Re: [xml-dev] What Does SOAP/WS Do that A REST System Can't?
by Rich Salz
Apr 13 2005 8:00PM

> The claims you are making are rather strange.

Sorry.  What seems strange?  It might be more effective for me to
explain myself better, than to try to go into further explanation.

>  Thanks for the analysis of both these methods, but you missed the point.
>  I brought them up to demonstrate that HTTP auth is extensible.

Yes, you're right, I missed the point.  (Wasn't the first time,
won't be the last. :)

As I understand it, HTTP auth is somewhat extensible.  A client
can make a request, and the server can respond with a challenge.
The client uses that challenge to authenticate itself, re-issue
the request, and verify the server's identity.

How can the client get the server's identity before sending any
"real" data?  A well-known URI or a new method? How can the server
challenge the client to prove its identity without requiring state
on the server?

I believe the very statelessness of HTTP and REST makes it
impossible.  (Yeah, I know, it's not really without state, it's just
that all the state is in the representations sent back and forth.
Not good enough -- you need *shared state* that doesn't get
communicated.  Go see the SSL/TLS or WS-SecureConversation specs.)

Also, by the rules, all data the client sends should be POST not
GET since they're not idempotent.  The minute all your data transfers
are POST, most of the HTTP/REST benefits vanish.

>  If the current
>  schemes don't meet your requirements why aren't you working within
>  the HTTP framework to define an authentication mechanism that *does*
>  meet your needs.

Not to be flip, but why should I?  I'd say the onus is on the
HTTP/REST community to prove me wrong.  They may not care to do so,
or be competent to do so, and that's fine -- they're certainly
under no obligation to oblige me.  But on the other hand, they
can't bitch until they knock down my arguments. :)

The challenge is pretty simple to explain, actually.  Design a
REST implementation of SSL.

        /r$

-- 
Rich Salz                  Chief Security Architect
DataPower Technology       http://www.datapower.com
XS40 XML Security Gateway  http://www.datapower.com/products/xs40.html
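The challenge/response flow the post describes, worked through as an added example (not code from the original message): a minimal RFC 2617 Digest Authentication exchange with constructed credentials, showing the nonce table the server has to keep in order to tell a fresh response from a replayed one, which is the server-side state the argument is about.

```python
import hashlib
import hmac
import secrets

# Constructed sample realm and credentials, illustrative only.
REALM = "example-realm"
USERS = {"alice": "correct horse battery staple"}


def _md5(s: str) -> str:
    # RFC 2617 Digest is defined over MD5; shown here as the legacy protocol specifies.
    return hashlib.md5(s.encode()).hexdigest()


class DigestServer:
    """Digest challenge/response with the server-side nonce table that makes it stateful."""

    def __init__(self) -> None:
        self.issued_nonces: set[str] = set()

    def challenge(self) -> dict:
        """Step 1: answer an unauthenticated request with 401 plus a fresh nonce.
        The nonce must be remembered; without it the server cannot detect replay."""
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return {"status": 401, "WWW-Authenticate": f'Digest realm="{REALM}", nonce="{nonce}"'}

    def verify(self, method: str, uri: str, auth: dict) -> int:
        """Step 3: check the re-issued request; returns an HTTP status code."""
        nonce = auth["nonce"]
        if nonce not in self.issued_nonces:
            return 401                      # unknown, or already consumed (replay)
        self.issued_nonces.discard(nonce)   # one-time use: consume the nonce
        password = USERS.get(auth["username"])
        if password is None:
            return 401
        ha1 = _md5(f'{auth["username"]}:{REALM}:{password}')
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{ha1}:{nonce}:{ha2}")
        return 200 if hmac.compare_digest(expected, auth["response"]) else 401


def client_response(username: str, password: str, challenge: dict, method: str, uri: str) -> dict:
    """Step 2: the client derives its proof from the server's challenge."""
    nonce = challenge["WWW-Authenticate"].split('nonce="')[1].rstrip('"')
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return {"username": username, "nonce": nonce, "response": _md5(f"{ha1}:{nonce}:{ha2}")}


def run_exchange(replay: bool = False):
    """Full round trip; with replay=True the same proof is presented twice."""
    server = DigestServer()
    auth = client_response("alice", USERS["alice"], server.challenge(), "POST", "/orders")
    first = server.verify("POST", "/orders", auth)
    second = server.verify("POST", "/orders", auth) if replay else None
    return first, second
```

The first presentation succeeds and the replayed one is refused only because the server kept the nonce; a server that discarded it between requests could not make that distinction.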


-----------------------------------------------------------------
The xml-dev list is sponsored by XML.org <http://www.xml.org> , an
initiative of OASIS <http://www.oasis-open.org> 

The list archives are at http://lists.xml.org/archives/xml-dev/