I just read a letter to the editor in a German computer magazine that concisely expresses a lot of how I’ve felt about the webservices hype in general. From <cite>iX 9/2002, pg 9</cite>:
For the same reason that an administrator closes RPC ports against outside access, that is, to prevent strangers from arbitrarily calling code on the machine, he would have to close port 80 as soon as a mechanism to execute arbitrary functions is available on it.
If there is to be any security in allowing access from outside the intranet, there will have to be something like a semantic firewall analysing traffic and possibly filtering it. Not only the complexity makes this approach questionable – without a disproportionate amount of processing power in the firewall, it is not feasible to avoid denial of service attacks against a server on a high bandwidth connection.
I think it is much simpler to just communicate SOAP traffic through a separate port.
Really, in the course of its future, SOAP will have to reinvent all the security (and not only) mechanisms that DO, RMI, CORBA and friends already offer – and all this based on a protocol with very high redundancy.
So far, I struggle to perceive this as progress.
I couldn’t agree more.
Makeshifts last the longest.