Extending my analogy above, SOAP is like buying manufactured
cigarettes. No, you don't need to use them to cause damage,
but easy availability increases the problem.
All of the other RPC mechanisms you discuss suffer from the
same problems that I gave for SOAP. And in all of those
cases the use of those on servers regularly leads to
problems. They don't generally lead to horrible client
issues though since the clients at least tend to be
relatively solidly designed. (Compare IE with, say,
Microsoft Word for security. There is no comparison. IE,
for all of its mistakes, had to take it into account from
day 1. Microsoft Word, as the routine macro viruses can
attest, was not.) There is certainly nothing magic about
SOAP that makes it better or worse than them.
But I single out SOAP because it is the protocol of choice
for would-be buzzword-compliant people (a group who I
have distrust and distaste for at best) who want to enable
a wide variety of random clients to use a programmatic
interface to use over the Internet. It is particularly
popular among people who want to do the kinds of things
that firewall administrators (rightly) are inclined to
audit and possibly block. It is even being marketed that
way.
Therefore I believe that the density of scarily moronic
things being done with SOAP is much higher than with
the other RPC mechanisms that you mention. If people
were being encouraged to open sloppily written Excel
spreadsheets over the Internet with another RPC mechanism,
I would be just as unhappy with it. But it isn't another
RPC mechanism, it is SOAP which has that dubious honor,
so it is SOAP I am speaking up about.