Web Services - More Secure or Less?
visibleman asks: "I have recently moved onto a project which is based around web services and SOAP and have, therefore, been doing some reading on those subjects. One thing which keeps coming up is that web services are claimed to be more secure than CORBA and RMI because it means drilling fewer holes through firewalls. If I were a firewall administrator (I am not, I am a developer) I would want to know that if I open up a port (port 80 for instance) I know what kind of requests are coming through it. Since SOAP is essentially a mechanism for sending functional requests over a port specified for web page requests, this would make me nervous. My preference would be that requests for web pages go over one port and requests to run services go over another - favouring an IIOP solution. Am I off my trolley or would other Slashdotters have similar fears?"
SOAP is essentially a mechanism for sending functional requests over a port specified for web page requests, this would make me nervous.
No, it's not insecure. It's just that you're an idiot. Go fuck yourself./P.
As other people have pointed out, CGI scripts etc. are probably more inherently secure compared to SOAP. With SOAP, one can look at a particular HTTP header to find out which service or method is being called and whether the user has permission to access it (one such open source Apache module that does this is available here). This will allow you to selectively open SOAP services on a per-user (or per-group) basis where users are authenticated by specifying a password or XML Signature.
From an administration point of view, it is definitely far more convenient to watch just one port, even when you are not a lazy administrator and watch, log and manually scan each suspicious packet going inside your network. And that is why SOAP is plus-plus. I do not see how just using IIOP instead of HTTP increases the security.
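The per-method check the comment above describes, as an added example that is not code from the thread or from the Apache module it mentions: an HTTP-layer authorization filter for SOAP 1.1 that reads the SOAPAction header, maps it to an operation, and consults a per-user/per-group ACL. Because SOAPAction is supplied by the client, the filter also parses the envelope and refuses the request unless the header agrees with the first child of soap:Body; a gateway that trusts the header alone can be told "ListEmployees" while the body actually invokes "GetSalary". The service namespace urn:payroll, the operation names, the ACL, the user/group table, and the convention that SOAPAction equals namespace + "#" + operation are all assumptions made for this example; the sample envelopes are constructed inline.

```python
"""Added example: HTTP-layer authorization for SOAP 1.1 requests.

Not from the Slashdot thread. Names, namespaces, ACL and users are
hypothetical. For untrusted XML in production use defusedxml rather
than the stdlib parser to resist entity-expansion attacks.
"""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Hypothetical ACL: operation -> principals allowed to call it.
# Operation keys follow this example's convention "namespace#localname",
# which is also what the service expects in the SOAPAction header.
ACL = {
    "urn:payroll#GetSalary": {"group:hr", "user:alice"},
    "urn:payroll#ListEmployees": {"group:hr", "group:staff"},
}

# Hypothetical user -> groups table (assume the user was already
# authenticated by password or XML Signature before this check runs).
USER_GROUPS = {
    "alice": {"staff"},
    "bob": {"staff"},
    "carol": {"hr", "staff"},
}


def operation_from_body(body: bytes):
    """Return 'namespace#localname' of the first child of soap:Body, or None.

    None is returned for non-XML input, a non-SOAP root element, or an
    empty Body, so that callers fail closed.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "{%s}Envelope" % SOAP_ENV:
        return None
    soap_body = root.find("{%s}Body" % SOAP_ENV)
    if soap_body is None or len(soap_body) == 0:
        return None
    tag = soap_body[0].tag          # ElementTree form: '{ns}local'
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return "%s#%s" % (ns, local)
    return "#" + tag                # unqualified element: no namespace


def authorize(user: str, headers: dict, body: bytes):
    """Decide whether `user` may perform the request. Returns (allowed, reason)."""
    # HTTP header names are case-insensitive; SOAPAction values are often quoted.
    lowered = {k.lower(): v for k, v in headers.items()}
    action = lowered.get("soapaction", "").strip().strip('"')
    if not action:
        return False, "missing SOAPAction header"

    operation = operation_from_body(body)
    if operation is None:
        return False, "malformed or non-SOAP body"

    # The header is client-controlled: it must match what the body really invokes.
    if operation != action:
        return False, "SOAPAction %r does not match body operation %r" % (action, operation)

    allowed = ACL.get(action)
    if allowed is None:
        return False, "unknown operation %r" % action

    principals = {"user:" + user} | {"group:" + g for g in USER_GROUPS.get(user, ())}
    if principals & allowed:
        return True, "ok"
    return False, "%s is not permitted to call %r" % (user, action)


def soap_request(ns: str, op: str, params_xml: str = "") -> bytes:
    """Build a minimal constructed SOAP 1.1 envelope for the example."""
    return (
        '<soap:Envelope xmlns:soap="%s"><soap:Body>'
        '<m:%s xmlns:m="%s">%s</m:%s>'
        '</soap:Body></soap:Envelope>' % (SOAP_ENV, op, ns, params_xml, op)
    ).encode()


if __name__ == "__main__":
    hdr = lambda op: {"SOAPAction": '"urn:payroll#%s"' % op}
    cases = [
        ("carol", hdr("GetSalary"), soap_request("urn:payroll", "GetSalary")),
        ("bob", hdr("GetSalary"), soap_request("urn:payroll", "GetSalary")),
        ("bob", hdr("ListEmployees"), soap_request("urn:payroll", "ListEmployees")),
        # Header claims an operation bob may call; body invokes one he may not.
        ("bob", hdr("ListEmployees"), soap_request("urn:payroll", "GetSalary")),
        ("carol", {}, soap_request("urn:payroll", "GetSalary")),
    ]
    for user, headers, body in cases:
        print(user, authorize(user, headers, body))
```

The decision is made entirely from data available at the HTTP gateway (the authenticated principal, one header, and the envelope's first Body child), which is the point the comment makes: a single open port does not mean an undifferentiated hole, because the proxy can still tell which operation is being requested. The body/header cross-check is the part most such filters forget.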