Message-based Security for non WS-*, non-XML Use Cases

, Dec 6, 2006

Stu Charlton writes about message-level security features:

The question is — why did we need to build these in a SOAP/XML stack that broke the semantics of HTTP and treats all other forms of data as second-class citizens?

I don’t think XML is the centre of the web universe — JSON is catching on like fire, and binary media types continue to grow in variety, etc. For some reason, people thought that all that businesses want is text data — the binary stuff can be shoved into Base64 or MIME attachments. What happens when we need to apply our XML security specs on top of them? Oops! — enter MTOM. Today, if I want to secure non-XML data within an XML-based security network, I have many layers of inert redundancy and complexity.

I totally agree. I tried to highlight the lack of a need for something like MTOM in REST in my BeJUG presentation — one more example of a problem that could have been avoided had people used the Web instead of abusing it.