Rich Salz wrote:
>> So each message, no matter the size, should be parsed to determine
>> authorization, authentication and validity? As opposed to
>> stopping/redirecting a request based on the URL/request-credentials
>> before a parse happens?
>
>
> Should be? Even I'd be reluctant to use something other than "may."
> If your gateway facility is fast enough to handle the traffic, then you
> can get significant performance gains by offloading stuff like you
> mention from your application servers. A J2EE server is not usually the
> most performant place to do a WS-Security signature validation.
>
> There are security benefits, too. Put the router into your DMZ and you
> prevent bad messages from even getting onto your network. Pass all XML
> traffic through it and you have a guaranteed policy enforcement point.
OK, I can see what you are saying. Is there some facility to
deny/turn-off processing for a type of DoS attack? Say something is
sending you several complex, large messages - what happens to the gateway?
-Rob
>
> But definitely, not everyone needs or wants to do this. It's all about
> engineering trade-offs.
>
> /r$
>