Re: Action Item - Part I: WSRX and MEP signaling on the wire (clarification)

On Jan 12, 2006, at 5:28 PM, ext Mark Baker wrote:

>
> On 1/11/06, David Hull <dmh@tibco.com> wrote:
>>> still impact HTTP intermediaries, in particular in this case,
>>> firewalls, which require knowing what's a request and what's a
>>> response to do their job properly. Consider that if SOAP requests
>>> could arrive as HTTP responses (PAOS anyone?), that this would be a
>>> serious security problem.
>>
>> At the risk of sounding repetitious, what do you see as the
>> security (or other) problem?
>
> Well, the job of the firewall is to restrict access to services
> situated behind it, which it does by, amongst other things, limiting
> the kinds of requests that can be made of these services.  In order to
> be able to do that, it has to be able to identify all messages which
> are requests.  Now, if a request is tunneled through a response, then
> it will not see it, thereby enabling that request to bypass the access
> restrictions that the firewall is applying (or trying to).

Firewalls certainly come in different varieties, and some will be
smarter than others. But as something to which a SOAP message has
been dispatched (whether it's a SOAP request or a SOAP response) why
is it any more of a security risk to be dispatched a (SOAP) request
message that was in response to an (HTTP) message I sent than it is
to get a SOAP response to a SOAP request I sent? From a coarse-grained
firewall (one that doesn't inspect the contents of the HTTP
response I guess) perspective, the HTTP response is still related to
the request that was sent, and the HTTP response is sent back to the
agent that initiated the HTTP request -- in both cases.

Speaking only to the PAOS question, I would note that the user agent
receiving the HTTP response here will have explicitly advertised the
service it offers specifically to the HTTP server with which it is
interacting (via the PAOS HTTP header, during the HTTP request),
making this more secure in some respects than the reception of an
unsolicited SOAP request, which was not initiated by some action at
the associated user agent (such as the user explicitly requesting
some URL).

Cheers,

- JohnK
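The two filter models discussed in this thread, a coarse-grained one that only tracks request/response direction and a content-aware one that looks inside the HTTP response and checks whether the user agent advertised PAOS on the request that elicited it, as an added Python sketch that is not part of this thread or of any W3C specification. The sample HTTP messages are constructed, and the PAOS header value and the application/vnd.paos+xml media type are assumed from the Liberty PAOS binding.

```python
import re

# Media type a PAOS-capable user agent lists in Accept (assumed from the Liberty PAOS binding).
PAOS_MIME = "application/vnd.paos+xml"
SOAP_ENVELOPE = re.compile(r"<(?:\w+:)?Envelope\b")
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

def parse_http(raw: str):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body

def coarse_verdict(request_raw: str, response_raw: str) -> str:
    """Direction-only filter: anything that is an HTTP response to a request this side
    sent is let through, regardless of what the response body carries."""
    start, _, _ = parse_http(response_raw)
    return "allow" if start.startswith("HTTP/") else "block"

def content_verdict(request_raw: str, response_raw: str) -> str:
    """Content-aware filter: a SOAP envelope riding in a response is accepted only when
    the originating request advertised PAOS (Accept media type plus PAOS header)."""
    _, req_hdrs, _ = parse_http(request_raw)
    _, _, body = parse_http(response_raw)
    if not (SOAP_ENVELOPE.search(body) and SOAP_NS in body):
        return "allow"                      # ordinary response, nothing tunneled
    advertised = PAOS_MIME in req_hdrs.get("accept", "") and "paos" in req_hdrs
    return "allow-paos" if advertised else "block-unsolicited-soap"

# Constructed sample exchanges (not captured traffic).
REQ_PLAIN = "GET /page HTTP/1.1\r\nHost: example.invalid\r\nAccept: text/html\r\n\r\n"
REQ_PAOS = ("GET /page HTTP/1.1\r\nHost: example.invalid\r\n"
            "Accept: text/html, " + PAOS_MIME + "\r\n"
            "PAOS: ver=\"urn:liberty:paos:2003-08\"\r\n\r\n")
SOAP_RESP = ("HTTP/1.1 200 OK\r\nContent-Type: " + PAOS_MIME + "\r\n\r\n"
             "<soap:Envelope xmlns:soap=\"" + SOAP_NS + "\">"
             "<soap:Body><Echo/></soap:Body></soap:Envelope>")
HTML_RESP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for req, name in ((REQ_PLAIN, "plain"), (REQ_PAOS, "paos")):
        print(name, coarse_verdict(req, SOAP_RESP), content_verdict(req, SOAP_RESP))
```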

Received on Friday, 13 January 2006 01:04:04 UTC