xml-dev - Re: [xml-dev] SOAP-RPC and REST and security

Re: [xml-dev] SOAP-RPC and REST and security

[ Lists Home | Date Index | Thread Index ]

To: xml-dev@lists.xml.org
Subject: Re: [xml-dev] SOAP-RPC and REST and security
From: Gavin Thomas Nicol <gtn@rbii.com>
Date: Tue, 19 Feb 2002 23:49:52 -0500
In-reply-to: <JISRSOOTTOIH1UTQC8TNJFVSSPHCF.3c7316a4@MChamp>
Organization: Red Bridge Interactive, Inc.
References: <JISRSOOTTOIH1UTQC8TNJFVSSPHCF.3c7316a4@MChamp>

On Tuesday 19 February 2002 10:23 pm, Mike Champion wrote:
> So, what's the current thinking about SOAP-RPC as a security risk in
> *plausible* scenarios where business services are exposed via SOAP? 
> And is it generally accepted that a REST-ful worm couldn't happen,
> or is this wishful thinking on my part?  I guess if you give me PUT
> access I could send you a virus that did all sorts of harm, but I'd
> still have to sucker you into running it ... with RPC, a mechanism
> exists for the remote user to execute code directly.

Given that most initial RESTful applications will use HTTP, I can't 
see how they'd be intrinsically any safer than SOAP over HTTP. 

FWIW. One of the basics of security is the notion of "least privilege" 
which web services (indeed the web in general) almost explicitly goes 
against because of the global namespaces.

Follow-Ups:
- Re: [xml-dev] SOAP-RPC and REST and security
  - From: Paul Prescod <paul@prescod.net>

References:
- SOAP-RPC and REST and security
  - From: Mike Champion <mc@xegesis.org>

Prev by Date: SOAP-RPC and REST and security
Next by Date: Re: [xml-dev] SOAP-RPC and REST and security
Previous by thread: SOAP-RPC and REST and security
Next by thread: Re: [xml-dev] SOAP-RPC and REST and security
Index(es):
- Date
- Thread