
Firewall Wizards mailing list archives
Re: SOAP/XML Protocol and filtering, etc.
From: Darren Reed <darrenr () reed wattle id au>
Date: Tue, 8 May 2001 08:43:57 +1000 (EST)
In some email I received from Mark Nottingham, sie wrote: [...]
> I tend to think of SOAPAction this way, recently; A malicious user cooperating with an external server can easily work to get arbitrary messages through a firewall or proxy that allows HTTP to pass through. This possibility is independent of SOAP; while they might use SOAP toolkits for convenience, they could just as easily modify them, or cook them up separately.
That's where a DTD would help.
> For example, a company may decide that it doesn't want purchase orders to be sent by SOAP, but doesn't mind other services, like stock quotes. If option #2 were implemented, it could block any messages with a SOAPAction containing the namespace URI of known purchase order messages.
This presumes that all web sites will use the _same_ SOAPAction for purchase orders. Why can't I use the name MorkAndMindy as the bit which identifies the SOAPAction even though it is a purchase order? How much work is required in discovering what known purchase orders look like?
> The questions that this brings up, then, are:
> - does this offer significant value over traditional URI filtering?
If you can actually give it some meaning (as in have a DTD), then yes. Otherwise you are just filtering "free form" structured text.
> Re: DTD - I think you mean valid, not well-formed. I'm not sure what value this would add, except to get errors back more quickly ;) AFAIK, I don't think there can be a DTD for SOAP documents, because they're not strictly valid; they contain tags from a number of namespaces, and are dynamically constructed from modules (what we're calling 'blocks' now).
Right. My comment about DTDs was more wishful thinking than anything else. Even then that only helps ensure correctness and not content unless the language spec. says certain things...hmm...I'm not yet familiar enough with what can be done with "xmlns" things - can that be used to enforce structure?

The goal here is admirable but I think it's effort mis-spent if the only raison-d'etre for this is for assistance to firewalls. Look at what a hit PICS has been for rating web sites so they can be correctly filtered. After all, the people who are providing content want to maximise their target audience, not provide helpful hints to foreign firewalls to filter it out.

Cheers,
Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
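
An added example, not part of the original message or the thread: a Python sketch of the filtering option under discussion, putting a SOAPAction-only check beside one that also reads the namespace of the Body's child elements. The blocked namespace `urn:example:purchase-order`, the function names and the sample envelope are constructed for illustration; SOAP 1.1 envelopes are assumed.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
# Hypothetical policy: namespace URIs of message types the site does not allow.
BLOCKED_NAMESPACES = {"urn:example:purchase-order"}


def body_namespaces(envelope_xml):
    """Return the namespace URI of each direct child of the SOAP Body."""
    # ElementTree keeps the example self-contained; a real proxy should
    # parse untrusted XML with a hardened parser and size limits.
    root = ET.fromstring(envelope_xml)
    body = root.find("{%s}Body" % SOAP_ENV)
    if body is None:
        return []
    return [child.tag[1:].split("}", 1)[0] if child.tag.startswith("{") else ""
            for child in body]


def header_only_verdict(soap_action):
    """Decide from the SOAPAction header alone."""
    action = soap_action.strip('"')
    return "block" if any(ns in action for ns in BLOCKED_NAMESPACES) else "allow"


def header_and_body_verdict(soap_action, envelope_xml):
    """Also inspect the Body, so the header label alone does not decide."""
    try:
        namespaces = body_namespaces(envelope_xml)
    except ET.ParseError:
        return "block"  # not well-formed: nothing to base a decision on
    if header_only_verdict(soap_action) == "block":
        return "block"
    if any(ns in BLOCKED_NAMESPACES for ns in namespaces):
        return "block"
    return "allow"


# Constructed sample: a purchase-order body sent under an unrelated SOAPAction.
SAMPLE_ACTION = '"MorkAndMindy"'
SAMPLE_ENVELOPE = (
    '<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">'
    '<e:Body><po:Order xmlns:po="urn:example:purchase-order">'
    '<po:Item>widget</po:Item></po:Order></e:Body></e:Envelope>'
)
```

The body check still depends on knowing which namespaces mean "purchase order", so the objection in the message about unagreed labels applies to it as well.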