TLDR Is it possible to create an "alias" for the IP address (such as 0.0.0.0:8080/services as SERVER_1) or any other property on the WSDL content while someone's reading it? Similar to:
<entry key="org.apache.cxf.endpoint.private" value="true"/> For the services list, that keeps the functionality intact but hides the services list.
If yes, how? If not, is there a way to hide it without using @XmlTransient because if we used it, and from my understanding, the program wouldn't even map this element and thus no longer work.
I'm working with SOAP services using Spring and JAX-RS.
We're securing our apps, after an ethical hacking test, the results thrown that we were exposing services and production IP addresses on our URLs.
We were able to hide the services list from the web view, for example, if we access http://localhost:8080/foo/services we get this text:
No services have been found. Which is fine and we've done it by following this answer, but instead of being on cxf-servlet.xml file, it was on the applicationContext-{moduleName}.xml file.
Now, if we know, or have access to any of the WSDL paths, we can still see the WSDL contents (which includes production IP addresses), for example if we entered:
http://localhost:8080/foo/services/bar?_wsdl We have a similar definition as below (I edited it for security reasons):
<application xmlns="http://wsdl.dev.java.net/2009/02" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <grammars/> <resources base="http://localhost:8080/foo/services/bar"> <resource path="/VX"> <resource path="/anotherPath"> <method name="POST"> <request> <representation mediaType="application/x-www-form-urlencoded"> <param name="someParam" style="query" type="xs:string"/> </representation> </request> <response> <representation mediaType="application/json"> <param name="anotherParam" style="plain" type="xs:string"/> </representation> </response> </method> </resource> </resource> </resources> </application> How could I, for example edit on run time the property
<resources base="http://localhost:8080/foo/services/bar"> To something like
<resources base="SERVER_1"> So, we internally know what IP address does SERVER_1 has, but people outside that manage to get there doesn't, in other words how could I create an alias for the IP address and use it instead of the real ip address on it?
This is because we have about 10 servers, each with a different IP address, and if we need to do some production debugging we need to know which server we're in, so we would like to avoid hiding the whole WSDL content (as I know it can be done, because a module has this configuration).
I know I can use @XmlTransient annotation, but as per docs:
Prevents the mapping of a JavaBean property/type to XML representation.
So, in my understanding, if I use this annotation over the property containing the IP address, then it would no longer be working.
If this isn't possible, which other suggestions would you have in order to make a workaround for this particular case?
We create the services with top-down approach (i.e. we're given the WSDL and we use wsdl2java to create Java Objects + service interface from it)
1 Answers
Answers 1
TLDR: Use DNS to assign names to your IP addresses.
We're securing our apps, after an ethical hacking test, the results thrown that we were exposing services and production IP addresses on our URLs
You have a SOAP-Service. To use it one needs to know the address of the endpoint. So you'll "expose" it no matter what. Security through obscurity is not recommended.
So, we internally know what IP address does SERVER_1 has, but people outside that manage to get there doesn't, in other words how could I create an alias for the IP address and use it instead of the real ip address on it?
That's what DNS was invented for. An "alias" for the IP address. It's bad practise to use IP-Addresses for services. So set up a DNS (or use host files) to assign a name per IP address.
0 comments:
Post a Comment