SOAP Security Problems
LarryWest42 writes: "This article lists a number of sobering security problems with SOAP (not only the avoidable one of tunneling through HTTP). I found it thanks to Bruce Schneier's latest Crypto-Gram newsletter."
Everyone who even pretends to be able to knock up websites, hack PHP and CGI scripts etc. should be familiar with REST; it's one of the core concepts behind the web.
The REST Wiki is a good place to start.
Besides security, we quit using SOAP for our web services and use our own custom libs which we provide to clients because the performance is horrendous. When you're providing a web service API to thousands of clients, that becomes an issue quite quickly. Sure XML is platform neutral/agnostic, but is the parsing performance hit you take really worth it?
~mark
It seems the author is trying to proffer REST, a putatively alternative approach to the use of the existing web infrastructure as little more than a transport for messages to be interpreted by the endpoints, like SOAP does, and I think that is the motivation for the FUD article mentioned in this slashdot story. To me that article does not seem to say much besides that the existing web architecture cannot be used to satisfy the additional security demands created by application level web services interaction protocols like SOAP. I do not see that as a "SOAP security problem".
Except that SOAPAction hasn't actually been deprecated. At least according to the spec. Which I'm sure you read from start to finish.
-- Brian
The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.