xml-soap-dev mailing list archives

From "Steven J. McDowall" <sjmcdow...@uswest.net>
Subject RE: add doGet support
Date Fri, 11 Aug 2000 18:17:19 GMT

I still don't like this approach for a couple of reasons..

1) You are overloading the functions for RPCRouter by adding Admin logic
to it, which has nothing to do with RPCRouting at all.. This is bad software
engineering..

2) There IS a security issue.. Many web servers can assign ACLs based on
URI/URL but in your case it is on the METHOD (POST/GET) which is very rare
and not obvious..

3) the "admin" URL already does what you want mostly.. If you want XML
back from any requests, then I think it logical to put a Servlet for
that sort of Admin processing somewhere under the "admin" tree ..

I'm not saying that the idea isn't useful, but it does not belong
in RPCRouterServlet IMO.

-Steve



-----Original Message-----
From: dug@us.ibm.com [mailto:dug@us.ibm.com]
Sent: Friday, August 11, 2000 10:55 AM
To: soap-dev@xml.apache.org
Subject: Re: add doGet support

I wasn't necessarily thinking of having 'write' operations, just 'read' ones
(wanting to keep it a simple URL).
But if there's a security issue with this then wouldn't there be one with
the Admin stuff?
-Dug


"Wouter Cloetens" <wcloeten@raleigh.ibm.com> on 08/11/2000 12:24:54 AM

Please respond to soap-dev@xml.apache.org

To:   "soap-dev@xml.apache.org" <soap-dev@xml.apache.org>
cc:
Subject:  Re: add doGet support



On Fri, 11 Aug 2000 09:52:23 -0400, dug@raleigh.ibm.com wrote:

>I have a change to RPCRouterServlet.java that I'd like to
>get feedback on.  Rather than simply returning an error on a
>doGet request, I've added code so that doGet will support
>some of the simple ServiceManagerClient requests.

Uh, are you sure that's a good idea? I'm thinking security here. I
don't want everybody who can send SOAP requests to my server to
actually be able to *administer* my SOAP service manager... I'm not
sure all webservers out there have the ACL granularity allowing POST
requests to go unauthenticated, but forcing a login for GET to the same
URI.

bfn, Wouter
--
http://www.workspot.net/~zombie/soap/
My opinions are irrelevant. They will be assimilated by my employer.
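As an added illustration of the alternative Steve describes above (this is not code from the Apache SOAP project or from anyone in this thread): the router stays POST-only, and the read-only admin view lives under a separate /admin/ path, so the authentication boundary is a URL pattern rather than the HTTP method. The class names, the /admin/list path, the soapadmin role and the sample service id are assumptions made for the example; the SOAP dispatch itself is a placeholder.

```java
// Added illustration (not Apache SOAP code): keep admin operations out of the
// RPC router so that an ordinary URL-based ACL can protect them.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical RPC endpoint, mapped to /servlet/rpcrouter.
 * It answers POSTed SOAP envelopes only; GET is rejected, so the path carries
 * a single privilege level and an ACL written against it is unambiguous.
 */
public class RpcOnlyServlet extends HttpServlet {
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Placeholder for SOAP envelope dispatch; the real router is not shown.
        resp.setContentType("text/xml");
        PrintWriter out = resp.getWriter();
        out.println("<!-- SOAP response would go here -->");
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // No read-only admin views here: that would make the HTTP method,
        // not the URL, the security boundary.
        resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED,
                "This endpoint accepts SOAP POST requests only");
    }
}

/**
 * Hypothetical read-only admin view, mapped under /admin/ so that the whole
 * subtree can be put behind authentication with one ACL rule.
 */
class AdminListServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/xml");
        PrintWriter out = resp.getWriter();
        out.println("<services>");
        // Constructed sample entry; a real view would ask the service manager.
        out.println("  <service id=\"urn:example-calculator\"/>");
        out.println("</services>");
    }
}

/* Matching web.xml fragment (Servlet 2.2 syntax) showing the URL-based rule
   the thread asks for: one pattern covers every admin URL, and the RPC
   endpoint needs no rule at all. Servlet and role names are assumptions.

<servlet-mapping>
  <servlet-name>rpcrouter</servlet-name>
  <url-pattern>/servlet/rpcrouter</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>adminlist</servlet-name>
  <url-pattern>/admin/list</url-pattern>
</servlet-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>admin</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>soapadmin</role-name>
  </auth-constraint>
</security-constraint>
*/
```

With admin reads folded into doGet of the router instead, the same /servlet/rpcrouter URL would carry two privilege levels, and a front-end web server that only filters by URL would have to either leave the admin reads open or block the clients' POSTs along with them.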