+1

--
Kind Regards,
Ashish Vijaywargiya
Vice President of Operations
*HotWax Systems*
*Enterprise open source experts*
http://www.hotwaxsystems.com



On Fri, Jul 3, 2026 at 6:22 PM Anil Patel <[email protected]>
wrote:

> Hi all,
>
> I would like to open a discussion about removing SOAP support from OFBiz -
> both the SOAP endpoint that exposes our services and the soap service
> engine that calls external SOAP services - and I would like to hear where
> everyone stands before we do anything.
>
>
> Here is where we already are. SOAP is effectively switched off out of the
> box. The SOAPService endpoint in webtools was commented out in 2021 as part
> of OFBIZ-12212 (CVE-2021-30128), alongside the HTTP engine, for security
> reasons - the same way the RMI engine was commented out back in 2016
> (OFBIZ-6942) over the Java deserialization issue. The soap service engine
> in serviceengine.xml is commented out as well. So on a default build there
> is no SOAP in either direction today: we ship the code, but nobody can use
> it without deliberately turning it back on against that security guidance.
>
>
> Because it is off and unused, the SOAP and WSDL code has quietly
> accumulated a backlog of bugs that nobody fixes. OFBIZ-743 (2007),
> OFBIZ-3300 (2009), OFBIZ-4245 (2011) and OFBIZ-6921 (2016) are all still
> open, some for well over a decade. That is a fair signal in itself: a
> subsystem that is disabled, unmaintained, and security-sensitive is a
> liability to carry.
>
>
> The wider picture is even clearer. The industry has moved off SOAP,
> including the very services OFBiz has historically integrated with. FedEx
> is retiring its legacy SOAP web services entirely, with the last endpoints
> going away in mid-2026, in favor of REST. UPS already turned off its legacy
> XML/SOAP APIs in June 2024 and now requires REST with JSON and OAuth 2.0.
> eBay ended support for its SOAP-era Trading API back in 2021 and points
> everyone at its REST APIs. The common thread is REST and JSON with OAuth -
> lighter, faster, better tooled, and far simpler to consume than SOAP
> envelopes and WSDLs. OFBiz has moved the same way, with the REST API plugin
> now the modern path for remote access.
>
>
> So my question to the community: is it time to remove SOAP from OFBiz
> entirely - the SOAP event handler, the soap service engine, the SOAP
> serializer, the WSDL generation, and the related test services - rather
> than keep carrying a disabled, unmaintained, security-sensitive subsystem
> that talks a protocol the ecosystem has left behind? RMI is in a similar
> disabled-but-still-present state and could reasonably be part of the same
> cleanup conversation.
>
>
> If anyone is actively using SOAP with OFBiz, or has a reason we should keep
> it even in its disabled form, please speak up - that is exactly what I want
> to understand before proposing a removal. If we agree it has run its
> course, I will raise a Jira issue and take it forward the same way we have
> handled other dead code recently.
>
>
> Thanks and Regards
> Anil Patel
> CEO
> HotWax Systems
> http://www.hotwaxsystems.com
>

Reply via email to