Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)

The SOAP and HTTP engines are open doors to security issues.
At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out
as we did for RMI in the past.
Of cause it must be clearly documented how to use them if needed.

Here is the email content:

    After the recent fix for the CVE-2021-26295[1] we discussed with the security
    team about the opportunity need to comment out the SOAP and HTTP engines
    like we did in the past for RMI[2], this obviously for security reason.

    [1] OFBIZ-12167 "Adds a blacklist (to be
    renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
    [2] OFBIZ-6942 "Comment out RMI related
    code because of the Java deserialization issue [CVE-2016-2170] "

I just put a small comment in webtools controller, it should be enough.

The tests pass

Author: JacquesLeRoux

framework/common/servicedef/services_test.xml

@@ -71,13 +71,13 @@ under the License.
 
     <service name="groupTest" engine="group" location="testGroup" invoke=""/>
 
-    <service name="testHttp" engine="http" location="main-http" invoke="testScv">
+<!--     <service name="testHttp" engine="http" location="main-http" invoke="testScv">
         <description>HTTP service wrapper around the test service</description>
         <attribute name="message" type="String" mode="IN" optional="true"/>
         <attribute name="resp" type="String" mode="OUT"/>
-    </service>
+    </service> -->
 
-    <service name="testSoap" engine="soap" export="true" location="main-soap" invoke="testSOAPScv">
+<!--     <service name="testSoap" engine="soap" export="true" location="main-soap" invoke="testSOAPScv">
         <description>SOAP service; calls the OFBiz test SOAP service</description>
         <implements service="testSOAPScv"/>
     </service>
@@ -87,25 +87,25 @@ under the License.
         <implements service="testScv"/>
     </service>
 
-    <!--  test service for local loopback testing (OFBiz Client SOAP -> OFBiz Server SOAP)  
-        https://ofbiz-vm2.apache.org:8443/webtools/control/SOAPService is the ultimate location for the testRemoteSoap 
+     test service for local loopback testing (OFBiz Client SOAP -> OFBiz Server SOAP)
+        https://ofbiz-vm2.apache.org:8443/webtools/control/SOAPService is the ultimate location for the testRemoteSoap
         It's redirected from https://demo-trunk.ofbiz.apache.org/webtools/control/SOAPService by the HTTPD frontend installed by Puppet in the demo server, ie ofbiz-vm2.apache.org
         We could use also http://demo-trunk.ofbiz.apache.org/webtools/control/SOAPService but HSTS would sent it to https anyway
-        So this can be used only against trunk demo and is not in the tests set to avoid a dependency on Internet -->
-    <service name="testRemoteSoap" engine="soap" export="true" 
+        So this can be used only against trunk demo and is not in the tests set to avoid a dependency on Internet
+    <service name="testRemoteSoap" engine="soap" export="true"
         location="https://demo-trunk.ofbiz.apache.org/webtools/control/SOAPService"
         invoke="testSoapSimple">
         <attribute name="defaultValue" type="Double" mode="IN" default-value="999.9999"/>
         <attribute name="message" type="String" mode="IN" optional="true"/>
         <attribute name="resp" type="String" mode="OUT"/>
     </service>
 
-    <!-- FIXME For now, not sure why, the 4 remote SOAP services below don't work -->
+    FIXME For now, not sure why, the 4 remote SOAP services below don't work
     
-    <!-- the location = endpoint = SOAP action -->
-    <!-- invoke parameter is the name of the operation to invoke, for example LatLonListZipCode -->
-    <!-- invoke parameter is needed when there are several possible operations for the SOAP action  -->
-    <!-- FIXME For now, not sure why, this remote SOAP service does not work -->
+    the location = endpoint = SOAP action
+    invoke parameter is the name of the operation to invoke, for example LatLonListZipCode
+    invoke parameter is needed when there are several possible operations for the SOAP action
+    FIXME For now, not sure why, this remote SOAP service does not work
     <service name="testRemoteSoap1" engine="soap" export="true"
         location="http://www.weather.gov/forecasts/xml/SOAP_server/ndfdXMLserver.php"
         invoke="LatLonListZipCode">
@@ -118,10 +118,10 @@ under the License.
         <attribute name="result" type="String" mode="OUT"/>
     </service>
     
-    <!-- the location = endpoint = SOAP action -->
-    <!-- invoke parameter is the name of the operation to invoke, for example LatLonListCityNames -->
-    <!-- invoke parameter is needed when there are several possible operations for the SOAP action  -->
-    <!-- FIXME For now, not sure why, this remote SOAP service does not work -->
+    the location = endpoint = SOAP action
+    invoke parameter is the name of the operation to invoke, for example LatLonListCityNames
+    invoke parameter is needed when there are several possible operations for the SOAP action
+    FIXME For now, not sure why, this remote SOAP service does not work
     <service name="testRemoteSoap2" engine="soap" export="true"
         location="http://www.weather.gov/forecasts/xml/SOAP_server/ndfdXMLserver.php"
         invoke="LatLonListCityNames">
@@ -134,7 +134,7 @@ under the License.
         <attribute name="result" type="String" mode="OUT"/>
     </service>
 
-    <!-- FIXME For now, not sure why, this remote SOAP service does not work -->
+    FIXME For now, not sure why, this remote SOAP service does not work
     <service name="testRemoteSoap3" engine="soap" export="true"
         location="http://www.restfulwebservices.net/wcf/EmailValidationService.svc"
         invoke="EmailValidationService">
@@ -143,13 +143,13 @@ under the License.
         <attribute name="result" type="String" mode="OUT"/>
     </service>
     
-    <!-- FIXME For now, not sure why, this remote SOAP service does not work -->
+    FIXME For now, not sure why, this remote SOAP service does not work
     <service name="testRemoteSoap4" engine="soap" export="true"
         location="http://www.webservicex.net/geoipservice.asmx"
         invoke="GetGeoIPContext">
         <attribute name="invoke" type="String" mode="IN" />
         <attribute name="result" type="String" mode="OUT"/>
-    </service>
+    </service> -->
 
     <service name="testGroovy" engine="groovy" location="component://common/groovyScripts/GroovyServiceTest.groovy" invoke="">
         <description>Test Groovy Script Service</description>

framework/common/webcommon/WEB-INF/handlers-controller.xml

@@ -24,7 +24,7 @@ under the License.
 
