- From: Mark Baker <distobj@acm.org>
- Date: Thu, 12 Jan 2006 17:28:24 -0500
- To: David Hull <dmh@tibco.com>
- Cc: xml-dist-app@w3.org

On 1/11/06, David Hull <dmh@tibco.com> wrote:
> > still impact HTTP intermediaries, in particular in this case,
> > firewalls, which require knowing what's a request and what's a
> > response to do their job properly. Consider that if SOAP requests
> > could arrive as HTTP responses (PAOS anyone?), that this would be a
> > serious security problem.
>
> At the risk of sounding repetitious, what do you see as the security (or
> other) problem?

Well, the job of the firewall is to restrict access to services situated behind it, which it does by, amongst other things, limiting the kinds of requests that can be made of these services. In order to be able to do that, it has to be able to identify all messages which are requests.

Now, if a request is tunneled through a response, then it will not see it, thereby enabling that request to bypass the access restrictions that the firewall is applying (or trying to).

Mark.

Received on Thursday, 12 January 2006 22:28:38 UTC