Re: What Does SOAP/WS Do that A REST System Can't?

To: Joe Gregorio <joe.gregorio@g...>
Subject: Re: What Does SOAP/WS Do that A REST System Can't?
From: Rich Salz <rsalz@d...>
Date: Thu, 14 Apr 2005 09:48:33 -0400 (EDT)
Cc: "xml-dev@l..." <xml-dev@l...>
In-reply-to: <3f1451f5050414060544a73a84@m...>

Play the video

> 'Shared state' seems more like a derived requirement from your
> authentication mechanism choice and its implementation.

I'm not sure what you mean by a derived requirement.  I don't want
to create my own security mechanism, that's considered real bad
practice.  I want to use existing mechanisms.  So my requirement
(for our purposes here) is like "I want to do something very much like
SSL"  So is shared state therefore derived?

> You need shared state. Shared state that doesn't
> get communicated. Shared state that doesn't
> get communicated over HTTP. And you claim that the
> 'statelessness' of HTTP is a problem.

Sorry, I was too terse.  We need to communicate some shared state
so that we can derive common keys.  Or we need something like a
running digest of all messages we've exchanged in this "conversation."

> To narrow the conversation,
> I'll go read WS-SecureConversation.

Good.  That should do a much better job than I can.

>  Are there more detailed
> reasons as to why every client operation
> ends up being a POST?

Because GET doesn't have a message body?  Because I need a message
body because I don't know of any way to get a few K (of binary
data; add 4/3 if doing base64) to the server without putting
it in the message body, and because it's *not* idempotent; replays
are something we're trying to avoid.

> Even if every operation is a POST, I believe there would be a
> benefit from leveraging the extensible authentication mechanism
> outlined in RFC 2617. The most obvious one of which is that it can
> be applied to resources who representations aren't just
> 'application/soap+xml', i.e. HTML, images, etc.

I agree it would be a good thing if it could be done.  I'm fairly
confident it can't be.  I'm sure you're tired of hearing me say
that.  Hopefully we're getting closer to an understanding of why.

        /r$

-- 
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html

References:
- Re: What Does SOAP/WS Do that A REST System Can't?
  - From: Joe Gregorio <joe.gregorio@g...>

Prev by Date: Re: What Does SOAP/WS Do that A REST System Can't?
Next by Date: Re: What Does SOAP/WS Do that A REST System Can't?
Previous by thread: Re: What Does SOAP/WS Do that A REST System Can't?
Next by thread: Re: What Does SOAP/WS Do that A REST System Can't?
Index(es):
- Date
- Thread

PURCHASE STYLUS STUDIO ONLINE TODAY!

Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Subscribe in XML format

RSS 2.0
Atom 0.3

Stylus Studio has published XML-DEV in RSS and ATOM formats, enabling users to easily subcribe to the list from their preferred news reader application.

Stylus Studio Sponsored Links are added links designed to provide related and additional information to the visitors of this website. they were not included by the author in the initial post. To view the content without the Sponsor Links please click here.

XML Editor - Download a 15 Day Free Trial Now >

See What's New in Stylus Studio >

Buy Stylus Studio - XML Editor - Now >