Well, this has to be the REST doctrine reduced to its silliest extreme.
From a security standpoint, the second case is more securable than the
first. In the first case you have an actively listening process
receiving data from an external machine and the firewall has no way of
knowing what the listening process is going to do with the POSTed data.
In the second case, the firewall could use the additional metadata in
the message to implement some more intelligent rules-based security.
Now, from a security standpoint, that's pretty weak, but you certainly
can't argue that the first option is more secure.
> -----Original Message-----
> From: Mark Baker [mailto:distobj@acm.org]
> Sent: Friday, January 31, 2003 11:52 AM
> To: Rich Salz
> Cc: Cavnar-Johnson, John; xml-dev@lists.xml.org
> Subject: Re: [xml-dev] Elliotte Rusty Harold on Web Services
>
> Hey Rich,
>
> On Fri, Jan 31, 2003 at 11:57:43AM -0500, Rich Salz wrote:
> > Oh, *that* piece. Sometimes Bruce stretches to make his points, as in:
> > That's right. Those pesky firewalls prevent applications from
> > sending commands to each other, so SOAP lets vendors hide those
> > commands as HTTP so the firewall won't notice.
> >
> > which is wrong. SOAP over HTTP is architecturally no worse than HTTP
> > POST: both are sending data and requesting that a server act upon it.
>
> Bruce is right. There's an important difference.
>
> Consider these two examples;
>
> POST some-uri HTTP/1.0
> Content-Type: application/xml
> [blank line]
> <number>3</number>
>
> and
>
> POST some-uri HTTP/1.0
> Content-Type: application/xml
> [blank line]
> <add>
> <number>3</number>
> </add>
>
> In the former, the data that is sent is just data, not a request for
> action. POST is the action. If it were sent with HTTP PUT, it would
> mean something entirely different.
>
> In the latter, the meaning of POST is discarded and replaced with "add".
> If it were sent with HTTP PUT, the expectation would be that the same
> thing would happen as if it were sent with POST.
>
> HTTP messages only need one method.
>
> And to Mike's question; I used to develop software in a Web-services
> like manner, with DCE/CORBA/RMI/etc.. Then I learned a better way.
>
> MB
> --
> Mark Baker. Ottawa, Ontario, CANADA. http://www.markbaker.ca
> Web architecture consulting, technical reports, evaluation & analysis
>
> -----------------------------------------------------------------
> The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
> initiative of OASIS <http://www.oasis-open.org>
>
> The list archives are at http://lists.xml.org/archives/xml-dev/
>
> To subscribe or unsubscribe from this list use the subscription
> manager: <http://lists.xml.org/ob/adm.pl>
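As an added example (not part of Mark Baker's or John Cavnar-Johnson's messages), here is a small Python filter that parses the two requests quoted above and shows what a rules-based firewall can and cannot decide from each: with a bare `<number>` body it can only allow or deny POST to the target, while a body whose root element names an operation gives it something finer to key on. The policy tables, the vocabulary of recognised operation names, and the third `<remove>` request are assumptions constructed for this example; the closing `</number>` tag is corrected from the quoted text.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Constructed sample requests, transcribed from the two examples in the
# quoted message (with the closing </number> tag corrected).
REQUEST_DATA_ONLY = (
    b"POST some-uri HTTP/1.0\r\n"
    b"Content-Type: application/xml\r\n"
    b"\r\n"
    b"<number>3</number>"
)
REQUEST_VERB_IN_BODY = (
    b"POST some-uri HTTP/1.0\r\n"
    b"Content-Type: application/xml\r\n"
    b"\r\n"
    b"<add>\n<number>3</number>\n</add>"
)
# Constructed third request (not from the message) whose body names an
# operation the hypothetical policy below does not permit.
REQUEST_UNLISTED_VERB = (
    b"POST some-uri HTTP/1.0\r\n"
    b"Content-Type: application/xml\r\n"
    b"\r\n"
    b"<remove>\n<number>3</number>\n</remove>"
)


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("ascii").split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def body_root(req: dict) -> Optional[str]:
    """Name of the body's root element, or None when the body is not
    declared as XML or is not well-formed.  For the second request this
    is the 'add' that the message says takes over the role of POST."""
    if not req["headers"].get("content-type", "").startswith("application/xml"):
        return None
    try:
        return ET.fromstring(req["body"]).tag
    except ET.ParseError:
        return None


# Hypothetical policy (an assumption of this example).  A filter can only
# use an operation name it has been told about; anything else in the body
# is opaque data, and then the coarse method+target rule is all it has.
KNOWN_OPERATIONS = {"add", "remove"}
FINE_RULES = {("POST", "some-uri", "add"): "allow"}
COARSE_RULES = {("POST", "some-uri"): "allow"}


def decide(req: dict) -> Tuple[str, str]:
    """Return (decision, reason), using the operation-level rule when the
    body carries a recognised operation name and the coarse rule otherwise."""
    root = body_root(req)
    if root in KNOWN_OPERATIONS:
        decision = FINE_RULES.get((req["method"], req["target"], root), "deny")
        return decision, f"operation '{root}' judged by the fine rules"
    decision = COARSE_RULES.get((req["method"], req["target"]), "deny")
    return decision, "coarse rule only: the body is data the filter cannot judge"


if __name__ == "__main__":
    for label, raw in (("data only", REQUEST_DATA_ONLY),
                       ("verb in body", REQUEST_VERB_IN_BODY),
                       ("unlisted verb", REQUEST_UNLISTED_VERB)):
        print(f"{label:14s} -> {decide(parse_request(raw))}")
```

The point the filter makes concrete is the one in the reply above: for the first request the allow decision is the same one a port-level rule would make, because nothing in `<number>3</number>` tells the filter what the listener will do; only when the application puts an operation name in the body does a finer, default-deny rule become possible, and that still depends on the filter knowing the vocabulary.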