Hi guys, According to Nandana's article in WSO2 Security Vulnerabilities in Apache Axis2 1.4 / Rampart 1.4 and Avoiding Them <http://wso2.org/library/3787>Axis2 users should not attach security policy on the binding or port (as it should be according the ws security policy spec) but should instead use the portType.
Would not it be good to provide a configuration option to disable this legacy endpoint so that new Axis2 users can switch it on and attach policy to the binding without being afraid that their service will be vulnerable. Regards, Detelin