a>Table of Contents</h2>
<ul>
<li><a href="#Table_of_Contents">Table of Contents</a></li>
<li><a href="#The_challenge_of_server_security">The challenge of server security</a></li>
<li><a href="#Is_SOAP_fundamentally_insecure">Is SOAP fundamentally insecure?</a></li>
<li><a href="#Common_Attack_Types">Common Attack Types</a>
<ul>
<li><a href="#Special_XML_attacks">Special XML attacks</a></li></ul></li>
<li><a href="#Authenticating_the_caller">Authenticating the caller</a></li>
<li><a href="#Securing_your_Services">Securing your Services</a>
<ul>
<li><a href="#XML_attacks">XML attacks</a></li>
<li><a href="#Session_Theft">Session Theft</a></li>
<li><a href="#DOS_attacks_via_load-intensive_operations">DOS attacks via load-intensive operations</a></li>
<li><a href="#Parameter_Attacks">Parameter Attacks</a></li>
<li><a href="#CrossSiteScripting">CrossSiteScripting</a></li></ul></li>
<li><a href="#Securing_Axis">Securing Axis</a>
<ul>
<li><a href="#Disguise">Disguise</a></li>
<li><a href="#Cut_down_the_build">Cut down the build</a></li>
<li><a href="#Rename_things">Rename things</a></li>
<li><a href="#Stop_AxisServlet_listing_services">Stop AxisServlet listing services</a></li>
<li><a href="#Keep_stack_traces_out_of_the_responses">Keep stack traces out of the responses</a></li>
<li><a href="#Stop_autogenerating_WSDL">Stop autogenerating WSDL</a></li>
<li><a href="#Servlets2.3:_use_filters_for_extra_authentication">Servlets2.3: use filters for extra authentication</a></li>
<li><a href="#Log_things">Log things</a></li>
<li><a href="#Run_Axis_with_reduced_Java_rights">Run Axis with reduced Java rights</a></li>
<li><a href="#Run_the_web_server_with_reduced_rights">Run the web server with reduced rights</a></li>
<li><a href="#Monitor_Load">Monitor Load</a></li>
<li><a href="#Consider_tripwire_and_honeypot_endpoints">Consider 'tripwire' and 'honeypot' endpoints</a></li>
<li><a href="#Monitor_the_Mailing_Lists">Monitor the Mailing Lists</a></li></ul></li>
<li><a href="#What_to_do_if_you_find_a_security_hole_in_Axis">What to do if you find a security hole in Axis</a></li>
<li><a href="#Automate_Security_Tests">Automate Security Tests</a></li>
<li><a href="#Conclusions">Conclusions</a></li></ul>
</div>
<div class="section">
<h2><a name="The_challenge_of_server_security"></a>The challenge of server security</h2>
<p>A standard attack on a web site is usually that of identifying and abusing badly written CGI scripts. Anything that gives read access to the file system is a security hole, letting people get at the code behind the site, often including database passwords and other sensitive data, plus of course there are the core parts of the underlying platform, which may contain important information: passwords, credit card lists, user-private information, and the like. Unauthorized access to this data can be embarrasing and expensive.</p>
<p>Having write access to the system leads to even greater abuses; defaced web sites may be created, spoof endpoints written to capture caller's data, or the database directly manipulated.</p>
</div>
<div class="section">
<h2><a name="Is_SOAP_fundamentally_insecure"></a>Is SOAP fundamentally insecure?</h2>
<p>Some people, such as <a class="externalLink" href="http://www.counterpane.com/crypto-gram-0006.html">Bruce Schneier</a>, have claimed that SOAP is a security disaster in the making, because of its ability to punch through firewalls. However, because in SOAP over HTTP the client can only make SOAP calls, not receive them, SOAP is no more insecure than any other application which POSTs XML files to a web server. The clients are safe unless the server (or its DNS address) have been subverted; the server is vulnerable, and does need to be secured.</p>
<p>Similarly, <a class="externalLink" href="http://webservices.xml.com/pub/a/ws/2003/03/04/security.html">Bilal Siddiqui</a> makes the claim that <i>SOAP cannot distinguish between sensitive and non-sensitive web services and cannot perform user authentication, authorization, and access control.</i></p>
<p>Again, this is another example of excess panic, perhaps combined with a lack of knowledge of how SOAP servers are implemented. You do not need to follow this author's advice and have separate SOAP servers for every level of sensitivity, or XML and SOAP aware firewalls, any more than you need separate Web Servers for different users, or require HTTP aware routers to restrict parts of a web server to different IP addresses.</p>
