Re: [soapbuilders] Re: XML Protocol: Proposals to address SOAPAction header

On Sat, 9 Jun 2001 19:48:54 -0500, in soap you wrote:

>hi guys,
>
>my issue is still exactly the same as it was 3 months ago.
>
>based on the current definition, the owner of a SOAP server
>cannot count on the SOAPAction having any particular meaning
>unless the owner was also the one that generated the WSDL.

its an identifier, its as useful or not as any other identifier, why
is SOAPAction useless, whilst having the method element namespace
qualified is not ?, both are URI's, both serve as identifiers of a
particular set of methods.

>this is fine in a closed, small system, such as frontier
>publishing WSDL for its own service and specifying which
>SOAPAction it wants, but seems to lose its value when WSDL
>is published by vendor X and then an implementation of the
>service is hosted on vendor Y's SOAP server.
>
>from my own perspective, if GLUE hosts a web service
>that implements a WSDL published by IBM and IBM decides to
>make the SOAPAction "FOOBAR", what can GLUE do this with
>value? can it filter based on it? i guess i could, if i
>manually program the HTTP server with all the various
>SOAPActions from different WSDLs that i want to filter.

as a SOAP processor, you follow the spec and ensure that the intent as
identified in the SOAPAction header matches the intent identified in
the actual payload. If you have a list of deployed services (perhaps a
directory full of WSDL files), then you know what SOAPActions are
valid and which aren't.
As i've said before, SOAPAction is much more useful for those devices
/ services that are not purely SOAP orientated.

>is that the intent - that the SOAPAction fields are
>manually entered into some kind of firewall software?

well, dispite what the IDS vendors might tell you, you normally have
to configure firewalls :)

Cheers
Simon

Received on Saturday, 9 June 2001 21:25:25 UTC