- From: <paul.downey@bt.com>
- Date: Thu, 5 Feb 2004 09:42:14 -0000
- To: <pyendluri@webmethods.com>, <www-ws-desc@w3.org>
Prasad

Whilst I agree that guarding against DoS is a design consideration, it's not a reason to ignore this useful pattern. It's common practice in async scenarios for the responder to have authenticated the requestor and to only send the response to one or more of a set of known endpoints. This is analogous to how mailing lists work.

Paul

-----Original Message-----
From: www-ws-desc-request@w3.org on behalf of Prasad Yendluri
Sent: Wed 04/02/2004 20:43
To: 'Web Services Description'
Cc:
Subject: Re: Asynch request/response HTTP binding needed

I always get concerned about the designs that involve a requestor asking the response be sent somewhere else other than the place it originated from, as in

>1. node A makes an HTTP POST to node B with a SOAP Request and
>   information on where to POST the HTTP response to

This is prone to misdirecting traffic at a node other than the intended one either unintentionally (in error) or maliciously and could easily play into DoS (Denial of Service) type scenarios. Not sure if WS-Addressing accounts for this aspect..

Prasad

-------- Original Message --------
Subject: RE: Asynch request/response HTTP binding needed
Resent-Date: Sat, 31 Jan 2004 01:44:02 -0500 (EST)
Resent-From: www-ws-desc@w3.org
Date: Fri, 30 Jan 2004 22:43:56 -0800
From: David Orchard <dorchard@bea.com>
To: 'Sanjiva Weerawarana' <sanjiva@watson.ibm.com>, 'Martin Gudgin' <mgudgin@microsoft.com>, 'Philippe Le Hegaret' <plh@w3.org>
CC: 'Web Services Description' <www-ws-desc@w3.org>

yup. I agree. The issue about the callback address is related but can be orthogonal to the binding.

Dave

> -----Original Message-----
> From: Sanjiva Weerawarana [mailto:sanjiva@watson.ibm.com]
> Sent: Friday, January 30, 2004 4:46 PM
> To: Martin Gudgin; Philippe Le Hegaret; David Orchard
> Cc: Web Services Description
> Subject: Re: Asynch request/response HTTP binding needed
>
>
> "Martin Gudgin" <mgudgin@microsoft.com> writes:
> > PAOS is slightly different. It has two MEPs, the one I think you are
> > thinking of works as follows:
> >
> > Given nodes A and B:
> >
> > 1. node A makes an HTTP GET to node B.
> > 2. Node B sends a SOAP Request as the HTTP response.
> > 3. Node A responds with a SOAP response in an HTTP POST to Node B.
> > 4. Node B responds with some HTTP response ( typically a web page )
> >
> > Gudge
>
> I understood what DaveO wanted as:
>
> 1. node A makes an HTTP POST to node B with a SOAP Request and
>    information on where to POST the HTTP response to
> 2. node B responds with something like 201 OK
> 3. later on, node B makes an HTTP POST to node A with a SOAP Response
> 4. node A responds with something like 201 OK
>
> DaveO??
>
> I like this a lot but unfortunately one needs WS-Addressing or something
> similar to send the "information on where to POST the HTTP response to".
>
> Sanjiva.
>
Received on Thursday, 5 February 2004 04:42:26 UTC
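
The responder-side check described in the thread (authenticate the requestor, then send the response only to one of a set of known endpoints), as an added example that is not part of the original messages. The registry, requestor ids and URLs are constructed, and authentication of the requestor is assumed to have happened before `resolve_reply_to` is called.

```python
from urllib.parse import urlsplit

# Constructed sample registry: authenticated requestor id -> callback endpoints
# registered out of band. All names and URLs here are hypothetical.
REGISTERED_CALLBACKS = {
    "node-a": {"https://a.example.com/soap/replies"},
    "node-c": {"https://c.example.net:8443/inbox"},
}
DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical_endpoint(url):
    """Return a canonical (scheme, host, port, path) tuple, or None if unusable."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # Userinfo ("https://a.example.com@other.host/") can disguise the real host.
    if parts.username is not None or parts.password is not None:
        return None
    if parts.query or parts.fragment:
        return None
    path = parts.path or "/"
    # Refuse dot segments rather than trying to resolve them.
    if any(seg in (".", "..") for seg in path.split("/")):
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower().rstrip("."), port, path)


def resolve_reply_to(requestor_id, requested_url):
    """Return the registered URL to POST the response to, or None to refuse."""
    wanted = canonical_endpoint(requested_url)
    if wanted is None:
        return None
    for registered in REGISTERED_CALLBACKS.get(requestor_id, ()):
        if canonical_endpoint(registered) == wanted:
            # Reply to the registered form, never the caller-supplied string.
            return registered
    return None
```
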