[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] Re: SOAP-RPC and REST and security
Joshua Allen wrote: > >... > > Like when I create a PPTP tunnel over the Internet to dial in to my corporate account? We're talking about application protocols. They have semantics. >... > I will boil your long argument down to this: you claim that HTTP in > a REST model is secure, Security is not a boolean property. Architectures and standards promote or hurt the likelihood of secure implementations. > ... because an admin can trust that a GET does not modify > resources, and he can control access to other more > "dangerous" verbs. It isn't one thing. Idempotent GET is just an example. It is in general about making the message's meaning known to the firewall explicitly by: a) choosing a unique port b) having a consistent, simple structure c) having well-defined semantics d) having a transparent addressing model SOAP scores poorly on all of these criteria. It flouts all Internet protocol labeling conventions. Does that mean that SOAP is "insecure?" No. Does it mean that SOAP will exact a higher price in terms of break-ins and product prices than it otherwise would. I think so. Time will tell. Paul Prescod
|
PURCHASE STYLUS STUDIO ONLINE TODAY!Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! Download The World's Best XML IDE!Accelerate XML development with our award-winning XML IDE - Download a free trial today! Subscribe in XML format
|