Hi all, I would like to open a discussion about removing SOAP support from OFBiz - both the SOAP endpoint that exposes our services and the soap service engine that calls external SOAP services - and I would like to hear where everyone stands before we do anything.
Here is where we already are. SOAP is effectively switched off out of the box. The SOAPService endpoint in webtools was commented out in 2021 as part of OFBIZ-12212 (CVE-2021-30128), alongside the HTTP engine, for security reasons - the same way the RMI engine was commented out back in 2016 (OFBIZ-6942) over the Java deserialization issue. The soap service engine in serviceengine.xml is commented out as well. So on a default build there is no SOAP in either direction today: we ship the code, but nobody can use it without deliberately turning it back on against that security guidance. Because it is off and unused, the SOAP and WSDL code has quietly accumulated a backlog of bugs that nobody fixes. OFBIZ-743 (2007), OFBIZ-3300 (2009), OFBIZ-4245 (2011) and OFBIZ-6921 (2016) are all still open, some for well over a decade. That is a fair signal in itself: a subsystem that is disabled, unmaintained, and security-sensitive is a liability to carry. The wider picture is even clearer. The industry has moved off SOAP, including the very services OFBiz has historically integrated with. FedEx is retiring its legacy SOAP web services entirely, with the last endpoints going away in mid-2026, in favor of REST. UPS already turned off its legacy XML/SOAP APIs in June 2024 and now requires REST with JSON and OAuth 2.0. eBay ended support for its SOAP-era Trading API back in 2021 and points everyone at its REST APIs. The common thread is REST and JSON with OAuth - lighter, faster, better tooled, and far simpler to consume than SOAP envelopes and WSDLs. OFBiz has moved the same way, with the REST API plugin now the modern path for remote access. So my question to the community: is it time to remove SOAP from OFBiz entirely - the SOAP event handler, the soap service engine, the SOAP serializer, the WSDL generation, and the related test services - rather than keep carrying a disabled, unmaintained, security-sensitive subsystem that talks a protocol the ecosystem has left behind? RMI is in a similar disabled-but-still-present state and could reasonably be part of the same cleanup conversation. If anyone is actively using SOAP with OFBiz, or has a reason we should keep it even in its disabled form, please speak up - that is exactly what I want to understand before proposing a removal. If we agree it has run its course, I will raise a Jira issue and take it forward the same way we have handled other dead code recently. Thanks and Regards Anil Patel CEO HotWax Systems http://www.hotwaxsystems.com
