Slashdot Mirror


Exploring Apache's SOAP Serialization APIs

Irish writes "This IBM developerWorks article discusses the theoretical underpinnings of SOAP's type system. It's a good article for anyone who wants to learn more about SOAP's programmatic support or to simply better understand Apache's SOAP."

3 of 147 comments

  1. Bruce Schneier has said: by Gis_Sat_Hack · · Score: 5, Interesting

    Implementation of Microsoft SOAP, a protocol running over HTTP precisely so it could bypass firewalls, should be withdrawn. According to the Microsoft documentation: "Since SOAP relies on HTTP as the transport mechanism, and most firewalls allow HTTP to pass through, you'll have no problem invoking SOAP endpoints from either side of a firewall." It is exactly this feature-above-security mindset that needs to go. It may be that SOAP offers sufficient security mechanisms, proper separation of code and data. However, Microsoft promotes it for its security avoidance.

    source:
    http://www.counterpane.com/crypto-gram-0202.html

  2. Redundant Post xml-rpc is by far better by codepunk · · Score: 4, Interesting

    SOAP is nothing more than a poorly designed and implemented version of xml-rpc. Try getting two SOAP services talking together one time. Interop does not exist in the SOAP world. Take a look at xml-rpc for some libs that work (without the hype).

    Let's see 2 page spec vs 200, come on people wake up!

    --
    Got Code?

  3. Re:Bruce Schneier has said: by steve_l · · Score: 2, Interesting

    Maybe he is being prescient.

    A fair bit of stuff in SOAP land (ws-routing, now the MS GXA stuff) is about SOAP messages sent using some store and forward mechanism, routing it to the final destination without the sender knowing the actual endpoint.

    One stated objective for this is to allow asynchronous replies/callbacks/events, which means that you will have to allow these messages back through the firewall.

    If this is done using SMTP or an IM protocol, we are in trouble as there is not enough validation by the firewall (esp. with IM), but for any of this stuff, it all boils down to 'do you trust MS and Sun (and Apache) to write code that is secure out of the box', and 'do you trust the people who write SOAP based apps to not make things worse'. I have more faith in Apache than the other two infrastructure providers, even though Apache Axis has its own security issues (filed one on bugzilla last week). As a web service developer, I don't even trust my own code to be secure.