</div>
<div class="section">
<h2><a name="Common_Attack_Types"></a>Common Attack Types</h2>
<ul>
<li>Denial of Service to a server</li>
<li>Interception and manipulation of messages</li>
<li>Forged client requests</li>
<li>Forged server responses</li>
<li>attempts to read the server file system/database</li>
<li>Attempts to write to the server file system/database</li>
</ul>
<p>The most significant security risk comes from the fact that you are writing code to provide functionality to calling programs. If that functionality is offered to the wrong people, or if the code you wrote creates a security hole, &quot;unexpected functionality&quot;, then you have a problem.</p>
<p>There is a large body of literature which covers securing web sites, such as the <a class="externalLink" href="http://www.owasp.org/">Open Web Application Security Project</a> Top Ten List of vulnerabilities, and their Guide to Building Secure Web Applications.</p>
<div class="section">
<h3><a name="Special_XML_attacks"></a>Special XML attacks</h3>
<p>XML messages have a few intrinsic weakness, that Web Service creators should know about. None of these problems are unique to SOAP; anyone processing incoming XML needs to know and resist these.</p>
<ol style="list-style-type: decimal">
<li>Large XML Documents<br />
Have a client post an XML doc of extreme length/depth &lt;foo&gt;&lt;foo&gt;&lt;foo&gt;...&lt;/foo&gt;&lt;/foo&gt;&lt;/foo&gt; This does bad things to DOM parsers and memory consumption on the server: a DoS attack. The issue here is that the costs of handling a large XML document are much greater than the cost of generating one.</li>
<li>Entity Expansion Attacks.<br />
If an XML doc header declares some recursive entity declarations, and the file refers to them, then bad things happen. Axis became immune to this between versions 1.0 and 1.1.</li>
<li>Entities referring to the filesystem.<br />
Here you declare an entity referring to a local file, then expand it. Result: you may be able to probe for files, perhaps even get a copy of it in the error response. As Axis does not support entities any more, it resists this. If your code has any way of resolving URLs from incoming messages, you may recreate this problem.</li>
</ol>
<p>The other thing to know about XML is that string matching is not enough to be sure that the content is safe, because of the many ways to reformat the same XML.</p>
</div>
</div>
<div class="section">
<h2><a name="Authenticating_the_caller"></a>Authenticating the caller</h2>
<p>The new Web Service security proposals offer to authenticate your callers to your end point, and vice-versa. Axis does not yet implement these, but we do support XML signatures via <a class="externalLink" href="http://xml.apache.org/security/index.html">a sister project.</a></p>
<p>The other approach is to validate at the transport level, using HTTPS. Configuring your web server to support https is definitely beyond the scope of Axis documentation: consult your server docs. To support https in the Axis client, you need to ensure the client has https support in the runtime. This is automatic for Java1.4+; older versions need to add JSSE support through Sun or an alternate provider.</p>
<p>Once you have HTTPS working at both ends you need to have the client trust the server certificate -usually automatic for those signed by central certification authorities, a manual process for home rolled certificates.</p>
<p>Clients can authenticate themselves with client certificates, or HTTP basic authentication. The latter is too weak to be trustable on a non-encrypted channel, but works over HTTPS. The <tt>MessageContext</tt> class will be configured with the username and password of the sender when SOAP messages are posted to the endpoint; use the appropriate getters to see these values. Note that Axis does not <i>yet</i> integrate with the servlet API
authentication stuff. Although the forms authentication is literally off-axis when it comes to SOAP calls, the UserPrincipal notion and integration with server configuration gives some incentive for integration. (this is a hint to developers out there)</p>
