
Re: What Does SOAP/WS Do that A REST System Can't?

> You have mentioned this before, but is there anything 
> which stops you from using TLS/SSL on all the hops
> *after* the firewall?

No, but you lose the ability to authenticate the original client with 
SSL client certs. It also requires the server to have complete trust in 
the operation and bug-free-ness of any intermediate SSL hops.  In 
essence, you have to trust the SSL intermediary as much as you trust the 
server itself.  But if you do that, then why is it in the DMZ? :)

> That first GET is for the hypertext that contains the POE link, correct.

So the first part of using POE to make HTTP reliable is to double the 
number of HTTP interactions.  And then, of course, you have the issue of 
the unreliability of the initial GET.  I'm not saying that to be cute, 
but if the GET-POE-link fails, the server could possibly have "stranded" 
URLs waiting for the client to GET the POST response.  (Er, that 
wording's a bit muddled, but I hope you see what I mean.)

> What I don't understand is the underlying assumption that 
> Basic and Digest are the end of the line for HTTP authentication.

Probably because there's been effectively no work done in the past 
decade.  The two mechanisms you mention -- WS-Security UserName profile, 
and Atom authentication -- are the same thing as Digest or BasicAuth in 
that they require a shared secret between the client and server.  (And 
is it really true that the second mechanism only exists because of a 
mis-feature in Apache CGI?)

User-chosen passwords are notoriously easy to guess.  The WS-Security 
UserName profile puts the password at the end of the digest, meaning an 
attacker can pre-compute the first part of the SHA based solely on the 
plaintext.  It's done that way on purpose, but understand the 
trade-offs.  It's also unfortunate that Atom WSSE didn't include any of 
the countermeasures described in the standard.  (See lines 132-154 of 
the standard.)

Like Digest and BasicAuth, the two you mentioned require both parties to 
use that shared secret on every interaction.  It's just like having to 
type your password into the shell after every command.


Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
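The digest layout and the countermeasures discussed above, as an added example that is not part of Rich Salz's post: a client-side UsernameToken PasswordDigest (nonce, then Created, then the password last, per the WSS UsernameToken Profile) beside a verifier that applies the two countermeasures the profile describes, a Created freshness window and a nonce cache. The password, timestamps and function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed sample shared secret; not taken from the original post.
PASSWORD = "correct horse"
CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"


def make_username_token(password, nonce=None, created=None):
    """Client side: PasswordDigest = Base64(SHA-1(nonce + created + password)).
    The password is the last input, so the SHA-1 state after nonce+created
    depends only on values sent in the clear (the trade-off noted above)."""
    nonce = nonce or secrets.token_bytes(16)
    created = created or datetime.now(timezone.utc).strftime(CREATED_FMT)
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return {"nonce": base64.b64encode(nonce).decode(), "created": created,
            "digest": base64.b64encode(digest).decode()}


class UsernameTokenVerifier:
    """Server side: recompute the digest and apply the profile's countermeasures,
    a freshness window on Created and a cache of already-accepted nonces."""

    def __init__(self, password, max_skew=timedelta(minutes=5), now=None):
        self.password = password
        self.max_skew = max_skew
        self.seen_nonces = set()          # in practice, expire entries older than max_skew
        self.now = now or (lambda: datetime.now(timezone.utc))  # injectable clock for tests

    def verify(self, token):
        created = datetime.strptime(token["created"], CREATED_FMT).replace(tzinfo=timezone.utc)
        if abs(self.now() - created) > self.max_skew:
            return False, "stale Created timestamp"
        nonce = base64.b64decode(token["nonce"])
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        expected = hashlib.sha1(nonce + token["created"].encode() + self.password.encode()).digest()
        if not hmac.compare_digest(expected, base64.b64decode(token["digest"])):
            return False, "bad digest"
        self.seen_nonces.add(nonce)       # remember the nonce only after a successful check
        return True, "ok"
```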

