OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

 


 

   Re: [xml-dev] SOAP-RPC and REST and security

[ Lists Home | Date Index | Thread Index ]

Dare Obasanjo wrote:
> 
> Like I said, your point is lost on me. A SOAP request is typically an
> HTTP POST with XML in the body of request. Many web applications use
> HTTP POST as a means of submitting form data instead of putting it in
> GET request URLs. 

Web applications are *supposed to* use HTTP POST to submit form data.

> ... However until this fairly absurd tangent on XML-DEV I
> have NEVER heard anyone say that if suddenly we convert all web
> forms/applications to use HTTP GET instead of HTTP POST, web
> applications would suddenly be more secure.

GETs versus POSTs are not the issue. The issue is how descriptive the
URI. For instance, that is what goes in the logfile because that's what
a REST user would consider the equivalent of checking for port scanning
etc. It's also the granularity of control.

SOAP can never provide an equivalent of the Combined Log File format
because it doesn't know what part of the message is most relevant. It
could be the last element. You'd have to log every single message and
use sophisticated XML query techniques to try to figure out which
messages manipulate which logical resources.

REST can easily block off parts of a service to particular users. SOAP
doesn't even have a notion of "parts of a service." Like everything
else, you the application developer have to invent it for yourself in
SOAP.

> I expect that the people who are making the REST is more secure argument
> are primarily trying to promote an agenda instead of thinking critically
> about their statements which is rather unfortunate.

Yeah, I've got Bruce Schneier in my back pocket as a REST advocate.

 Paul Prescod




 

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS