Index: src/main/java/org/jboss/ws/core/server/WSDLRequestHandler.java
===================================================================
--- src/main/java/org/jboss/ws/core/server/WSDLRequestHandler.java	(revision 9637)
+++ src/main/java/org/jboss/ws/core/server/WSDLRequestHandler.java	(working copy)
@@ -30,8 +30,11 @@
 
 import org.jboss.logging.Logger;
 import org.jboss.ws.metadata.umdm.EndpointMetaData;
+import org.jboss.wsf.common.DOMUtils;
+import org.jboss.wsf.spi.SPIProvider;
+import org.jboss.wsf.spi.SPIProviderResolver;
 import org.jboss.wsf.spi.management.ServerConfig;
-import org.jboss.wsf.common.DOMUtils;
+import org.jboss.wsf.spi.management.ServerConfigFactory;
 import org.w3c.dom.Attr;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
@@ -88,11 +91,31 @@
       // get some imported resource
       else
       {
-         String impResourcePath = new File(wsdlLocation.getPath()).getParent() + File.separatorChar + resPath;
+         File wsdlLocFile = new File(wsdlLocation.getPath());
+         String impResourcePath = wsdlLocFile.getParent() + File.separatorChar + resPath;
          File impResourceFile = new File(impResourcePath);
+         String wsdlPublishLoc = epMetaData.getServiceMetaData().getWsdlPublishLocation();
 
-         Element wsdlElement = DOMUtils.parse(impResourceFile.toURL().openStream());
-         wsdlDoc = wsdlElement.getOwnerDocument();
+         log.debug("Importing resource file: " + impResourceFile.getCanonicalPath());
+
+         String wsdlLocFilePath = wsdlLocFile.getParentFile().getCanonicalPath();
+         SPIProvider spiProvider = SPIProviderResolver.getInstance().getProvider();
+         ServerConfig serverConfig = spiProvider.getSPI(ServerConfigFactory.class).getServerConfig();
+         String wsdlDataLoc = serverConfig.getServerDataDir().getCanonicalPath() + File.separatorChar + "wsdl";
+
+         //allow wsdl file's parent or server's data/wsdl or overriden wsdl publish directories only
+         if (impResourceFile.getCanonicalPath().indexOf(wsdlLocFilePath) >= 0
+             || impResourceFile.getCanonicalPath().indexOf(wsdlDataLoc) >= 0
+             || (wsdlPublishLoc != null 
+                  && impResourceFile.getCanonicalPath().indexOf(new File(new URL(wsdlPublishLoc).getPath()).getCanonicalPath()) >= 0))
+         {
+            Element wsdlElement = DOMUtils.parse(impResourceFile.toURL().openStream());
+            wsdlDoc = wsdlElement.getOwnerDocument();
+         }
+         else
+         {
+            throw new IOException("Access to this resource is not allowed");
+         }
       }
 
       modifyAddressReferences(reqURL, wsdlHost, resPath, wsdlDoc.getDocumentElement());