RE: Elliotte Rusty Harold on Web Services
Well, this has to be the REST doctrine reduced to its silliest extreme. From a security standpoint, the second case is more securable than the first. In the first case you have an actively listening process receiving data from an external machine and the firewall has no way of knowing what the listening process is going to do with the POSTed data. In the second case, the firewall could use the additional metadata in the message to implement some more intelligent rules-based security. Now, from a security standpoint, that's pretty weak, but you certainly can't argue that the first option is more secure.

> -----Original Message-----
> From: Mark Baker [mailto:distobj@a...]
> Sent: Friday, January 31, 2003 11:52 AM
> To: Rich Salz
> Cc: Cavnar-Johnson, John; xml-dev@l...
> Subject: Re: Elliotte Rusty Harold on Web Services
>
> Hey Rich,
>
> On Fri, Jan 31, 2003 at 11:57:43AM -0500, Rich Salz wrote:
> > Oh, *that* piece. Sometimes Bruce stretches to make his points, as in:
> > That's right. Those pesky firewalls prevent applications from
> > sending commands to each other, so SOAP lets vendors hide those
> > commands as HTTP so the firewall won't notice.
> >
> > which is wrong. SOAP over HTTP is architecturally no worse than HTTP
> > POST: both are sending data and requesting that a server act upon it.
>
> Bruce is right. There's an important difference.
>
> Consider these two examples:
>
> POST some-uri HTTP/1.0
> Content-Type: application/xml
> [blank line]
> <number>3</number>
>
> and
>
> POST some-uri HTTP/1.0
> Content-Type: application/xml
> [blank line]
> <add>
> <number>3</number>
> </add>
>
> In the former, the data that is sent is just data, not a request for
> action. POST is the action. If it were sent with HTTP PUT, it would
> mean something entirely different.
>
> In the latter, the meaning of POST is discarded and replaced with "add".
> If it were sent with HTTP PUT, the expectation would be that the same
> thing would happen as if it were sent with POST.
>
> HTTP messages only need one method.
>
> And to Mike's question; I used to develop software in a Web-services
> like manner, with DCE/CORBA/RMI/etc.. Then I learned a better way.
>
> MB
> --
> Mark Baker. Ottawa, Ontario, CANADA. http://www.markbaker.ca
> Web architecture consulting, technical reports, evaluation & analysis
>
> -----------------------------------------------------------------
> The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
> initiative of OASIS <http://www.oasis-open.org>
>
> The list archives are at http://lists.xml.org/archives/xml-dev/
>
> To subscribe or unsubscribe from this list use the subscription
> manager: <http://lists.xml.org/ob/adm.pl>
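Added example, not part of the thread and not code from any of its authors: a minimal application-layer filter that makes the distinction both messages argue about concrete. For a plain-data body the HTTP method is the action a firewall can reason about; for a body whose root element is itself a verb (the `<add>` case) that verb is the action, whatever the method says, so a method-only filter sees nothing while a body-aware one can apply a rule. The sample requests are constructed from the two examples in the quoted mail, and the `VERB_ELEMENTS` and `ALLOWED_ACTIONS` sets are hypothetical policy inputs.

```python
"""Application-layer inspection of the two request shapes discussed in the thread."""
import xml.etree.ElementTree as ET

# Constructed sample requests, modelled on the two examples in the quoted mail.
PLAIN_DATA = (
    "POST /some-uri HTTP/1.0\r\n"
    "Content-Type: application/xml\r\n"
    "\r\n"
    "<number>3</number>"
)
VERB_IN_BODY = (
    "POST /some-uri HTTP/1.0\r\n"
    "Content-Type: application/xml\r\n"
    "\r\n"
    "<add><number>3</number></add>"
)
# Same body sent with PUT: per the thread, the expected effect is unchanged.
VERB_IN_BODY_PUT = VERB_IN_BODY.replace("POST", "PUT", 1)

# Hypothetical: root elements that an RPC-style convention uses as verbs.
VERB_ELEMENTS = {"add", "delete", "transfer"}
# Hypothetical policy: actions permitted on this endpoint.
ALLOWED_ACTIONS = {"POST", "PUT"}


def parse_request(raw):
    """Split a minimal HTTP/1.0 request into (method, target, headers, body)."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def effective_action(raw):
    """Return (source, action) for the request.

    source is "http-method" when the body is plain data (the method is the action),
    "body-verb" when the root element carries the verb, or "reject" when the
    message cannot be classified (wrong media type or malformed XML).
    """
    method, _target, headers, body = parse_request(raw)
    media_type = headers.get("content-type", "").split(";")[0].strip()
    if media_type != "application/xml":
        return ("reject", "non-XML body")
    try:
        root = ET.fromstring(body)  # malformed XML is rejected, never guessed at
    except ET.ParseError as exc:
        return ("reject", f"malformed XML: {exc}")
    if root.tag in VERB_ELEMENTS:
        return ("body-verb", root.tag)
    return ("http-method", method)


def method_only_decision(raw):
    """What a filter that only looks at the request line can decide."""
    method, _target, _headers, _body = parse_request(raw)
    return "allow" if method in ALLOWED_ACTIONS else "deny"


def policy_decision(raw):
    """Body-aware decision: the effective action must be on the allow-list."""
    source, action = effective_action(raw)
    if source == "reject":
        return ("deny", action)
    verdict = "allow" if action in ALLOWED_ACTIONS else "deny"
    return (verdict, f"{source}:{action}")


if __name__ == "__main__":
    for name, req in [("plain data", PLAIN_DATA), ("verb in body", VERB_IN_BODY),
                      ("verb in body via PUT", VERB_IN_BODY_PUT)]:
        print(f"{name:22} method-only={method_only_decision(req):5} "
              f"body-aware={policy_decision(req)}")
```

Running it shows the asymmetry: the method-only filter allows all three requests, while the body-aware one allows the plain-data POST and denies both `<add>` messages because the effective action "add" is not on the allow-list, regardless of whether it arrived via POST or PUT.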