OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help



   Re: [xml-dev] SOAP-RPC and REST and security

[ Lists Home | Date Index | Thread Index ]

On Tuesday 19 February 2002 10:23 pm, Mike Champion wrote:
> So, what's the current thinking about SOAP-RPC as a security risk in
> *plausible* scenarios where business services are exposed via SOAP? 
> And is it generally accepted that a REST-ful worm couldn't happen,
> or is this wishful thinking on my part?  I guess if you give me PUT
> access I could send you a virus that did all sorts of harm, but I'd
> still have to sucker you into running it ... with RPC, a mechanism
> exists for the remote user to execute code directly.

Given that most initial RESTful applications will use HTTP, I can't 
see how they'd be intrinsically any safer than SOAP over HTTP. 

FWIW. One of the basics of security is the notion of "least privilege" 
which web services (indeed the web in general) almost explicitly goes 
against because of the global namespaces. 


News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS