Re: Asynch request/response HTTP binding needed from Prasad Yendluri on 2004-02-04 (www-ws-desc@w3.org from February 2004)

From: Prasad Yendluri <pyendluri@webmethods.com>
Date: Wed, 04 Feb 2004 12:43:11 -0800
To: 'Web Services Description' <www-ws-desc@w3.org>
Message-ID: <4021595F.2030806@webmethods.com>

I am always get concerned about the designs that involve a requestor 
asking the response be sent somewhere else other than the place it 
originated from, as in

>1. node A makes an HTTP POST to node B with a SOAP Request and
>    information on where to POST the HTTP response to

This is prone to misdirecting traffic at a node other than the intended 
one either unintentionally (in error) or maliciously and could easily 
play into DoS (Denial of Service) type scenarios. 

Not sure if WS-Addressing accounts for this aspect..

Prasad

-------- Original Message --------
Subject: 	RE: Asynch request/response HTTP binding needed
Resent-Date: 	Sat, 31 Jan 2004 01:44:02 -0500 (EST)
Resent-From: 	www-ws-desc@w3.org
Date: 	Fri, 30 Jan 2004 22:43:56 -0800
From: 	David Orchard <dorchard@bea.com>
To: 	'Sanjiva Weerawarana' <sanjiva@watson.ibm.com>, 'Martin Gudgin' 
<mgudgin@microsoft.com>, 'Philippe Le Hegaret' <plh@w3.org>
CC: 	'Web Services Description' <www-ws-desc@w3.org>


yup.  I agree.  The issue about the callback address is related but can be
orthogonal to the binding.

Dave

> -----Original Message-----
> From: Sanjiva Weerawarana [mailto:sanjiva@watson.ibm.com]
> Sent: Friday, January 30, 2004 4:46 PM
> To: Martin Gudgin; Philippe Le Hegaret; David Orchard
> Cc: Web Services Description
> Subject: Re: Asynch request/response HTTP binding needed
>
>
> "Martin Gudgin" <mgudgin@microsoft.com> writes:
> > PAOS is slightly different. It has two MEPs, the one I think you are
> > thinking of works as follows:
> >
> > Given nodes A and B:
> >
> > 1. node A makes an HTTP GET to node B.
> > 2. Node B sends a SOAP Request as the HTTP response.
> > 3. Node A responds with a SOAP response in an HTTP POST to Node B.
> > 4. Node B responds with some HTTP response ( typically a web page )
> >
> > Gudge
>
> I understood what DaveO wanted as:
>
> 1. node A makes an HTTP POST to node B with a SOAP Request and
>    information on where to POST the HTTP response to
> 2. node B responds with something like 201 OK
> 3. later on, node B makes an HTTP POST to node A with a SOAP Response
> 4. node A responds with something like 201 OK
>
> DaveO??
>
> I like this a lot but unfortunately one needs WS-Addressing
> or something
> similar to send the "information on where to POST the HTTP
> response to".
>
> Sanjiva.
>

Received on Wednesday, 4 February 2004 15:43:32 UTC