> If one uses XML for serializing objects and nothing else, then things
> get easier. But developing real systems would get easier if there was a
> way of developing them so that validity (well-typedness) is checked
> statically.
Sure, as long as (a) everyone is using the same object system, and (b)
you're not worried about an adversary sending data that will cause your
object-creation code to create bad/dangerous/evil objects; and (c) you are
not worried about your objects leaking internal information, or (c') you
take steps to prevent this, such as by having internal and external/proxy
objects.
That's a pretty powerful set of concerns, I think, and I wouldn't
particularly call any of them easy.
If you treat XML as the data, and not as an object serialization format,
then (a) you get to use the new cool SOA buzzword; and (b) you tend to
build safer systems.
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
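
The contrast drawn in the message above, treating XML as data rather than as an object serialization format, shown as an added example that is not part of the original post. The `Order` type, its fields and the allow-list are hypothetical: the receiver copies out only validated fields (concern b) and emits only an external view of the object (concerns c and c').

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

def _name(s):      # printable, bounded length
    return s if 0 < len(s) <= 64 and s.isprintable() else None

def _quantity(s):  # small positive ASCII integer
    ok = s.isascii() and s.isdigit() and len(s) <= 4 and 0 < int(s) <= 1000
    return int(s) if ok else None

# Allow-list of wire fields (hypothetical schema): element name -> validator.
ALLOWED = {"name": _name, "quantity": _quantity}

@dataclass
class Order:                      # internal object (hypothetical)
    name: str
    quantity: int
    internal_cost_cents: int = 0  # never read from, or written to, the wire

def parse_order(xml_text: str) -> Order:
    """Treat the document as data: copy out only known, validated fields."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTDs are not accepted")   # coarse pre-parse check
    root = ET.fromstring(xml_text)
    if root.tag != "order" or root.attrib:
        raise ValueError("unexpected root element")
    values = {}
    for child in root:
        check = ALLOWED.get(child.tag)
        if check is None or len(child) or child.attrib or child.tag in values:
            raise ValueError(f"unexpected content in <{child.tag}>")
        value = check((child.text or "").strip())
        if value is None:
            raise ValueError(f"invalid value for <{child.tag}>")
        values[child.tag] = value
    if set(values) != set(ALLOWED):
        raise ValueError("missing field")
    return Order(**values)  # the receiver, not the sender, picks the type

def to_external_xml(order: Order) -> str:
    """External/proxy view: only allow-listed fields leave the process."""
    root = ET.Element("order")
    for field in ALLOWED:
        ET.SubElement(root, field).text = str(getattr(order, field))
    return ET.tostring(root, encoding="unicode")

# Constructed sample input.
SAMPLE = "<order><name>widget</name><quantity>3</quantity></order>"
```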