<p>Axis does not (yet) support HTTP1.1 Digest Authentication; if it does get added it will be via the <a class="externalLink" href="http://jakarta.apache.org/commons/httpclient/">HttpClient</a> libraries.</p>
</div>
<div class="section">
<h2><a name="Securing_your_Services"></a>Securing your Services</h2>
<p>One of the key security holes in any Web Service is the code you write yourself. It won't have as many eyes examining it as the Axis source gets, deadlines get in the way of rigorous testing, and a complex web service will bind to the valued items: private data, databases, other servers, etc, that you want to defend against.</p>
<p>The key to this is not to trust the caller: their identity, their IP address and most of all, their data. Here are some attacks to consider.</p>
<div class="section">
<h3><a name="XML_attacks"></a>XML attacks</h3>
<p>We listed these attacks earlier. If your service takes XML from an attachment, or in a base-64 encoded string, parsing it as a standalone document, then you are exposed to all these attacks. Also watch out for standard XML syntaxes that integrate xlink or other ways of describing URLs to fetch -such as SVG. You need to ensure the renderer only fetches approved URLs.</p>
</div>
<div class="section">
<h3><a name="Session_Theft"></a>Session Theft</h3>
<p>Axis uses a good random number generator to generate session IDs, but someone listening to an unencrypted conversation could hijack a session and send in new messages. Recording sender info, such as the originating IP address helps, though beware of proxied systems (e.g. AOL) that may change the apparent origin of calls mid-session.</p>
</div>
<div class="section">
<h3><a name="DOS_attacks_via_load-intensive_operations"></a>DOS attacks via load-intensive operations</h3>
<p>Any request that takes time to process is a DOS attack target, as it ties up the CPUs. Authenticate before long requests, and consider watchdog threads to track really long execution times. If any bug causes a request to spin forever.</p>
</div>
<div class="section">
<h3><a name="Parameter_Attacks"></a>Parameter Attacks</h3>
<p>If any parameter in the XML is fed straight into a database query, or some other routine that depends on valid data, then that data <i>must</i> be validated. Otherwise someone malicious could send a database update request, or some other string which lets a malicious user manipulate the system. This could even be as simple as changing their UserID in a request from that they set up in the session. Database attacks come from any situation
where a parameter is inserted into an SQL query; the insertion of a semicolon &quot;;&quot; often permits the caller to append a whole new SQL command to the end of the first, and have it executed with the rights of the Web Service.</p>
<p>The key to defending against malicious parameters is to validate all data. Only accept a string containing only the characters/regular expression expected, and check its length. Better yet apply any other higher level checks 'userID==session.userID' that you can. Prepared Statements are the followon way of defending against SQL injection, as the JDBC runtime handles escaping of things. Don't try and build SQL strings by hand; it is a recipe for security holes.</p>
<p>Note that this would seem to argue strongly against mapping Session EJB objects to SOAP Endpoints. This is not the case. The Session bean must merely assume that all incoming data is untrusted, and so validate it all before processing further. This is exactly the kind of task a <a class="externalLink" href="http://martinfowler.com/eaaCatalog/serviceLayer.html"><i>Service Layer</i></a> should be doing.</p>
</div>
<div class="section">
<h3><a name="CrossSiteScripting"></a>CrossSiteScripting</h3>
<p>In theory, a pure Web Service should be immune to XSS attacks, at least those that rely on having uploaded script displayed in an HTML Web Page server-side, script that is executed when the client views it. But the moment one takes Axis and integrates with one's own webapplication, any loopholes in the rest of the webapp expose this exact problem. We don't think Axis itself is vulnerable, because although it may include supplied data in a SOAPFault, this is displayed as XML, not HTML. Clients which don't distinguish the two could be an issue, as could anything we missed, especially in GET handling.</p>
