Posted by kohsuke
on May 30, 2006 at 11:42 AM PDT
Arun brought a comment to his session to my attention, in which an user made some interesting comments about web services. Since I work on the JAXB RI, so I know a thing or two about the issue he's talking about.
Arun brought this to my attention, in which pinus made some interesting comments. Since I work on the JAXB RI, so I know a thing or two about the issue he's talking about.
He first says:
"Schemas should be used as data type descriptions, not as validation mechanisms. Avoid complexity unless it’s required, and avoid schema constructs that do not map well onto programming languages."
This is a really bad idea!
We never suggested that you shouldn't use schema for validation. What we mean is that it's normal for schemas to be unable to capture all the validation constraints. There's always constraints that can't be captured by the schema, such as check digit in the code, referencial integrities, name uniqueness, and etc.
Therefore, schema authors should avoid complicating schemas too much in an attempt to capture more constraints in the schema. That just makes your schema hard to read for both humans and databinding tools like JAXB.
pinus also talks about DoS attack, but it's somewhat orthogonal to how your schema looks like, since his attack is just exploiting a system that loads the entire document into memory. It's equally possible to mount such an attack on a system that doesn't use schema at all.
Furthermore, speaking of DoS, there are similar "better" attacks that you can mount on any XML-based system, even to those that don't load the entire XML into memory. For example, you can send infinitely many attributes (XML spec doesn't place any limitation on the number of them) and that's often enough to saturate the server's memory.
So, my point is that, while these DoS attacks are possible, it's by no means limited to web services. XML over HTTP (or for that matter any stand-alone application that processes XML) is equally prone to these attacks.
pinus also claims that WSDL-based web services are 100 times slower, but he doesn't say what he's comparing it against (sure, it could be 100 times slower than an ordinary local method call.) So I'll be just point one thing. He implies that his web service toolkit is using DOM behind the scene, but if you are using JAX-WS (especially the 2.0.1 rearchitecture work, but probably also true with JAX-WS 2.0 FCS), then it will not use DOM at all.
That said, finally, I agree with his comments like "Looking at the XML specifications, the J2EE 1.4 specifications look like beginners literature.". The complexity just baffles me, and for all my hobby projects I never needed any of those; XML over HTTP is good for me.
For those who are in the same camp, you might find this an amusing read.