+1 -- Kind Regards, Ashish Vijaywargiya Vice President of Operations *HotWax Systems* *Enterprise open source experts* http://www.hotwaxsystems.com
On Fri, Jul 3, 2026 at 6:22 PM Anil Patel <[email protected]> wrote: > Hi all, > > I would like to open a discussion about removing SOAP support from OFBiz - > both the SOAP endpoint that exposes our services and the soap service > engine that calls external SOAP services - and I would like to hear where > everyone stands before we do anything. > > > Here is where we already are. SOAP is effectively switched off out of the > box. The SOAPService endpoint in webtools was commented out in 2021 as part > of OFBIZ-12212 (CVE-2021-30128), alongside the HTTP engine, for security > reasons - the same way the RMI engine was commented out back in 2016 > (OFBIZ-6942) over the Java deserialization issue. The soap service engine > in serviceengine.xml is commented out as well. So on a default build there > is no SOAP in either direction today: we ship the code, but nobody can use > it without deliberately turning it back on against that security guidance. > > > Because it is off and unused, the SOAP and WSDL code has quietly > accumulated a backlog of bugs that nobody fixes. OFBIZ-743 (2007), > OFBIZ-3300 (2009), OFBIZ-4245 (2011) and OFBIZ-6921 (2016) are all still > open, some for well over a decade. That is a fair signal in itself: a > subsystem that is disabled, unmaintained, and security-sensitive is a > liability to carry. > > > The wider picture is even clearer. The industry has moved off SOAP, > including the very services OFBiz has historically integrated with. FedEx > is retiring its legacy SOAP web services entirely, with the last endpoints > going away in mid-2026, in favor of REST. UPS already turned off its legacy > XML/SOAP APIs in June 2024 and now requires REST with JSON and OAuth 2.0. > eBay ended support for its SOAP-era Trading API back in 2021 and points > everyone at its REST APIs. The common thread is REST and JSON with OAuth - > lighter, faster, better tooled, and far simpler to consume than SOAP > envelopes and WSDLs. OFBiz has moved the same way, with the REST API plugin > now the modern path for remote access. > > > So my question to the community: is it time to remove SOAP from OFBiz > entirely - the SOAP event handler, the soap service engine, the SOAP > serializer, the WSDL generation, and the related test services - rather > than keep carrying a disabled, unmaintained, security-sensitive subsystem > that talks a protocol the ecosystem has left behind? RMI is in a similar > disabled-but-still-present state and could reasonably be part of the same > cleanup conversation. > > > If anyone is actively using SOAP with OFBiz, or has a reason we should keep > it even in its disabled form, please speak up - that is exactly what I want > to understand before proposing a removal. If we agree it has run its > course, I will raise a Jira issue and take it forward the same way we have > handled other dead code recently. > > > Thanks and Regards > Anil Patel > CEO > HotWax Systems > http://www.hotwaxsystems.com >
