Re: SUDS: the SOAP Universal Delivery System


From: Justin Mason (jm@netnoteinc.com)
Date: Tue Oct 03 2000 - 05:53:20 PDT


Jeff Bone said:

> My IRC client connects to the EFNet server and provides my information,
> with authentication information, along with the SUDS address of my
> identification service. EFNet contacts the indicated SUDS server, which
> then "connects" my identd service at the provided SUDS address with
> EFNet. The SUDS server brokers this connection between my identd
> service and the EFNet server and basically just proxies things back and
> forth at that point.

So the SUDS server is essentially a proxy for the identd service...

Here's the idea I had in Iona about similar stuff (but regarding IIOP at
that time). Brain dump to follow!

Most firewall admins would prefer if *they* could run a SUDS server, and
then apply ACLs to the SOAP services they can allow in and out; ie.

  * allow the "whos_there()" method on the identd services running on the
  internal IP addresses,

  * but don't allow the 'get_me_r00t()' method for anybody

This is a similar setup to the concept of firewall admins allowing
external-to-internal accesses to port 113/tcp (ident) but disallowing port
2049/tcp or 2049/udp (nfs == horrific security problems). The only
difference is that you're doing ACLs for SOAP services instead of simple
IP packets.

If you do it this way, you can actually get the admins on your side to a
certain extent -- it beats other protocols, where, let's say, VP
Engineering swans down to IS and demands that "the firewall be opened for
the {foo} service", and the firewall people cannot find any proxying or
security software for {foo}. In that setup, the firewall people have no
choice, they simply have to hope for the best.

The big problem with proxies is, quite often, kludging it into the
protocol; most protocols haven't been designed with proxies in mind. I
don't know enough about SOAP, but the message format seems a lot more open
than IIOP was... it could be easier to do this in SOAP.

BTW the (neat) naming scheme is essentially a "proxified" address!

I'd forward on a reference to the Iona firewall proxy white paper, which
explains my thinking on this stuff in a lot more detail, but it seems to
have disappeared from their site. ah well...

--j.
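
The per-method ACL idea in the message above, sketched as an added example that is not part of the original post or of any SUDS code: a default-deny check a firewall-run SOAP proxy could apply before forwarding a request inward. The policy table, the 10.0.0.0/8 internal range, the `urn:example:identd` namespace and the function names are all assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace

# Constructed policy: (internal network, method) pairs allowed inbound.
# Anything not listed is denied, so get_me_r00t needs no rule of its own.
ALLOW = [
    (ipaddress.ip_network("10.0.0.0/8"), "whos_there"),
]

def soap_method(envelope: bytes) -> str:
    """Return the local name of the single method element in the SOAP Body."""
    # SOAP 1.1 forbids a DTD in a message, so refuse one before parsing.
    if b"<!DOCTYPE" in envelope:
        raise ValueError("DTD not allowed in a SOAP message")
    root = ET.fromstring(envelope)
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        raise ValueError("not a SOAP 1.1 envelope")
    body = root.find(f"{{{SOAP_ENV}}}Body")
    # Require exactly one child so a second call cannot ride behind an allowed one.
    if body is None or len(body) != 1:
        raise ValueError("SOAP Body must hold exactly one method element")
    return body[0].tag.rsplit("}", 1)[-1]  # strip the "{namespace}" prefix

def permit(dest_ip: str, envelope: bytes) -> bool:
    """Fail closed: unparseable requests and unlisted methods are denied."""
    try:
        method = soap_method(envelope)
        dest = ipaddress.ip_address(dest_ip)
    except (ValueError, ET.ParseError):
        return False
    return any(dest in net and method == name for net, name in ALLOW)

def make_request(method: str) -> bytes:
    """Build a constructed sample envelope calling `method`."""
    return (f'<e:Envelope xmlns:e="{SOAP_ENV}"><e:Body>'
            f'<m:{method} xmlns:m="urn:example:identd"/>'
            f'</e:Body></e:Envelope>').encode()

if __name__ == "__main__":
    for ip, method in [("10.1.2.3", "whos_there"), ("10.1.2.3", "get_me_r00t"),
                       ("192.0.2.7", "whos_there")]:
        print(ip, method, "ALLOW" if permit(ip, make_request(method)) else "DENY")
```

The check matches on the method's local name only; a real policy would also pin the method's namespace and the caller's identity.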



This archive was generated by hypermail 2b29 : Tue Oct 03 2000 - 06:02:00 PDT