Re: [i95, i22] - Proposal for clarifying use of SOAPAction

The proposed text doesn't address i22, i.e. what to do if you get a HTTP
request with a SOAPAction header but no SOAP envelope in the body. I'd
also like to propose a couple of minor edits, see below.

Henrik Frystyk Nielsen wrote:
> 
> The presence of the SOAPAction HTTP request header field indicates that
> this is a SOAP HTTP request. The value of the SOAPAction header field is
> used to indicate the overall intent of the SOAP HTTP request with the
> purpose of providing the recipient with a hint about what the SOAP
> message contains:
> 
This still sounds a little vague; how about the following instead:

"The presence of a SOAPAction header in a HTTP POST request indicates
that the entity-body of the request is a SOAP message. The value of the
SOAPAction header field is used to indicate the intent or logical target
of the request in a manner readily accessible to the HTTP server."


>         soapaction    = "SOAPAction" ":" [ <"> URI-reference <"> ]
>         URI-reference = <as defined in RFC 2396 [4]>
> 
> An HTTP client MUST use this header field when issuing a SOAP HTTP
> Request. An HTTP server MUST NOT process an HTTP request as a SOAP HTTP
> request if it does not contain a SOAPAction header field.
> 
> If a SOAP HTTP request is required but no SOAPAction header field is
> present then the server SHOULD use a 425 (SOAPAction Required) status
> code (*).
> 
How about the following instead:

"If a HTTP endpoint that only supports SOAP HTTP requests receives a
request without a SOAPAction header then the server SHOULD return a HTTP
425 (SOAPAction Required) status code to the client."

To address i22 how about adding the following paragraph:

"If a HTTP request contains a SOAPAction header but the HTTP entity body
is empty or contains a malformed SOAP message then the server SHOULD
return a HTTP 400 (Bad Request) status code to the client."

Alternatively we might want to use a new, more specific status code (426
- Bad SOAP Message)?

> The value of the SOAPAction header field is a URI-reference as defined
> by RFC 2396. The URI can be either absolute or relative. If the
> SOAPAction URI is a relative URI, it is interpreted relative to the
> Request-URI. The relative URI "" (empty string) indicates that the
> SOAPAction URI is the same as the Request-URI. An empty value (without
> quotes) means that there is no indication of the intent of the message.
> 
> SOAP places no restrictions on the specificity of the URI or that it is
> resolvable. However, it is STRONGLY RECOMMENDED that the URI be globally
> unique and stable over time.
> 
> Often the value of the SOAPAction header field is related to the
> contents of the SOAP Body element but there is no mechanism for
> automatically computing the value based on the SOAP Body element.
> 
> The presence and content of the SOAPAction header field MAY be used by
> servers such as firewalls to appropriately filter SOAP HTTP request
> messages. It SHOULD NOT be used as an insecure form for access
> authentication.
> 
Should the last sentence read "It SHOULD NOT be used as an insecure form
of access authorisation."?
i.e. replace "for" with "of" and "authentication" with "authorisation".

> * * * * *
> 
> *) We have to check that 425 is free (it is intended as a new status
> code). The reason for using a new status code is that there is currently
> no mechanism for indicating that SOAP HTTP requests are expected and not
> just POST of any old data (including SOAP messages without SOAPAction
> header field). There are no existing status codes that cover this case
> and SOAP/1.1 is silent on the issue.
> 
> Comments?
> 
> Henrik
> 
> [1] http://www.w3.org/2000/xp/Group/xmlp-issues#x95
> [2] http://www.w3.org/2000/xp/Group/xmlp-issues#x22

Comments?

Marc.

--
Marc Hadley <marc.hadley@sun.com>
Tel: +44 1252 423740
Int: x23740

Received on Thursday, 26 April 2001 07:19:03 UTC
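As an added example that is not part of this thread, the XMLP working group's work or the SOAP specification: a small Python request gate that implements the rules discussed above. A SOAP-only endpoint answers 425 when no SOAPAction header is present (425 is the code proposed in the thread, not a registered HTTP status), a request whose SOAPAction header is present but whose entity body is empty or not a SOAP envelope gets 400 (the i22 case), a quoted relative URI-reference is resolved against the Request-URI with "" meaning the Request-URI itself, and an empty unquoted value means no intent is indicated. The SOAPAction value is treated strictly as a routing and filtering hint, never as an authorization decision, in line with the "SHOULD NOT be used as an insecure form of access authentication" sentence. The function names, the envelope-namespace check and the sample requests are this example's own assumptions.

```python
"""Added example (not the WG's or the SOAP spec's own code): an HTTP-side
SOAPAction gate implementing the rules proposed in the thread.
Function names, the SOAP/1.1 envelope namespace check and the sample
requests are assumptions of this example."""
from urllib.parse import urljoin
import xml.etree.ElementTree as ET

SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP/1.1 envelope namespace

# 425 is the status code proposed in the thread; it is not a registered HTTP status.
SOAPACTION_REQUIRED = 425


def parse_soapaction(raw):
    """Parse a SOAPAction header value per the quoted grammar:
        soapaction = "SOAPAction" ":" [ <"> URI-reference <"> ]
    Returns (present, uri_reference). uri_reference is None when the header
    is absent or its value is empty without quotes ("no indication of intent").
    Raises ValueError for an unquoted, non-empty value, which the grammar
    does not allow."""
    if raw is None:
        return False, None
    value = raw.strip()
    if value == "":
        return True, None                      # empty value: no intent indicated
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return True, value[1:-1]               # quoted URI-reference, possibly ""
    raise ValueError("SOAPAction value must be a quoted URI-reference or empty")


def resolve_action(uri_reference, request_uri):
    """Resolve a relative SOAPAction URI against the Request-URI.
    The relative URI "" resolves to the Request-URI itself."""
    if uri_reference is None:
        return None
    return urljoin(request_uri, uri_reference)


def is_soap_envelope(body):
    """True if body is a well-formed XML document whose root is a SOAP Envelope.
    In production, parse untrusted XML with a hardened parser (e.g. defusedxml)
    rather than the stock ElementTree used here for brevity."""
    if not body or not body.strip():
        return False
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    return root.tag == "{%s}Envelope" % SOAP_ENV_NS


def handle_request(headers, body, request_uri, soap_only=True):
    """Apply the thread's rules to one POST; returns (status, resolved_action).

    The SOAPAction value is a client-supplied hint used only for routing or
    filtering. It is never used here to decide what the caller may do; that
    is an authorization decision made on the authenticated request and on the
    actual contents of the SOAP Body."""
    hdr = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    try:
        present, ref = parse_soapaction(hdr.get("soapaction"))
    except ValueError:
        return 400, None                       # malformed header value
    if not present:
        # Not a SOAP HTTP request. A SOAP-only endpoint answers 425 (proposed);
        # a mixed endpoint would hand the request to its non-SOAP handler.
        return (SOAPACTION_REQUIRED, None) if soap_only else (200, None)
    if not is_soap_envelope(body):
        return 400, None                       # i22: header present, body empty or not SOAP
    return 200, resolve_action(ref, request_uri)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    uri = "http://host.example/svc"
    envelope = '<soap:Envelope xmlns:soap="%s"><soap:Body/></soap:Envelope>' % SOAP_ENV_NS
    print(handle_request({}, envelope, uri))                                  # (425, None)
    print(handle_request({"SOAPAction": '"urn:example:GetQuote"'}, envelope, uri))
    print(handle_request({"SOAPAction": '""'}, envelope, uri))                # same as Request-URI
    print(handle_request({"SOAPAction": '"urn:example:GetQuote"'}, "", uri))  # (400, None)
```

Running the script prints one tuple per constructed request; the point to take from it is that the header alone never gets a request past the gate: the body must still be a well-formed SOAP envelope, and what the service then does with the message is decided by the Body and the caller's credentials, not by the hint.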