RE: XML Protocol: Proposals to address SOAPAction header

From: Williams, Stuart <skw@hplb.hpl.hp.com>
Date: Mon, 11 Jun 2001 15:15:15 +0100
Message-ID: <5E13A1874524D411A876006008CD059F19247D@0-mail-1.hpl.hp.com>
To: "'christopher ferris'" <chris.ferris@east.sun.com>, Larry Masinter <LMM@acm.org>
Cc: Henrik Frystyk Nielsen <henrikn@microsoft.com>, Simon Fell <soap@zaks.demon.co.uk>, xml-dist-app@w3.org, xmlp-comments@w3.org

As a variation on a theme. In the case where a SOAP message passes through
multiple intermediaries, is the value carried in SOAPAction expected to be
the same for each leg of the path between original sender and ultimate
recipient or might it have to be different and if so, where does the value
come from?

Regards

Stuart

> -----Original Message-----
> From: christopher ferris [mailto:chris.ferris@east.sun.com]
> Sent: 11 June 2001 13:13
> To: Larry Masinter
> Cc: Henrik Frystyk Nielsen; Simon Fell; xml-dist-app@w3.org; xmlp-comments@w3.org
> Subject: Re: XML Protocol: Proposals to address SOAPAction header
> 
> 
> I echo Larry's concerns regarding this revised proposal.
> It does little to improve the situation and still does not
> address how SOAPAction is communicated across different 
> transport protocols. If a SOAP message starts out being
> communicated over the Frobnaz transport protocol, which does
> NOT have a SOAPAction header (or even a place to put one)
> and the message is being sent via a Frobnaz->HTTP gateway,
> where does the gateway get the appropriate SOAPAction
> to put in the HTTP headers when it forwards the message
> to the ultimate destination?
> 
> Cheers,
> 
> Chris
> 	
> 
> Larry Masinter wrote:
> > 
> > > - I would be interested in hearing what you think about that
> > >
> > >   http://lists.w3.org/Archives/Public/xml-dist-app/2001May/0053.html
> > >
> > 
> > I don't see how this has fixed the problem, though:
> > 
> > # The presence and content of the SOAPAction header field MAY be used by
> > # servers such as firewalls to appropriately filter SOAP HTTP request
> > # messages and it may be used by servers to facilitate dispatching of SOAP
> > # messages to internal message handlers etc. It SHOULD NOT be used as an
> > # insecure form of access authorization.
> > 
> > * Exactly how is it that a firewall might use a SOAPAction header
> >  to "appropriately" filter SOAP HTTP request messages?
> >  As far as I can tell, there's not enough information to decide
> >  which requests with which SOAP action headers the firewall should
> >  accept, and which it should reject, or even what a firewall that
> >  rejects such a message should signal its rejection. Treat it as
> >  an attack? The main purpose of firewall filtering is to prevent
> >  unwanted or malicious traffic, but there's no reason to believe that
> >  malicious SOAP messages would contain a correct SOAPAction header.
> >  So I don't think the first application "appropriate filter SOAP
> >  HTTP request methods" has been reasonably justified, at least in
> >  this fragment of text.
> > 
> > * The second application for SOAPAction headers given is that
> >   it "may be used by servers to facilitate dispatching", but
> >   the only way that a server might use a SOAPAction header would
> >   be if there were some specification of which kind of SOAPAction
> >   headers should be dispatched and which should not, and where
> >   they should be dispatched. Is the SOAPAction header like another
> >   kind of RequestURI?
> > 
> > So I think this attempted clarification does nothing
> > to respond to the criticism that the value of the SOAPAction
> > header is not specified well enough for it to be used for
> > its stated purposes.
> > 
> > Larry
> > --
> > http://larry.masinter.net
> 
Received on Monday, 11 June 2001 10:18:57 GMT
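
Added example, not part of the original thread or of any SOAP specification: a sketch of the filtering concern raised in the quoted messages, comparing a filter that decides from the SOAPAction header alone with one that also checks the header against the first child of the SOAP Body. The allow-list, the `urn:example:` names, and the rule tying a SOAPAction value to a Body element are assumptions made for illustration; SOAP 1.1 defines no such binding.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace

# Hypothetical site policy: allowed SOAPAction value -> (namespace, local name)
# of the first Body child it is expected to accompany.
ALLOWED = {
    "urn:example:quotes#GetQuote": ("urn:example:quotes", "GetQuote"),
}

def header_only_filter(soap_action):
    """Decision made from the HTTP header alone."""
    return soap_action.strip('"') in ALLOWED

def body_operation(envelope_xml):
    """Return (namespace, local name) of the first child of soap:Body, or None."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return None
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) == 0:
        return None
    tag = body[0].tag
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def consistent_filter(soap_action, envelope_xml):
    """Accept only if the header is allowed AND the body matches what it claims."""
    expected = ALLOWED.get(soap_action.strip('"'))
    return expected is not None and body_operation(envelope_xml) == expected

def envelope(ns, op):
    # Constructed sample message, not taken from the thread.
    return (f'<e:Envelope xmlns:e="{SOAP_ENV}"><e:Body>'
            f'<m:{op} xmlns:m="{ns}"/></e:Body></e:Envelope>')

HONEST = ('"urn:example:quotes#GetQuote"', envelope("urn:example:quotes", "GetQuote"))
MISMATCH = ('"urn:example:quotes#GetQuote"', envelope("urn:example:admin", "DeleteAccount"))

if __name__ == "__main__":
    for name, (action, xml) in (("honest", HONEST), ("mismatch", MISMATCH)):
        print(name, header_only_filter(action), consistent_filter(action, xml))
```

The header-only filter accepts both constructed requests; only the check against the Body separates them, and that check needs exactly the kind of header-to-payload specification the thread says is missing.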
