- From: christopher ferris <chris.ferris@east.sun.com>
- Date: Mon, 11 Jun 2001 08:12:42 -0400
- To: Larry Masinter <LMM@acm.org>
- CC: Henrik Frystyk Nielsen <henrikn@microsoft.com>, Simon Fell <soap@zaks.demon.co.uk>, xml-dist-app@w3.org, xmlp-comments@w3.org
- Message-ID: <3B24B5BA.B2537F3C@east.sun.com>
I echo Larry's concerns regarding this revised proposal. It does little to improve the situation and still does not address how SOAPAction is communicated across different transport protocols. If a SOAP message starts out being communicated over the Frobnaz transport protocol, which does NOT have a SOAPAction header (or even a place to put one) and the message is being sent via a Frobnaz->HTTP gateway, where does the gateway get the appropriate SOAPAction to put in the HTTP headers when it forwards the message to the ultimate destination? Cheers, Chris Larry Masinter wrote: > > > - I would be interested in hearing what you think about that > > > > http://lists.w3.org/Archives/Public/xml-dist-app/2001May/0053.html > > > > I don't see how this has fixed the problem, though: > > # The presence and content of the SOAPAction header field MAY be used by > # servers such as firewalls to appropriately filter SOAP HTTP request > # messages and it may be used by servers to facilitate dispatching of SOAP > # messages to internal message handlers etc. It SHOULD NOT be used as an > # insecure form of access authorization. > > * Exactly how is it that a firewall might use a SOAPAction header > to "appropriately" filter SOAP HTTP request messages? > As far as I can tell, there's not enough information to decide > which requests with which SOAP action headers the firewall should > accept, and which it should reject, or even what a firewall that > rejects such a message should signal its rejection. Treat it as > an attack? The main purpose of firewall filtering is to prevent > unwanted or malicious traffic, but there's no reason to believe that > malicious SOAP messages would contain a correct SOAPAction header. > So I don't think the first application "appropriate filter SOAP > HTTP request methods" has been reasonably justified, at least in > this fragment of text. > > * The second application for SOAPAction headers given is that > it "may be used by servers to facilitate dispatching", but > the only way that a server might use a SOAPAction header would > be if there were some specification of which kind of SOAPAction > headers should be dispatched and which should not, and where > they should be dispatched. Is the SOAPAction header like another > kind of RequestURI? > > So I think this attempted clarification does nothing > to respond to the criticism that the value of the SOAPAction > header is not specified well enough for it to be used for > its stated purposes. > > Larry > -- > http://larry.masinter.net
Received on Monday, 11 June 2001 08:14:51 UTC