• Feeds

    Subscribe in a reader

  • Ads

More on routing

Wednesday, June 16 2004 - blog

Jef Newsom is also taking a crack at building a transport-independent SOAP router using WSE. I have a couple of observations on his implementation.

Using Pipeline.IsIntermediary = true. That sound you hear is me slapping my forehead going “why didn’t I think of that?” Setting this should allow the incoming message to be resent using SoapSender.Send(), thereby eliminating the need to clone the full body of the message using SoapEnvelope.LoadXml(). I’ll have to test that one out.

Pipeline.IsIntermediary has an interesting effect on the XML contents of a SoapEnvelope. When IsIntermediary is set to false, the XML representation of a header is removed from the envelope when the header is processed by a filter. To see this, set a breakpoint inside of a SoapReceiver and look at the OuterXml of the envelope currently being processed – if IsIntermediary is false, there will be no addressing headers in the resultant XML string.

This has a subtle implication when it comes to security. In my implementation, the outbound message leaving the router would not contain any of the security tokens present in the incoming message. This is because I have Pipeline.IsIntermediary = false and are creating the outbound message directly from the XML representation of the incoming message. In Jef’s implementation, those tokens will not be removed from the message and will therefore be transmitted across the router. I’m not sure if this is a feature or a bug. Is trust point-to-point, or end-to-end?

Sending messages directly through an OutputChannel.  I’m pretty sure that this is a bug, and really not the right thing to do. Jef’s implementation circumvents SoapSender.Send() and puts the message directly on the wire using an OutputChannel obtained from SoapTransport.StaticGetOutputChannel(). This does result in message transmission, but circumvents the router’s outbound pipeline. As a result, Jef’s router will not be able to sign or encrypt messages, or have policy applied to its outbound messages. Given that security tokens are being propagated, I think this is definitely a bad thing.

Tagged as:

#1 Softwaremaker on 11.27.2004 at 4:31 PM

I have further taken your subject of Trust being Point-to-Point or End-to-End in a post of mine here.http://www.softwaremaker.net/blog/PermaLink,guid,1508b8a2-a4f5-49a3-beb4-15725f0b0f59.aspxFeel free to comment on it.