axis-c-dev mailing list archives

From "Senaka Fernando" <>
Subject Exposing Transport Headers to a Service
Date Tue, 12 Feb 2008 10:37:04 GMT
Hi all,

Based on Dave's request, I have added the ability for a service to observe
incoming Transport Headers. I think this is a valid requirement of a
Service Author.

Also, this creates some concern about the security of a client request.
However, I believe that we can answer these issues in this manner.

1. A client must trust a service he/she would like to access.
2. Intermediate Transport nodes must be aware that sensitive information
should only reach desired destinations, and if it goes elsewhere that is a
problem of the underlying Transport (the interface between client/server).
3. According to our architecture we do not bother about Transport Level
Security within the client/server interface, with regard to headers.
4. Even if we uphold this fix, the user can still tweak it.
5. This imposes no threat to Service security which is the engine's
primary concern.
6. Also, we do provide functionality on the client side to pre-determine
whether valid requests are made before forwarding sensitive information
such as usernames and passwords.

However, I would like to know your thoughts on this fix, [1].


