Symptoms
We use the SmartObject Services to expose SMOs as web service endpoints. Because this is hosted in the public domain we would like to disable the /SmartObjectServices/endpoints/endpoints.xml. This file is hosted without any security and exposes a lot of information on the available endpoints. We already disabled the metadata with the EnableMetada=false property on the configuration, but that is just the metadata of the endpoints itself.
Diagnoses
The client wanted the ability to hide sensitive data on the endpoints web service because it exposes a lot of sensitive data and information.
I don't think there is a setting to have the endpoints.xml file (i.e. http://dlx.denallix.com:8889/SmartObjectServices/endpoints/endpoints.xml) blocked or made unavailable while SmartObjectServices (the web endpoints to execute a SmartObject) is enabled.
We can log a feature request for that.
But here's some other security considerations they should make...
You should not be exposing all SmartObjects. In other words, do not change <excluded all="true"> to <excluded all="false">.
You should rather specify only the SmartObjects they want to be exposed publicly in the static list of the configuration (described here: http://help.k2.com/onlinehelp/k2blackpearl/devref/4.6.6/webframe.html#configuration2.html).
Preferably, you should also not set the SmartObjectServices to be available anonymously and should require authentication to execute these endpoints, but this isn't always possible in all scenarios, especially because they want it available publicly.
Doing these two things would reduce the risk with allowing the endpoints.xml to be available because it exposes only what is necessary, and if authentication is in place, only authorized users can access the info in the SmartObjects.
And there is no other sensitive detail in the endpoints.xml file.
If it is still an issue, you can configure Firewall rules as a workaround to prevent external access to the endpoints.xml file.
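After tightening the configuration as described above (static list of exposed SmartObjects, authentication required where possible, firewall rules as a fallback), the practical question is how to confirm from the outside what an anonymous client can still learn from endpoints.xml. The script below is an added audit example, not K2 code and not part of the original article. It assumes that endpoints.xml lists one XML element per exposed endpoint and that each such element carries a `name` attribute (the real schema is not documented on this page, so the sample file is constructed), and that a hardened service answers an unauthenticated request with HTTP 401 or 403.

```python
"""Audit anonymous exposure of a SmartObjectServices endpoints.xml.

Added example, not K2 code. Assumptions (labelled, not confirmed by the page):
  * each exposed endpoint appears as an XML element with a 'name' attribute;
  * once anonymous access is disabled the service returns 401 or 403.
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of what an endpoints.xml might look like; NOT a real K2 file.
SAMPLE_ENDPOINTS_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<endpoints>
  <endpoint name="Customer" />
  <endpoint name="Order" />
  <endpoint name="EmployeeSalary" />
</endpoints>"""


def fetch_anonymous(url, timeout=10):
    """GET the URL with no credentials and return (status, body_bytes).

    HTTP errors (401/403/404/...) are returned as a status rather than raised,
    because a 401/403 is exactly the outcome the audit wants to see.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "endpoints-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def exposed_names(body):
    """Return the set of 'name' attribute values found anywhere in the document.

    Walking every element (rather than a fixed path) keeps the check working
    if the real file nests endpoints differently from the constructed sample.
    """
    root = ET.fromstring(body)
    return {el.attrib["name"] for el in root.iter() if "name" in el.attrib}


def audit(status, body, allowed):
    """Classify an anonymous response against the list of SmartObjects you
    intended to expose.

    Returns a dict with:
      anonymous_readable  - True if the file was served without authentication
      exposed             - names listed in the file (empty if not readable)
      unexpected          - exposed names that are not in the allow-list
    """
    if status in (401, 403):
        return {"anonymous_readable": False, "exposed": set(), "unexpected": set()}
    if status != 200:
        raise ValueError("unexpected HTTP status %d" % status)
    names = exposed_names(body)
    return {
        "anonymous_readable": True,
        "exposed": names,
        "unexpected": names - set(allowed),
    }


if __name__ == "__main__":
    # Usage: python audit_endpoints.py <endpoints.xml URL> <AllowedSmo> [<AllowedSmo> ...]
    if len(sys.argv) < 2:
        print(__doc__)
        sys.exit(2)
    url, allowed = sys.argv[1], sys.argv[2:]
    status, body = fetch_anonymous(url)
    result = audit(status, body, allowed)
    if not result["anonymous_readable"]:
        print("OK: endpoints.xml is not readable anonymously (HTTP %d)" % status)
        sys.exit(0)
    print("endpoints.xml is readable anonymously; %d endpoint(s) listed" % len(result["exposed"]))
    for name in sorted(result["unexpected"]):
        print("  NOT in allow-list: %s" % name)
    # Non-zero exit makes the check usable from a scheduled job or pipeline.
    sys.exit(1 if result["unexpected"] else 0)
```

Run it from a host outside the perimeter so that it exercises the same network path and firewall rules an attacker would. A clean result is either a 401/403 (anonymous access disabled) or a 200 whose listed names are exactly the SmartObjects you put in the static list; any name outside that list means `<excluded all="false">` or a too-broad static list is in effect.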
Resolution
A feature request was logged so that this is included in a future release of K2.