• To: xml-dev@l...
• Subject: Re: SOAP-RPC and REST and security
• From: Gavin Thomas Nicol <gtn@r...>
• Date: Tue, 19 Feb 2002 23:49:52 -0500
• In-reply-to: <JISRSOOTTOIH1UTQC8TNJFVSSPHCF.3c7316a4@MChamp>
• Organization: Red Bridge Interactive, Inc.
• References: <JISRSOOTTOIH1UTQC8TNJFVSSPHCF.3c7316a4@MChamp>

On Tuesday 19 February 2002 10:23 pm, Mike Champion wrote:
> So, what's the current thinking about SOAP-RPC as a security risk in
> *plausible* scenarios where business services are exposed via SOAP? 
> And is it generally accepted that a REST-ful worm couldn't happen,
> or is this wishful thinking on my part?  I guess if you give me PUT
> access I could send you a virus that did all sorts of harm, but I'd
> still have to [expletive deleted] you into running it ... with RPC, a mechanism
> exists for the remote user to execute code directly.

Given that most initial RESTful applications will use HTTP, I can't 
see how they'd be intrinsically any safer than SOAP over HTTP. 

FWIW. One of the basics of security is the notion of "least privilege" 
which web services (indeed the web in general) almost explicitly goes 
against because of the global namespaces. 

• Follow-Ups:
  • Re: SOAP-RPC and REST and security
    • From: Paul Prescod <paul@p...>

• References:
  • SOAP-RPC and REST and security
    • From: Mike Champion <mc@x...>

• Prev by Date: SOAP-RPC and REST and security
• Next by Date: Re: SOAP-RPC and REST and security
• Previous by thread: SOAP-RPC and REST and security
• Next by thread: Re: SOAP-RPC and REST and security
• Index(es):
  • Date
  • Thread