SOAP (Simple Object Access Protocol) is the foundational, XML-based application protocol used to implement Web services within a SOA (Service Oriented Architecture). SOAP is transported primarily via HTTP and middleware messaging systems (JMS, MQ Series, MSMQ, Tuxedo, TIBCO RV) but can also be transported via other protocols such as SMTP (Simple Mail Transfer Protocol) and FTP (File Transfer Protocol).
SOAP messages generally comprise the following elements:
- Envelope: The SOAP envelope is the root element of a SOAP message and is required. In essence, the envelope contains the SOAP message just as a traditional envelope contains a written letter.
- Header: The SOAP header is optional, and when present it contains application-specific information such as authentication, addressing, and routing details.
- Body: The SOAP body is required, and it contains the actual application message being transported, including the specific remote operation being invoked as well as the data (parameters) being exchanged.
SOAP messages are often large as they must contain the information that applications and clients need to parse the data contained within them and to execute the appropriate logic. As messages increase in size, the processing required on the server increases as well, causing the consumption of resources on the server to increase while decreasing overall capacity. The increase in size can also have an adverse effect on the performance of applications built upon SOAP, as more network resources are required to transfer the messages.
Because SOAP is XML-based, it is vulnerable to a bevy of XML-focused attacks and vulnerabilities, and it is further vulnerable to the attacks associated with its transport layer protocol, most often HTTP.
F5 products that can address the security and performance issues associated with SOAP: BIG-IP Application Security Manager