
Posted: Fri Nov 09, 2007 4:21 am
by Jenk
Hockey wrote:
That still begs the same question... how is SOAP more secure than REST when both use the same HTTP service? SOAP is a defined XML format, still uses strings over HTTP. REST is a dynamic string over HTTP.
Well the fact that REST advocates seem to stress the importance of "stateless" behavior makes it less secure. Sure you could integrate authentication but without sessions or something, you would have to pass the user/pass in every time you make a request, so unless you used HTTPS, wouldn't that be insecure?

As for the use of an API key...I have considered possibly using something like a private key implementation to encrypt the messages...

Maurgim, thanks for that OAuth...I'll certainly check it out.

Cheers :)
SOAP is not stateful, either, and you still have perfectly accessible sessions.
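
An added example, not part of any post in this thread: a stateless request can be authenticated without sending the user/pass each time by signing it with a secret tied to an API key. It uses an HMAC rather than the private-key encryption mentioned above, and the header names, key table and secret are hypothetical.

```python
import hashlib
import hmac
import time

# Constructed sample data: API key id -> shared secret (hypothetical values).
API_SECRETS = {"demo-key-1": b"constructed-shared-secret"}
MAX_SKEW = 300  # seconds a signed request stays valid


def sign_request(key_id, secret, method, path, body, timestamp):
    """Client side: return headers that authenticate one request."""
    msg = b"\n".join([
        method.encode(),
        path.encode(),
        str(timestamp).encode(),
        hashlib.sha256(body).hexdigest().encode(),
    ])
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Hypothetical header names; the secret itself never goes on the wire.
    return {"X-Key-Id": key_id, "X-Timestamp": str(timestamp), "X-Signature": sig}


def verify_request(headers, method, path, body, now=None):
    """Server side: no session lookup, only the key table and the request."""
    now = time.time() if now is None else now
    key_id = headers.get("X-Key-Id", "")
    secret = API_SECRETS.get(key_id)
    if secret is None:
        return False
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW:
        return False  # stale: limits replay of a captured request
    expected = sign_request(key_id, secret, method, path, body, ts)["X-Signature"]
    supplied = headers.get("X-Signature", "")
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), supplied.encode())
```

The signature shows who sent the request and that it was not altered in transit; it does not hide the body, so confidentiality still depends on HTTPS.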