</div>
</div>
<div class="section">
<h2><a name="Securing_Axis"></a>Securing Axis</h2>
<p>A core philosophy is 'defend in depth', with monitoring for trouble.</p>
<div class="section">
<h3><a name="Disguise"></a>Disguise</h3>
<p>One tactic here is to hide the fact that you are running Axis...look at all the headers that we send back to describe the service, and if any identify Axis, edit that constant in the source. While obscurity on its own is inadequate; it can slow down attacks or make you seem less vulnerable to known holes.</p>
</div>
<div class="section">
<h3><a name="Cut_down_the_build"></a>Cut down the build</h3>
<p>Rebuild Axis without bits of it you don't need. This is a very paranoid solution, but keeps the number of potential attack points down. One area to consider is the 'instant SOAP service' feature of JWS pages. They, along with JSP pages, provide anyone who can get text files onto the web application with the ability to run arbitrary Java code.</p>
</div>
<div class="section">
<h3><a name="Rename_things"></a>Rename things</h3>
<p>The AxisServlet, the AdminService, even happyaxis.jsp are all in well known locations under the webapp, which is called 'axis' by default. Rename all of these, by editing web.xml for the servlet, server-config.wsdd for the AdminService; the others are just JSP and WAR files you can rename. You may not need the AdminService once you have generated the server config on a development machine.</p>
</div>
<div class="section">
<h3><a name="Stop_AxisServlet_listing_services"></a>Stop AxisServlet listing services</h3>
<p>To do this, set the Axis global configuration property <tt>axis.enableListQuery</tt> to false.</p>
</div>
<div class="section">
<h3><a name="Keep_stack_traces_out_of_the_responses"></a>Keep stack traces out of the responses</h3>
<p>By default, Axis ships in <i>production</i> mode; stack traces do not get sent back to the caller. If you set <tt>axis.development.system</tt> to true in the configuration, stack traces get sent over the wire in faults. This exposes internal information about the implementation that may be used in finding weaknesses.</p>
</div>
<div class="section">
<h3><a name="Stop_autogenerating_WSDL"></a>Stop autogenerating WSDL</h3>
<p>Trusted partners can still be given a WSDL file through email, or other means; there is no need to return the WSDL on a production server. How do you stop Axis returning WSDL? Edit the .wsdd configuration file, as described in the <a href="reference.html#Individual_Service_Configuration">reference</a>, to return a WSDL resource which is simply an empty &lt;wsdl/&gt; tag.</p>
</div>
<div class="section">
<h3><a name="Servlets2.3:_use_filters_for_extra_authentication"></a>Servlets2.3: use filters for extra authentication</h3>
<p>Servlets 2.3 lets you use filters to look at all incoming requests and filter them however you like -including validating IP address, caller credentials, etc. Caller address validation is useful for securing admin services and pages, even when other endpoints are public. Of course, router configuration is useful there too.</p>
</div>
<div class="section">
<h3><a name="Log_things"></a>Log things</h3>
<p>Although full logs are a DoS attack tactic in themselves, logging who sends messages is often useful, for auditing and keeping track of what is going on. Add more log4j tags to whatever bit of Axis appeals to you to do this.</p>
</div>
<div class="section">
<h3><a name="Run_Axis_with_reduced_Java_rights"></a>Run Axis with reduced Java rights</h3>
<p>Java has a powerful and complex security system. Use it to configure Axis with reduced rights. Axis tries to write to WEB-INF/server-config.wsdd when updating the server config; and somewhere else (its configurable) when saving compiled .jws pages.</p>
</div>
<div class="section">
<h3><a name="Run_the_web_server_with_reduced_rights"></a>Run the web server with reduced rights</h3>
