- From: Marc Hadley <marc.hadley@sun.com>
- Date: Thu, 26 Apr 2001 12:19:27 +0100
- To: frystyk@microsoft.com
- CC: xml-dist-app@w3.org, soapbuilders@yahoogroups.com
The proposed text doesn't address i22, i.e. what to do if you get a HTTP
request with a SOAPAction header but no SOAP envelope in the body. I'd
also like to propose a couple of minor edits, see below.

Henrik Frystyk Nielsen wrote:
>
> The presence of the SOAPAction HTTP request header field indicates that
> this is a SOAP HTTP request. The value of the SOAPAction header field is
> used to indicate the overall intent of the SOAP HTTP request with the
> purpose of providing the recipient with a hint about what the SOAP
> message contains:
>
This still sounds a little vague, how about the following instead:

"The presence of a SOAPAction header in a HTTP POST request indicates
that the entity-body of the request is a SOAP message. The value of the
SOAPAction header field is used to indicate the intent or logical target
of the request in a manner readily accessible to the HTTP server."

>    soapaction    = "SOAPAction" ":" [ <"> URI-reference <"> ]
>    URI-reference = <as defined in RFC 2396 [4]>
>
> An HTTP client MUST use this header field when issuing a SOAP HTTP
> Request. An HTTP server MUST NOT process an HTTP request as a SOAP HTTP
> request if it does not contain a SOAPAction header field.
>
> If a SOAP HTTP request is required but no SOAPAction header field is
> present then the server SHOULD use a 425 (SOAPAction Required) status
> code (*).
>
How about the following instead:

"If a HTTP endpoint that only supports SOAP HTTP requests receives a
request without a SOAPAction header then the server SHOULD return a HTTP
425 (SOAPAction Required) status code to the client."

To address i22 how about adding the following paragraph:

"If a HTTP request contains a SOAPAction header but the HTTP entity body
is empty or contains a malformed SOAP message then the server SHOULD
return a HTTP 400 (Bad Request) status code to the client."

Alternatively we might want to use a new more specific status code (426
- Bad SOAP Message) ?

> The value of the SOAPAction header field is a URI-reference as defined
> by RFC 2396. The URI can be either absolute or relative. If the
> SOAPAction URI is a relative URI, it is interpreted relative to the
> Request-URI. The relative URI "" (empty string) indicates that the
> SOAPAction URI is the same as the Request-URI. An empty value (without
> quotes) means that there is no indication of the intent of the message.
>
> SOAP places no restrictions on the specificity of the URI or that it is
> resolvable. However, it is STRONGLY RECOMMENDED that the URI be globally
> unique and stable over time.
>
> Often the value of the SOAPAction header field is related to the
> contents of the SOAP Body element but there is no mechanism for
> automatically computing the value based on the SOAP Body element.
>
> The presence and content of the SOAPAction header field MAY be used by
> servers such as firewalls to appropriately filter SOAP HTTP request
> messages. It SHOULD NOT be used as an insecure form for access
> authentication.
>
Should the last sentence read "It SHOULD NOT be used as an insecure form
of access authorisation." ? i.e. replace "for" with "of" and
"authentication" with "authorisation".

> * * * * *
>
> *) We have to check that 425 is free (it is intended as a new status
> code). The reason for using a new status code is that there is currently
> no mechanism for indicating that SOAP HTTP requests are expected and not
> just POST of any old data (including SOAP messages without SOAPAction
> header field). There are no existing status codes that cover this case
> and SOAP/1.1 is silent on the issue.
>
> Comments?
>
> Henrik
>
> [1] http://www.w3.org/2000/xp/Group/xmlp-issues#x95
> [2] http://www.w3.org/2000/xp/Group/xmlp-issues#x22

Comments ?

Marc.

--
Marc Hadley <marc.hadley@sun.com>
Tel: +44 1252 423740
Int: x23740
Received on Thursday, 26 April 2001 07:19:03 UTC
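
The request handling proposed in the message above, written out as an added example (not code from the thread or from any SOAP implementation). The function names, the sample envelope, the 400 response for an unquoted header value and the DTD rejection (a SOAP 1.1 rule the thread does not discuss) are assumptions; 425 is used only as the code proposed in the thread.

```python
from urllib.parse import urljoin
from xml.parsers import expat

SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
SOAPACTION_REQUIRED = 425  # status proposed in the thread, not a registered meaning
BAD_REQUEST = 400
# Constructed sample message, for illustration only.
SAMPLE_ENVELOPE = (b'<SOAP-ENV:Envelope xmlns:SOAP-ENV="' + SOAP_ENV_NS.encode() +
                   b'"><SOAP-ENV:Body/></SOAP-ENV:Envelope>')

class DtdPresent(Exception):
    """Raised from the expat callback when the body carries a DOCTYPE."""

def is_soap_envelope(body):
    """True if body is well-formed XML, has no DTD, and its root is a SOAP 1.1 Envelope."""
    roots = []

    def on_doctype(*_args):
        # Assumption: SOAP 1.1 forbids DTDs; refusing them also avoids entity expansion.
        raise DtdPresent()

    def on_start(name, _attrs):
        if not roots:
            roots.append(name)  # remember only the document element

    parser = expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(body, True)  # an empty body fails here with "no element found"
    except (expat.ExpatError, DtdPresent):
        return False
    return roots == [SOAP_ENV_NS + " Envelope"]

def check_request(request_uri, headers, body):
    """Return (status, action_uri); status None means hand the body to SOAP processing."""
    raw = next((v for k, v in headers.items() if k.lower() == "soapaction"), None)
    if raw is None:
        return SOAPACTION_REQUIRED, None  # SOAP-only endpoint, header missing
    raw = raw.strip()
    if raw == "":
        action = None  # empty value without quotes: no indication of intent
    elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
        action = urljoin(request_uri, raw[1:-1])  # "" resolves to the Request-URI
    else:
        return BAD_REQUEST, None  # assumption: unquoted value violates the grammar
    if not is_soap_envelope(body):
        return BAD_REQUEST, action  # the i22 case: header present, body empty or malformed
    return None, action
```

The resolved action URI is a routing and filtering hint only; as the quoted text says, it is not a basis for access decisions.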