SOAP frustrations

Derek Thomson derek at
Fri Oct 18 16:30:12 CEST 2002

Hi John,

John Keeling wrote:
> Over the internet, you really want to use Web Services rather than
> CORBA, because CORBA/IIOP uses multiple ports that have to be
> explicitly allowed on the firewall ( on both the client and server
> side). This is an admin and security issue.

Yes. It *is* a security issue. By misusing port 80 for remote procedure 
calls, you are violating the contract between you and your sysadmin, and 
quite likely violating your organization's (our your client's) security 
policy. That port was opened to allow web pages to be served up, not to 
run bits of arbitrary code on request.

If I were a sysadmin, I'd be blocking anything that looks like SOAP at 
the firewall. Sysadmins I've spoken to about SOAP have reacted with 
horror when I explain the nature of SOAP, and have started writing 
little filters already ;) Expect a few "anti-SOAP" scripts on 
sourceforge any time now.

The problem with this whole firewall issue is that it's a political and 
organizational one. It *cannot* be solved technically. If you want RPC 
you have to allow it through the firewall. Many developers/deployers 
don't even think to find out what the admins think at the deployment 
site, or even what the security policy is, and certainly don't do what 
they *should* do - which is to involve the admins who are looking after 
the target system.

Instead, they get all upset when the admin, who has a professional 
responsibility for the security of his users' data, refuses to just open 
up random ports without notice. Then the deployer views the admin as the 
problem that must be "worked around".

Enter SOAP and misusing port 80 to get RPC requests throught without 
needing a anyone's authority. All that will happen is the sysadmins will 
be forced to filter it, and you are back to square one.

The lesson is - you can't hack around a problem like this. You have to 
negotiate, and get all the people who will be impacted by your 
development involved from day one. Sure, they might say, "this is 
against our policy, it will never be allowed", but isn't it better to 
find that out *before* starting? Then, if you want, you can work to 
change the policy. Screwing around with port 80 is going to cause a lot 
of ill-will. The first time a SOAP request comes through that runs some 
random bit of code that causes some damage, you can fully expect to be 
hung out to dry for it.

Organizations have security policies for a reason. Hacking around them 
will *never* end well.


More information about the Python-list mailing list