Webservice method exposure in Websphere Application Server

 
I have a SOAP web service deployed in WebSphere Application Server version 7.0.

I am testing the web service using the soapUI tool so that I can check the exact SOAP request and response.

The operation name is: fetchLocations

I changed the operation name in the SOAP request to fetchLocations1.

Now when I hit the web service, it shows an error message in the fault string saying that such an operation does not exist.

But it also mentions detail-level logging which exposes the Service class, package name, correct operation name, etc. The SOAP response is as below. I tried changing the log level in WAS to severe. But it's still printing a detail-level log in the SOAP response, which is definitely a vulnerability of the web service.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header/>
<soapenv:Body>
<soapenv:Fault>
<faultcode>soapenv:Client</faultcode>
<faultstring>WSWS3277E: Error: Could not resolve to an operation. The message contains an element named "{http://stock.service.abc.com}fetchLocations1", but this does not match any operation of the target port. Debug: name: services/stockService
implClass: class com.abc.service.stock.stockService
implClassLoader:
com.ibm.ws.classloader.CompoundClassLoader@6da76da7[war:stockService_war/stockService.war]
Local ClassPath: C:\IBM\WebSphere\AppServer\profiles\AppSrv01\installedApps\WASPDNode01Cell\stockService_war.ear\stockService.war\WEB-INF\classes;C:\IBM\WebSphere\AppServer\profiles\AppSrv01\installedApps\WASPDNode01Cell\stockService_war.ear\stockService.war\WEB-INF\lib\ojdbc14-9i.jar;C:\IBM\WebSphere\AppServer\profiles\AppSrv01\installedApps\WASPDNode01Cell\stockService_war.ear\stockService.war
Parent: com.ibm.ws.classloader.CompoundClassLoader@6bbe6bbe[app:stockService_war]
Delegation Mode: PARENT_FIRST
defaultNS: null
endpointURL: null
OperationDesc[0]:
name: fetchLocations
returnQName: fetchLocationsReturn
returnType: {http://stock.service.abc.com}ArrayOfLocationDTO
returnClass: class [Lcom.abc.service.stock.LocationDTO;
elementQName:{http://stock.service.abc.com}fetchLocations
soapAction: fetchLocations
style: wrapped
use: literal
numInParams: 1
properties:
KEY(ResponseNamespace)
VALUE(http://stock.service.abc.com)
KEY(ResponseLocalPart)
VALUE(fetchLocationsResponse)
KEY(buildNum)
VALUE(r0834.28)
KEY(ServiceQName)
VALUE({http://stock.service.abc.com}stockServiceService)
KEY(portTypeQName)
VALUE({http://stock.service.abc.com}stockService)
KEY(inputMessageQName)
VALUE({http://stock.service.abc.com}fetchLocationsRequest)
KEY(outputName)
VALUE(fetchLocationsResponse)
KEY(usingAddressing)
VALUE(false)
KEY(outputMessageQName)
VALUE({http://stock.service.abc.com}fetchLocationsResponse)
KEY(inoutOrderingReq)
VALUE(false)
KEY(inputName)
VALUE(fetchLocationsRequest)
KEY(targetNamespace)
VALUE(http://stock.service.abc.com)
method:public com.abc.service.stock.LocationDTO[] com.abc.service.stock.stockService.fetchLocations(java.lang.String)
ParameterDesc[0]:
identity: com.ibm.ws.webservices.engine.description.ParameterDesc@4d064d06
name: userId
mode: IN
isReturn: false
typeQName: {http://www.w3.org/2001/XMLSchema}string
javaType: class java.lang.String
javaSigType:class java.lang.String
inHeader: false
outHeader: false
minOccursIs0:false
maxOccursIs1:true
properties:
KEY(partName)
VALUE(string)
KEY(inputPosition)
VALUE(0)
KEY(partQNameString)
VALUE({http://www.w3.org/2001/XMLSchema}string)
</faultstring>
</soapenv:Fault>
</soapenv:Body>
</soapenv:Envelope>




I created a similar web service in NetBeans and deployed it in Tomcat, which does not log in detail. The SOAP response from Tomcat is as below:

<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
<S:Fault xmlns:ns4="http://www.w3.org/2003/05/soap-envelope">
<faultcode>S:Client</faultcode>
<faultstring>Cannot find dispatch method for {http://stock.service.abc.com/}fetchLocations1</faultstring>
</S:Fault>
</S:Body>
</S:Envelope>




Kindly let me know how I can stop the detail level logging happening in WAS.
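
An added example, not part of the original post: a Python check that extracts the faultstring from a SOAP 1.1 response and reports which categories of server internals it reveals, so a fix can be verified by re-running it. The two sample envelopes are constructed by abbreviating the WebSphere and Tomcat responses quoted above; the pattern and function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Internals a SOAP fault returned to a caller should not contain.
LEAK_PATTERNS = {
    "java_class": re.compile(r"\bclass \[?L?[a-z_]\w*(?:\.\w+)+"),
    "filesystem_path": re.compile(r"[A-Za-z]:\\[^\s;]+|/(?:opt|usr|var|home)/[^\s;]+"),
    "classloader": re.compile(r"\b[\w.]*ClassLoader@[0-9a-f]+", re.I),
    "method_signature": re.compile(r"\bpublic [\w.\[\]]+ [\w.]+\([\w.,\s\[\]]*\)"),
}

# Constructed samples, abbreviated from the two responses in the post.
VERBOSE_FAULT = r"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body><soapenv:Fault><faultcode>soapenv:Client</faultcode>
<faultstring>WSWS3277E: Error: Could not resolve to an operation. Debug: name: services/stockService
implClass: class com.abc.service.stock.stockService
implClassLoader:
com.ibm.ws.classloader.CompoundClassLoader@6da76da7[war:stockService_war/stockService.war]
Local ClassPath: C:\IBM\WebSphere\AppServer\profiles\AppSrv01\installedApps\WASPDNode01Cell\stockService_war.ear\stockService.war\WEB-INF\classes
method:public com.abc.service.stock.LocationDTO[] com.abc.service.stock.stockService.fetchLocations(java.lang.String)
</faultstring></soapenv:Fault></soapenv:Body></soapenv:Envelope>"""
TERSE_FAULT = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><S:Fault>
<faultcode>S:Client</faultcode>
<faultstring>Cannot find dispatch method for {http://stock.service.abc.com/}fetchLocations1</faultstring>
</S:Fault></S:Body></S:Envelope>"""

def fault_string(envelope_xml):
    """Return the faultstring text of a SOAP 1.1 envelope, or None if there is no fault."""
    root = ET.fromstring(envelope_xml)
    for el in root.iter():
        # faultstring is unqualified in SOAP 1.1, but tolerate a namespace prefix.
        if el.tag.rsplit("}", 1)[-1] == "faultstring":
            return el.text or ""
    return None

def audit_fault(envelope_xml):
    """Map each leak category to the distinct matches found in the faultstring."""
    text = fault_string(envelope_xml)
    if text is None:
        return {}
    findings = {}
    for name, pattern in LEAK_PATTERNS.items():
        hits = sorted(set(pattern.findall(text)))
        if hits:
            findings[name] = hits
    return findings

if __name__ == "__main__":
    for label, sample in (("WebSphere", VERBOSE_FAULT), ("Tomcat", TERSE_FAULT)):
        print(label, audit_fault(sample) or "no internals disclosed")
```
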