SOAP frustrations

Christopher Browne cbbrowne at acm.org
Fri Oct 18 11:53:03 EDT 2002


After takin a swig o' grog, Derek Thomson <derek at wedgetail.com> belched out...:
> Christopher Browne wrote:
>>>>The problem with many of the SOAP implementations (including those
>>>>for Python) is that the call to the result() method is implicit,
>>>>and you /never/ get a chance to intercept the XML so as to be able
>>>>to do more sophisticated things with it, such as looking for
>>>>encrypted portions and decrypting them...

>>>My unfashionable opinion is that if you want to do RPC, especially if
>>>other languages are involved, then CORBA is a mature enough technology
>>>that probably won't be as frustrating as SOAP to use or to deploy.

>> There's one problem with CORBA: It's nastier to get it through
>> firewalls, because there are lots of reasonably interoperable HTTP
>> proxies, but IIOP proxies are much rarer.

> I predict it won't be easier to run SOAP through firewalls for
> long. Wait until sysadmins realize you are running RPC calls over port
> 80, and filter incoming SOAP requests out.

> I know forward-thinking sysadmins are already starting to do this, as
> port 80 was *not* opened for RPC, and any attempt to use it as such
> would violate their organization's security policies, and requires
> explicit permission.

> See my previous post here on why this problem cannot be solved
> technically.

I certainly don't disagree with you on the notion that there's a
pretty security issue there.

But that does not contradict the notion that SOAP is somewhat easier
to work with from a "firewalling perspective" since it uses a protocol
(HTTP) for which huge numbers of proxies are widely available and widely
deployed, whereas the same is /not/ true for IIOP.

(Note that I wouldn't blindly call that difference /totally/
beneficial; there's lots about HTTP that "sucks," as IIOP is
substantially more expressive and offers much more sophisticated
semantics.)

But the fact remains: You can probably get a CD from AOL that contains
an HTTP proxy, if you microwave it long enough.  In contrast, the
equivalents for IIOP tend to be proprietary and may only interoperate
with a pretty lowest-common-denominator of functionality, as high end
ORB vendors are likely to offer interesting extensions.  (My tongue is
in my cheek, here, but I'm not /totally/ unserious.)
-- 
(concatenate 'string "cbbrowne" "@ntlug.org")
http://cbbrowne.com/info/corba.html
Referring to undocumented  private communications allows one to  claim
virtually anything: "we discussed this idea in  our working group last
year, and concluded that it was totally brain-damaged".
-- from the Symbolics Guidelines for Sending Mail
