
Disable access to localhost/OpenKM/services/*

Posted: Wed Dec 01, 2021 6:27 am
by moealiassaad
Hello,

We have performed a pentest on the OpenKM app, and there were two issues related to the web services page that need to be fixed.

The first issue: lack of authentication to access the URL www.url.com/OpenKM/services. The recommended mitigation action was to either set up authentication on this page or disable it.
May you guide us please on how to perform one of these two actions?

The second issue: technical information disclosure, also on /OpenKM/services/* and /OpenKM/services/rest/swagger.json.
The mitigation action proposed for this one is to either define customized error messages, or generate exceptions at the code level and not send this information to the client browser.
Do you have any recommendation to perform this action?

Thanks in advance
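One way to apply the first mitigation at the servlet-container level rather than in the OpenKM source, added here as an example and not OpenKM's own configuration: it assumes OpenKM CE is deployed as a standard Java web application (e.g. under Tomcat) whose WEB-INF/web.xml can be edited, and that the legacy SOAP endpoints are not needed.

```xml
<!-- Added example, not part of OpenKM's shipped web.xml.
     A Servlet-spec security constraint placed in WEB-INF/web.xml of the
     OpenKM webapp. The url-pattern is relative to the context root, so
     /services/* covers both /OpenKM/services/* and
     /OpenKM/services/rest/swagger.json. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Legacy SOAP services and descriptors</web-resource-name>
    <url-pattern>/services/*</url-pattern>
  </web-resource-collection>
  <!-- An EMPTY auth-constraint means "no role is allowed": the container
       rejects every request to the pattern (HTTP 403), which is the
       "disable it" option from the pentest report. -->
  <auth-constraint/>
</security-constraint>
```

To choose the "set up authentication" option instead, list an existing role inside `<auth-constraint>` (e.g. `<role-name>...</role-name>`) together with a matching `<login-config>`, and verify afterwards with an unauthenticated request that /OpenKM/services/ and /OpenKM/services/rest/swagger.json no longer return 200.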

Re: Disable access to localhost/OpenKM/services/*

Posted: Sat Dec 04, 2021 9:21 am
by jllort
OpenKM CE comes with REST services and the old SOAP services (I think in the near or middle future we will remove SOAP, because for us it is a deprecated technology). Anyway, because you wish to build a jar SOAP client, it is a good idea not to have these resources authenticated. If you compare with the API, for example OpenKM/rest/*, these are authenticated.

The reason is what I explained before, to facilitate the build of the SOAP client.

Re: Disable access to localhost/OpenKM/services/*

Posted: Tue Dec 21, 2021 4:21 am
by moealiassaad
But what if I don't want to use SOAP? I only use the REST API from services. May I disable that page (OpenKM/services) or authenticate it? If so, could you give me some indications on how to do that?
Thanks

Re: Disable access to localhost/OpenKM/services/*

Posted: Mon Dec 27, 2021 8:53 am
by jllort
You should modify the source code and remove the unwanted web services.