

Mark Baker

Good stuff, but again, you are continuing to misuse the word "REST" by using it as some sort of synonym for current practice with HTTP & URI.

REST does not require HTTP
REST cannot be compared to WS-*
You can use WS-Security RESTfully



>REST does not require HTTP

Fair enough. All of the example security mechanisms proposed at the beginning of this meme by REST folks fall back to HTTP.

>You can use WS-Security RESTfully

Right, and not only that, but the key primitives that WS-Security uses, like XML Enc and XML Sig, are open, so there is nothing to stop REST from using the same.

Dan Pritchett

Great post. The separation of SSL from security of the message is a concept that is often lost on SOAP developers as well. The need to move to more intelligent routers to handle a variety of QoS tasks is pushing SSL termination further from the application server. Assuming that your SSL connection is getting anywhere near your application is a fallacy.


Dan, by my estimate it is lost on 72% of SOAP developers.
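The point in the two exchanges above (XML Sig-style primitives being usable over plain HTTP, and TLS being terminated at a router long before the application sees the request) comes down to one thing: integrity has to be bound to the message, not the connection. The following is an added example, not code from the post or its commenters. It stands in for an XML Signature with a detached HMAC over the request so it runs on the Python standard library alone; the function names, the `X-Msg-*` headers, the canonical string layout, the shared key and the sample request are all assumptions made for the demonstration.

```python
"""Message-level integrity that survives TLS termination.

Added example for this comment thread, not code from the post or its
commenters. It stands in for an XML-Signature-style detached signature with
a plain HMAC over the request so it runs on the standard library alone.
Names (sign_request, verify_request, the X-Msg-* headers) are assumptions.
"""
import hashlib
import hmac
import time

# Constructed shared key for the demo; in practice provisioned out of band.
SHARED_KEY = b"constructed-demo-key"
MAX_SKEW_SECONDS = 300


def _canonical(method, path, body, timestamp):
    # Bind method, path, body digest and time into one string so that no
    # part can be swapped or replayed without invalidating the MAC.
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_digest, str(timestamp)]).encode()


def sign_request(key, method, path, body, timestamp=None):
    """Return headers carrying a detached MAC over the message."""
    ts = int(timestamp if timestamp is not None else time.time())
    mac = hmac.new(key, _canonical(method, path, body, ts), hashlib.sha256).hexdigest()
    return {"X-Msg-Timestamp": str(ts), "X-Msg-Signature": mac}


def verify_request(key, method, path, body, headers, now=None):
    """Return True only if the MAC matches and the timestamp is fresh."""
    try:
        ts = int(headers["X-Msg-Timestamp"])
        presented = headers["X-Msg-Signature"]
    except (KeyError, ValueError):
        return False
    current = int(now if now is not None else time.time())
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False  # outside the replay window
    expected = hmac.new(key, _canonical(method, path, body, ts), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented)


def tampering_intermediary(body):
    """Model a router that terminates TLS and rewrites the plaintext body."""
    return body.replace(b'"amount": 10', b'"amount": 1000')


def demo():
    """Sign once, then verify the intact, the tampered and a stale copy."""
    body = b'{"account": "42", "amount": 10}'  # constructed sample request
    headers = sign_request(SHARED_KEY, "POST", "/transfers", body, timestamp=1_700_000_000)
    intact = verify_request(SHARED_KEY, "POST", "/transfers", body, headers, now=1_700_000_010)
    altered = verify_request(SHARED_KEY, "POST", "/transfers",
                             tampering_intermediary(body), headers, now=1_700_000_010)
    stale = verify_request(SHARED_KEY, "POST", "/transfers", body, headers,
                           now=1_700_000_000 + 3600)
    return intact, altered, stale


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The transport is deliberately absent from the code: whatever terminates SSL in front of the application server can read and rewrite the body, but it cannot produce a valid `X-Msg-Signature` without the key, and the timestamp in the canonical string limits how long a captured message stays replayable. A real deployment would use a per-client key or a public-key signature (XML Sig, or a detached signature over the body) rather than one shared HMAC key, but the separation from the connection is the same.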

Mark Baker

REST discussion does tend to fall back to HTTP when talking about using it in practice, because HTTP is the only protocol in existence that resembles REST's uniform connector. FWIW, another one - Waka, intended as an HTTP replacement - will have its spec published soon. It will be interesting to see if it includes or suggests an approach to message-based security.
