- From: Henrik Frystyk Nielsen <frystyk@microsoft.com>
- Date: Wed, 25 Apr 2001 12:09:50 -0700
- To: <xml-dist-app@w3.org>
- Cc: <soapbuilders@yahoogroups.com>
This relates to issue 95 [1] and 22 [2].

Given the recent discussion on soapbuilders and xml-dist-app regarding the use of SOAPAction header field I propose the following clarification to the text in the SOAP/1.1 spec. The current text in section 6.1.1 says:

    The SOAPAction HTTP request header field can be used to indicate the intent of the SOAP HTTP request. The value is a URI identifying the intent. SOAP places no restrictions on the format or specificity of the URI or that it is resolvable. An HTTP client MUST use this header field when issuing a SOAP HTTP Request.

        soapaction    = "SOAPAction" ":" [ <"> URI-reference <"> ]
        URI-reference = <as defined in RFC 2396 [4]>

    The presence and content of the SOAPAction header field can be used by servers such as firewalls to appropriately filter SOAP request messages in HTTP. The header field value of empty string ("") means that the intent of the SOAP message is provided by the HTTP Request-URI. No value means that there is no indication of the intent of the message.

The proposal goes as follows:

* * * * *

The presence of the SOAPAction HTTP request header field indicates that this is a SOAP HTTP request. The value of the SOAPAction header field is used to indicate the overall intent of the SOAP HTTP request with the purpose of providing the recipient with a hint about what the SOAP message contains:

    soapaction    = "SOAPAction" ":" [ <"> URI-reference <"> ]
    URI-reference = <as defined in RFC 2396 [4]>

An HTTP client MUST use this header field when issuing a SOAP HTTP Request. An HTTP server MUST NOT process an HTTP request as a SOAP HTTP request if it does not contain a SOAPAction header field. If a SOAP HTTP request is required but no SOAPAction header field is present then the server SHOULD use a 425 (SOAPAction Required) status code (*).

The value of the SOAPAction header field is a URI-reference as defined by RFC 2396. The URI can be either absolute or relative.

If the SOAPAction URI is a relative URI, it is interpreted relative to the Request-URI. The relative URI "" (empty string) indicates that the SOAPAction URI is the same as the Request-URI. An empty value (without quotes) means that there is no indication of the intent of the message.

SOAP places no restrictions on the specificity of the URI or that it is resolvable. However, it is STRONGLY RECOMMENDED that the URI be globally unique and stable over time. Often the value of the SOAPAction header field is related to the contents of the SOAP Body element but there is no mechanism for automatically computing the value based on the SOAP Body element.

The presence and content of the SOAPAction header field MAY be used by servers such as firewalls to appropriately filter SOAP HTTP request messages. It SHOULD NOT be used as an insecure form for access authentication.

* * * * *

*) We have to check that 425 is free (it is intended as a new status code). The reason for using a new status code is that there is currently no mechanism for indicating that SOAP HTTP requests are expected and not just POST of any old data (including SOAP messages without SOAPAction header field). There are no existing status codes that cover this case and SOAP/1.1 is silent on the issue.

Comments?

Henrik

[1] http://www.w3.org/2000/xp/Group/xmlp-issues#x95
[2] http://www.w3.org/2000/xp/Group/xmlp-issues#x22
Received on Wednesday, 25 April 2001 15:12:50 UTC
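
The header interpretation rules proposed in the message above, as an added Python example (not part of the original message and not code from any SOAP implementation). The function names, the 400 and 403 responses, the allow-list and the example.org URIs are assumptions; 425 is the status code the message proposes, and the Request-URI is assumed to be in absolute form already.

```python
from urllib.parse import urljoin

SOAPACTION_REQUIRED = 425  # proposed in the message; not a registered status code


def interpret_soapaction(headers, request_uri):
    """Classify a request by its SOAPAction header under the proposed rules.

    Returns (kind, intent_uri); kind is "not-soap", "no-intent", "malformed"
    or "intent". request_uri is assumed to be absolute.
    """
    value = None
    for name, raw in headers.items():
        if name.lower() == "soapaction":  # HTTP field names are case-insensitive
            value = raw.strip()
            break
    if value is None:
        return ("not-soap", None)      # MUST NOT be processed as a SOAP request
    if value == "":
        return ("no-intent", None)     # empty value without quotes
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        return ("malformed", None)     # grammar requires a quoted URI-reference
    # Relative references, including "", resolve against the Request-URI.
    return ("intent", urljoin(request_uri, value[1:-1]))


def filter_status(headers, request_uri, allowed_intents):
    """Hypothetical gateway decision: the HTTP status a filter would return.

    The header is a client-supplied hint, so this is traffic filtering only
    and does not replace access authentication.
    """
    kind, intent = interpret_soapaction(headers, request_uri)
    if kind == "not-soap":
        return SOAPACTION_REQUIRED
    if kind == "malformed":
        return 400                      # assumption: reject bad syntax
    if kind == "no-intent":
        return 403                      # assumption: filter needs a stated intent
    return 200 if intent in allowed_intents else 403


if __name__ == "__main__":
    base = "http://example.org/stock/quote"   # constructed sample Request-URI
    for hdrs in ({}, {"SOAPAction": ""}, {"SOAPAction": '""'},
                 {"SOAPAction": '"GetLastTradePrice"'}):
        print(hdrs, interpret_soapaction(hdrs, base))
```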