[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

RE: Elliotte Rusty Harold on Web Services

posted data web services
Well, this has to be the REST doctrine reduced to its silliest extreme.
From a security standpoint, the second case is more securable than the
first. In the first case you have an actively listening process
receiving data from an external machine and the firewall has no way of
knowing what the listening process is going to do with the POSTed data.
In the second case, the firewall could use the additional metadata in
the message to implement some more intelligent rules-based security.
Now, from a security standpoint, that's pretty weak, but you certainly
can't argue that the first option is more secure.

> -----Original Message-----
> From: Mark Baker [mailto:distobj@a...]
> Sent: Friday, January 31, 2003 11:52 AM
> To: Rich Salz
> Cc: Cavnar-Johnson, John; xml-dev@l...
> Subject: Re:  Elliotte Rusty Harold on Web Services
> Hey Rich,
> On Fri, Jan 31, 2003 at 11:57:43AM -0500, Rich Salz wrote:
> > Oh, *that* piece.  Sometimes Bruce stretches to make his points, as
> >     That's right. Those pesky firewalls prevent applications from
> >     sending commands to each other, so SOAP lets vendors hide those
> >     commands as HTTP so the firewall won't notice.
> >
> > which is wrong.  SOAP over HTTP is architecturally no worse than
> > POST:  both are sending data and requesting that a server act upon
> Bruce is right.  There's an important difference.
> Consider these two examples;
> POST some-uri HTTP/1.0
> Content-Type: application/xml
> [blank line]
> <number>3<number>
> and
> POST some-uri HTTP/1.0
> Content-Type: application/xml
> [blank line]
> <add>
> <number>3<number>
> </add>
> In the former, the data that is sent is just data, not a request for
> action.  POST is the action.  If it were sent with HTTP PUT, it would
> mean something entirely different.
> In the latter, the meaning of POST is discarded and replaced with
> If it were sent with HTTP PUT, the expectation would be that the same
> thing would happen as if it were sent with POST.
> HTTP messages only need one method.
> And to Mike's question; I used to develop software in a Web-services
> like manner, with DCE/CORBA/RMI/etc..  Then I learned a better way.
> MB
> --
> Mark Baker.   Ottawa, Ontario, CANADA.        http://www.markbaker.ca
> Web architecture consulting, technical reports, evaluation & analysis
> -----------------------------------------------------------------
> The xml-dev list is sponsored by XML.org <http://www.xml.org>, an
> initiative of OASIS <http://www.oasis-open.org>
> The list archives are at http://lists.xml.org/archives/xml-dev/
> To subscribe or unsubscribe from this list use the subscription
> manager: <http://lists.xml.org/ob/adm.pl>


Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Buy Stylus Studio Now

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Don't miss another message! Subscribe to this list today.
First Name
Last Name
Subscribe in XML format
RSS 2.0
Atom 0.3

Stylus Studio has published XML-DEV in RSS and ATOM formats, enabling users to easily subcribe to the list from their preferred news reader application.

Stylus Studio Sponsored Links are added links designed to provide related and additional information to the visitors of this website. they were not included by the author in the initial post. To view the content without the Sponsor Links please click here.

Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member
Stylus Studio® and DataDirect XQuery ™are products from DataDirect Technologies, is a registered trademark of Progress Software Corporation, in the U.S. and other countries. © 2004-2013 All Rights Reserved.