- From: John Kemp <john.kemp@nokia.com>
- Date: Thu, 12 Jan 2006 20:03:28 -0500
- To: "ext Mark Baker" <distobj@acm.org>
- Cc: David Hull <dmh@tibco.com>, xml-dist-app@w3.org
On Jan 12, 2006, at 5:28 PM, ext Mark Baker wrote:

> On 1/11/06, David Hull <dmh@tibco.com> wrote:
>>> still impact HTTP intermediaries, in particular in this case,
>>> firewalls, which require knowing what's a request and what's a
>>> response to do their job properly. Consider that if SOAP requests
>>> could arrive as HTTP responses (PAOS anyone?), that this would be a
>>> serious security problem.
>>
>> At the risk of sounding repetitious, what do you see as the
>> security (or other) problem?
>
> Well, the job of the firewall is to restrict access to services
> situated behind it, which it does by, amongst other things, limiting
> the kinds of requests that can be made of these services. In order to
> be able to do that, it has to be able to identify all messages which
> are requests. Now, if a request is tunneled through a response, then
> it will not see it, thereby enabling that request to bypass the access
> restrictions that the firewall is applying (or trying to).

Firewalls certainly come in different varieties, and some will be smarter than others. But as something to which a SOAP message has been dispatched (whether it's a SOAP request or a SOAP response), why is it any more of a security risk to be dispatched a (SOAP) request message that was in response to an (HTTP) message I sent than it is to get a SOAP response to a SOAP request I sent? From a coarse-grained firewall (one that doesn't inspect the contents of the HTTP response, I guess) perspective, the HTTP response is still related to the request that was sent, and the HTTP response is sent back to the agent that initiated the HTTP request -- in both cases.

Speaking only to the PAOS question, I would note that the user agent receiving the HTTP response here will have explicitly advertised the service it offers specifically to the HTTP server with which it is interacting (via the PAOS HTTP header, during the HTTP request), making this more secure in some respects than the reception of an unsolicited SOAP request, which was not initiated by some action at the associated user agent (such as the user explicitly requesting some URL).

Cheers,

- JohnK
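The firewall question argued in this thread, as an added example that is not part of the original messages: a content-aware intermediary check that pairs each HTTP response with the request that solicited it and tells apart a SOAP response to a SOAP request, a PAOS-solicited SOAP request carried in a response, and a SOAP envelope in a response that nothing in the request asked for (the case a request-only firewall never sees). The `PAOS` header and `application/vnd.paos+xml` media type are from the Liberty PAOS binding; the header values, hostnames and sample traffic are constructed assumptions.

```python
import re

PAOS_MEDIA_TYPE = "application/vnd.paos+xml"
# Matches a SOAP Envelope start tag with or without a namespace prefix.
SOAP_ENVELOPE = re.compile(r"<(?:[\w.-]+:)?Envelope[\s>/]")


def parse_message(raw: str):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify_response(request_raw: str, response_raw: str) -> str:
    """Classify SOAP content in an HTTP response in light of its own request.

    "plain"                        - no SOAP envelope in the response body
    "soap-response"                - reply to a SOAP request the client POSTed
    "solicited-paos"               - SOAP request in a response the client
                                     asked for via the PAOS header (Kemp's case)
    "unsolicited-soap-in-response" - envelope nobody asked for (Baker's worry)
    """
    _, req_hdrs, req_body = parse_message(request_raw)
    _, resp_hdrs, resp_body = parse_message(response_raw)
    if not SOAP_ENVELOPE.search(resp_body):
        return "plain"
    if SOAP_ENVELOPE.search(req_body):
        return "soap-response"
    advertised = "paos" in req_hdrs and PAOS_MEDIA_TYPE in req_hdrs.get("accept", "")
    resp_type = resp_hdrs.get("content-type", "").split(";")[0].strip().lower()
    if advertised and resp_type == PAOS_MEDIA_TYPE:
        return "solicited-paos"
    return "unsolicited-soap-in-response"


# Constructed sample traffic (assumed hostnames; not captured from a real system).
PAOS_REQUEST = (
    "GET /resource HTTP/1.1\r\nHost: sp.example\r\n"
    "Accept: text/html; application/vnd.paos+xml\r\n"
    'PAOS: ver="urn:liberty:paos:2003-08"; "urn:liberty:sso:2003-08"\r\n\r\n'
)
PLAIN_REQUEST = "GET /resource HTTP/1.1\r\nHost: sp.example\r\nAccept: text/html\r\n\r\n"
SOAP_IN_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/vnd.paos+xml\r\n\r\n"
    '<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body/></S:Envelope>'
)
```

Run against the same response, `PAOS_REQUEST` yields `solicited-paos` while `PLAIN_REQUEST` yields `unsolicited-soap-in-response`, which is exactly the distinction a coarse-grained, request-only firewall cannot draw.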
Received on Friday, 13 January 2006 01:04:04 UTC