     <!-- event handlers -->
     <handler name="java" type="request" class="org.apache.ofbiz.webapp.event.JavaEventHandler"/>
-    <handler name="soap" type="request" class="org.apache.ofbiz.webapp.event.SOAPEventHandler"/>
+    <!-- <handler name="soap" type="request" class="org.apache.ofbiz.webapp.event.SOAPEventHandler"/> -->
     <handler name="xmlrpc" type="request" class="org.apache.ofbiz.webapp.event.XmlRpcEventHandler"/>
     <handler name="service" type="request" class="org.apache.ofbiz.webapp.event.ServiceEventHandler"/>
     <handler name="service-multi" type="request" class="org.apache.ofbiz.webapp.event.ServiceMultiEventHandler"/>

framework/service/config/serviceengine.xml

@@ -52,10 +52,10 @@ under the License.
         <engine name="javascript" class="org.apache.ofbiz.service.engine.ScriptEngine"/>
         <!--  -->
         <engine name="route" class="org.apache.ofbiz.service.engine.RouteEngine"/>
-        <engine name="http" class="org.apache.ofbiz.service.engine.HttpEngine"/>
+        <!-- <engine name="http" class="org.apache.ofbiz.service.engine.HttpEngine"/> -->
         <engine name="jms" class="org.apache.ofbiz.service.jms.JmsServiceEngine"/>
         <engine name="rmi" class="org.apache.ofbiz.service.rmi.RmiServiceEngine"/>
-        <engine name="soap" class="org.apache.ofbiz.service.engine.SOAPClientEngine"/>
+        <!-- <engine name="soap" class="org.apache.ofbiz.service.engine.SOAPClientEngine"/> -->
         <!-- The engine xml-rpc-local is only used by a test service and for this reason it is configured to run on port 8080.
              In order to use this in OFBiz change the port accordingly (for demo the default value is 8080)
         -->
@@ -66,14 +66,14 @@ under the License.
         </engine>
 
         <service-location name="main-rmi" location="rmi://localhost:1099/RMIDispatcher"/>
-        <service-location name="main-http" location="http://localhost:8080/webtools/control/httpService"/>
-        <service-location name="main-soap" location="http://localhost:8080/webtools/control/SOAPService"/>
+        <!-- <service-location name="main-http" location="http://localhost:8080/webtools/control/httpService"/>
+        <service-location name="main-soap" location="http://localhost:8080/webtools/control/SOAPService"/> -->
 
         <service-location name="entity-sync-rmi" location="rmi://localhost:1099/RMIDispatcher"/>
-        <service-location name="entity-sync-http" location="https://localhost:8443/webtools/control/httpService"/>
+        <!-- <service-location name="entity-sync-http" location="https://localhost:8443/webtools/control/httpService"/> -->
 
         <service-location name="rita-rmi" location="rmi://localhost:1099/RMIDispatcher"/>
-        <service-location name="eedcc-test" location="https://localhost:8443/webtools/control/httpService"/>
+        <!-- <service-location name="eedcc-test" location="https://localhost:8443/webtools/control/httpService"/> -->
 
         <!-- default notification group for all services loaded with 'main' loader
              - uncomment this to enable error notification for all services

framework/service/testdef/servicetests.xml

@@ -22,7 +22,7 @@ under the License.
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:noNamespaceSchemaLocation="http://ofbiz.apache.org/dtds/test-suite.xsd">
     <test-case case-name="service-tests"><junit-test-suite class-name="org.apache.ofbiz.service.test.ServiceEngineTests"/></test-case>
-    <test-case case-name="service-soap-tests"><junit-test-suite class-name="org.apache.ofbiz.service.test.ServiceSOAPTests"/></test-case>
+    <!-- <test-case case-name="service-soap-tests"><junit-test-suite class-name="org.apache.ofbiz.service.test.ServiceSOAPTests"/></test-case> -->
     <test-case case-name="service-entity-auto-tests"><junit-test-suite class-name="org.apache.ofbiz.service.test.ServiceEntityAutoTests"/></test-case>
 
     <test-case case-name="load-service-test-data">

framework/webtools/webapp/webtools/WEB-INF/controller.xml

@@ -86,7 +86,8 @@ under the License.
     </request-map>
 
     <!-- Begin Utility Requests -->
-    <request-map uri="httpService">
+    <!-- The 2 services below have been commented out for security reason, see OFBIZ-12212  -->
+    <!-- <request-map uri="httpService">
         <event type="java" path="org.apache.ofbiz.service.engine.HttpEngine" invoke="httpEngine"/>
         <response name="success" type="none"/>
         <response name="error" type="none"/>
@@ -96,7 +97,7 @@ under the License.
         <event type="soap"/>
         <response name="error" type="none"/>
         <response name="success" type="none"/>
-    </request-map>
+    </request-map> -->
     <request-map uri="xmlrpc" track-serverhit="false" track-visit="false">
         <security auth="true"/>
         <event type="xmlrpc"/>