
Re: SOAP/XML Protocol and filtering, etc.

2001-05-06 22:40:04

On Mon, May 07, 2001 at 12:01:07AM -0400, Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu wrote:

OK.. I've read section 6 of http://www.w3.org/TR/SOAP several times,
and I'm frankly disappointed.

Unless you find a way to codify that the site has to tell the
truth in the SOAPAction, it's a non-starter.  Consider that
the user behind a firewall could, in conjunction with a site
that supported it, just tack onto the end of the URL a

&callit=whateverSoap

and the web site could just label it with SOAPAction=whateverSoap,
and it will get through the firewall.

I don't read SOAPAction as trying to solve world hunger; it merely
provides information about the payload that may be useful in
identifying it. Of course someone can circumvent this, but that's a
problem that doesn't originate with SOAP, but the underlying transfer
protocol (HTTP in this case). 

I.e., if two parties can coordinate, and wish to get through a
firewall which allows HTTP to pass, they have a multitude of options.
SOAP is one of them, but they could build their own as well. All that
SOAPAction does is allow spec-abiding SOAP messages to be identified.

My original question was whether this behaviour was useful; although
firewalls can (and some undoubtably will) break open the XML to try
and figure out what's inside, SOAPAction gives those who merely wish
to have some reasonable control over what SOAP messages pass into and
out of their network.

I'll take it to the firewall lists pointed out, thanks.

-- 
Mark Nottingham, Research Scientist
Akamai Technologies (San Mateo, CA USA)
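
The two filtering approaches discussed in this message, as an added example that is not part of the original e-mail: one filter trusts the SOAPAction label alone, the other also opens the XML and checks that the Body carries what the label claims. The policy table, the `urn:example:*` names and the sample messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace

# Constructed policy: allowed SOAPAction -> (namespace, element) expected as the Body's only child.
POLICY = {"urn:example:quotes#GetQuote": ("urn:example:quotes", "GetQuote")}

def soap_action(headers):
    """Return the SOAPAction value, matching the header name case-insensitively."""
    for name, value in headers.items():
        if name.lower() == "soapaction":
            return value.strip().strip('"')
    return None

def header_only_filter(headers):
    """Trusts the sender's label: passes anything that names an allowed action."""
    return soap_action(headers) in POLICY

def header_and_body_filter(headers, body):
    """Passes only when the label is allowed AND the payload is what the label says."""
    expected = POLICY.get(soap_action(headers))
    if expected is None or b"<!DOCTYPE" in body:  # SOAP 1.1 forbids a DTD
        return False
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    body_el = root.find("{%s}Body" % SOAP_ENV)
    if root.tag != "{%s}Envelope" % SOAP_ENV or body_el is None or len(body_el) != 1:
        return False
    return body_el[0].tag == "{%s}%s" % expected

def envelope(ns, op):
    """Build a constructed SOAP 1.1 request whose Body holds one <op> element in ns."""
    return ('<e:Envelope xmlns:e="%s"><e:Body><m:%s xmlns:m="%s"/></e:Body></e:Envelope>'
            % (SOAP_ENV, op, ns)).encode()

HEADERS = {"SOAPAction": '"urn:example:quotes#GetQuote"'}  # constructed sample
HONEST = envelope("urn:example:quotes", "GetQuote")
MISLABELLED = envelope("urn:example:admin", "RunJob")      # same label, different payload

if __name__ == "__main__":
    for name, msg in (("honest", HONEST), ("mislabelled", MISLABELLED)):
        print(name, header_only_filter(HEADERS), header_and_body_filter(HEADERS, msg))
```

The body check only catches a label that disagrees with the payload; two endpoints that coordinate can still agree on a private meaning for an allowed element, which is the limit the message above describes.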