Wednesday, May 30, 2012

Apache CXF. Disable WADL schema generation.

Some time ago the project that I am working on was examined for vulnerabilities. One of the security items was a public point for the WADL schema. Basically, using a simple URL like this:
http://localhost:8080/myservice/client?_wadl
a user can see the entire WADL of the web services. We decided to remove it. First of all, we can disable it only since Apache CXF version 2.4.2:
  1. The first step is to create a WadlGenerator object with the required configuration.

        <bean id="wadlGenerator" class="org.apache.cxf.jaxrs.model.wadl.WadlGenerator">
            <property name="ignoreRequests" value="true"/>
        </bean>

  2. Set the wadlGenerator bean on the service providers.

        <jaxrs:server id="clientService" address="/clientservice">
            <jaxrs:serviceBeans>
                <ref bean="clientBean" />
            </jaxrs:serviceBeans>
            <jaxrs:extensionMappings>
                <entry key="json" value="application/json"/>
                <entry key="xml" value="application/xml"/>
            </jaxrs:extensionMappings>
            <jaxrs:providers>
                <ref bean="jaxbProvider"/>
                <ref bean="wadlGenerator" />
            </jaxrs:providers>
        </jaxrs:server>
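
The setting has to be wired into every jaxrs:server, so it is easy to miss one endpoint. The following is an added example, not code from the original post or from Apache CXF: a small audit that reads a Spring context file and lists the jaxrs:server elements that have no WadlGenerator provider with ignoreRequests set to true. The function names, the sample file and the second server `adminService` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

BEANS = "{http://www.springframework.org/schema/beans}"
JAXRS = "{http://cxf.apache.org/jaxrs}"
WADL_CLASS = "org.apache.cxf.jaxrs.model.wadl.WadlGenerator"

def _disables_wadl(bean):
    """True if a <bean> is a WadlGenerator with ignoreRequests=true."""
    if bean.get("class") != WADL_CLASS:
        return False
    return any(p.get("name") == "ignoreRequests"
               and (p.get("value") or "").strip().lower() == "true"
               for p in bean.findall(BEANS + "property"))

def servers_without_wadl_disabled(spring_xml):
    """Return ids of jaxrs:server elements lacking a WADL-disabling provider."""
    root = ET.fromstring(spring_xml)
    safe_ids = {b.get("id") for b in root.iter(BEANS + "bean")
                if b.get("id") and _disables_wadl(b)}
    missing = []
    for server in root.iter(JAXRS + "server"):
        providers = server.find(JAXRS + "providers")
        ok = False
        if providers is not None:
            # Providers may be referenced by id or declared inline.
            refs = {r.get("bean") for r in providers.findall(BEANS + "ref")}
            inline = any(_disables_wadl(b)
                         for b in providers.findall(BEANS + "bean"))
            ok = bool(refs & safe_ids) or inline
        if not ok:
            missing.append(server.get("id") or server.get("address"))
    return missing

# Constructed sample context: clientService follows the post, while the
# hypothetical adminService omits the wadlGenerator provider.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:jaxrs="http://cxf.apache.org/jaxrs">
  <bean id="wadlGenerator" class="org.apache.cxf.jaxrs.model.wadl.WadlGenerator">
    <property name="ignoreRequests" value="true"/>
  </bean>
  <jaxrs:server id="clientService" address="/clientservice">
    <jaxrs:providers><ref bean="jaxbProvider"/><ref bean="wadlGenerator"/></jaxrs:providers>
  </jaxrs:server>
  <jaxrs:server id="adminService" address="/adminservice">
    <jaxrs:providers><ref bean="jaxbProvider"/></jaxrs:providers>
  </jaxrs:server>
</beans>"""

if __name__ == "__main__":
    print(servers_without_wadl_disabled(SAMPLE))
```

The audit only looks at providers declared on each jaxrs:server in the file it is given; requesting the `?_wadl` URL of each deployed service remains the final check.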
    
