I tried using SOAP::Lite with a GSI proxy certificate, following these instructions:
I found that if the site I tried to access returned an HTTP redirect, then SOAP::Lite would follow the redirect without confirmation (but still using my GSI certificate to authenticate the connection). For example, if I do:
    use SOAP::Lite;

    my $service = SOAP::Lite->service("http://untrusted.server/service.wsdl");
    $service->doSomething();
Then untrusted.server can cause me to invoke "doSomething" on any service of its choice, using my credentials.
RFC 2616 says:
This class of status code indicates that further action needs to be
taken by the user agent in order to fulfill the request. The action
required MAY be carried out by the user agent without interaction
with the user if and only if the method used in the second request is
GET or HEAD.
Since the SOAP message was a POST, this shouldn't have worked, I think.
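
The RFC 2616 rule quoted above, written as a redirect policy for an LWP::UserAgent-based client (SOAP::Lite's HTTP transport is one). This is an added example, not part of the original post and not SOAP::Lite's own code; it goes beyond the quoted rule by also refusing redirects that leave the original scheme, host and port. The class name StrictRedirectUA and all hosts are hypothetical, and wiring the class into SOAP::Lite is not shown.

```perl
use strict;
use warnings;

package StrictRedirectUA;
use parent 'LWP::UserAgent';

# LWP calls redirect_ok before following a 3xx response; returning 0 refuses.
sub redirect_ok {
    my ($self, $new_request, $response) = @_;
    my $old = $response->request;

    # RFC 2616: only GET and HEAD may be redirected without asking the user.
    return 0 unless $old->method =~ /\A(?:GET|HEAD)\z/;

    # Never present the client certificate to a different scheme, host or port.
    my ($from, $to) = ($old->uri, $new_request->uri);
    return 0 unless $to->scheme eq $from->scheme
                 && $to->can('host_port')
                 && lc $to->host_port eq lc $from->host_port;
    return 1;
}

package main;
use HTTP::Request;
use HTTP::Response;

my $ua = StrictRedirectUA->new;

# Constructed cases: original method, original URL, redirect target.
my @cases = (
    [ POST => 'https://trusted.example/soap',         'https://other.example/soap' ],
    [ POST => 'https://trusted.example/soap',         'https://trusted.example/v2' ],
    [ GET  => 'https://trusted.example/service.wsdl', 'https://other.example/service.wsdl' ],
    [ GET  => 'https://trusted.example/service.wsdl', 'https://trusted.example/v2/service.wsdl' ],
);

for my $case (@cases) {
    my ($method, $from, $to) = @$case;
    my $response = HTTP::Response->new(302, 'Found', [ Location => $to ]);
    $response->request(HTTP::Request->new($method => $from));
    my $next = HTTP::Request->new($method => $to);   # prospective follow-up request
    printf "%-4s %s -> %s: %s\n", $method, $from, $to,
        $ua->redirect_ok($next, $response) ? 'follow' : 'refuse';
}
```

No network access is needed: the responses are built in memory and passed straight to the policy method.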