<p>On Unix this is pretty much a given, but even on Windows NT and successors you can run a service as a different user. Make it one with limited rights. Make sure the core of the system has its access permissions tightened up so that the restricted-rights user can not get at things it shouldn't.</p>
</div>
<div class="section">
<h3><a name="Monitor_Load"></a>Monitor Load</h3>
<p>To track DoS attacks, a load monitor is useful. <tt>AxisBaseServlet</tt> tracks the number of callers inside its subclasses at any point in time; the <tt>AdminServlet</tt> shows how to get at this data.</p>
</div>
<div class="section">
<h3><a name="Consider_tripwire_and_honeypot_endpoints"></a>Consider 'tripwire' and 'honeypot' endpoints</h3>
<p>With the core endpoints moved, why not create tripwire implementations of the admin endpoint, or a spoof endpoint listing under Axis/AdminServlet pointing to a honeypot endpoint that does nothing but send an alert when anyone sends a SOAP message to it. You then need a policy to act on the alerts, of course. A real honeypot would emulate an entire back end service -it would be an interesting little experiment to build and play with.</p>
</div>
<div class="section">
<h3><a name="Monitor_the_Mailing_Lists"></a>Monitor the Mailing Lists</h3>
<p>We tend to discuss security on Axis-Dev, whenever it is an issue, but if demand is high we may add an axis-announce mailing list for important announcements.</p>
</div>
</div>
<div class="section">
<h2><a name="What_to_do_if_you_find_a_security_hole_in_Axis"></a>What to do if you find a security hole in Axis</h2>
<p>These days a lot of people love to make a name for themselves by finding security holes, and Axis, as part of the Apache product family, is a potential target. A hole in Axis could make many Web Services vulnerable, so could be serious indeed. So far we have only found a few of these, primarily in quirks of XML parsing rather than anything else.</p>
<ol style="list-style-type: decimal">
<li>Don't Panic. We have a process in place for verifying and fixing holes.</li>
<li>Don't rush to issue the press release to BugTraq. It is polite to let us know, and even verify that you are correct.</li>
<li>Test against the latest CVS version, not the (older) release builds. We may like already have fixed it, hacker dudes :-)</li>
<li>Email security@apache.org. Not the public axis-dev list, not jira. The security alias list is a list with representives from all Apache projects, so your report will be taken seriously.</li>
<li>Let us do a fix if possible, so we can announce that a fix is ready when you announce your finding. This doesn't take any of the credit way from the finder, just stops people panicing.</li>
</ol>
</div>
<div class="section">
<h2><a name="Automate_Security_Tests"></a>Automate Security Tests</h2>
<p>If you find a security problem, write a test for it, such as a JUnit or HttpUnit test, so that you can regression test the application and installations for the problem. This is particularly important where it is a configuration problem that creates the hole; it is almost inevitable the same problem will re-occur on future installations.</p>
</div>
<div class="section">
<h2><a name="Conclusions"></a>Conclusions</h2>
<p>We have shown some of the issues with Web Service security, things you need to think of in your own service, and how to harden Axis itself. Securing a system is much harder than getting a system to work, as 'work' usually means 'one or two non-critical bugs are OK'. From a security perspective, no security holes can exist for a system to be secure: no matter how obscure it is, someone may find it and exploit it. Be paranoid: you know it makes sense.</p>
<p>Finally, don't get put off writing SOAP services through a fear of the security implications. Any CGI-BIN or ASP/JSP page that takes parameters is as much of a security risk as a SOAP endpoint. For some reason, SOAP attracts dramatic press stories about infinite risk, perhaps because it is new and unknown. It isn't: it is XML posted to a web application, that's all. Only if you are scared of that, should you not write a SOAP service.</p>
</div>
</div>
</div>
</div>
<hr/>
<footer>
<div class="container-fluid">
<div class="row span12">Copyright &copy; 2000-2015
<a href="http://www.apache.org/">The Apache Software Foundation</a>.
All Rights Reserved.
</div>
</div>
</footer>
</body>
</html>