This chapter describes how to validate incoming messages. It covers these topics:
• About Message Validation
• Validating Messages with XML Schema
• Uploading XML Schemas with Dependencies
About Message Validation
The ACE XML Gateway can validate messages to ensure that they are in the form expected by the destination service or consumer. Performing message validation at the ACE XML Gateway relieves endpoints from having to contend with faulty messages, and helps to ensure the security of those resources.
Several methods of validation are possible, depending on the protocol of the service or message format. For XML messages, for example, the ACE XML Gateway can ensure that messages are well-formed XML. It can also check messages against an XML schema. Messages that fail to conform to a schema can be rejected or allowed through with an event logged.
The ACE XML Gateway can verify message arguments, including argument types and values. It can check that messages have an argument and, depending on the type of the argument, test its value. For example, the Gateway can ensure that the value of an integer argument is less than 1000.
Validating Messages with XML Schema
The ACE XML Gateway can validate messages with XML content against an XML schema. A schema prescribes the content and structure of XML documents. By default, the ACE XML Gateway validates SOAP message envelopes against the Web Service Security and the Web Services Utility schemas. If needed, you can add schemas to be used for validation of the SOAP body content.
When a WSDL is imported, the ACE XML Manager generates an XML schema for the services based on the WSDL definition. You can configure message validation with the generated schema or upload and apply another.
To configure schema validation, follow these steps:
Step 1 In the Virtual Services browser, click the virtual service object for which you want to configure schema validation.
Step 2 Click the Edit link next to either the Request Message Specification or Response Message Specification heading, depending on which branch of the ACE XML Gateway message flow you want to have validated.
Step 3 From the SOAP Message Validation menu, choose one of the content validation options, which result in invalid messages being blocked or permitted, with the event being logged. For more information, see the "Validation Options" section.
The header validation options appear. By default, headers are validated against the WSS and WSU specifications. You can clear the selection for these options to not accept those headers, if desired.
Step 4 Click Upload to import additional XML schemas to which incoming headers may need to conform.
Any XML schemas that appear in the list are applied to header validation. To remove a schema, you need to delete it from the Validation (XSD/DTD) page.
Note: For information about schema dependencies and uploading schemas, see the "Uploading XML Schemas with Dependencies" section.
Step 5 In the SOAP Body Content Specification settings, choose how you want the body of the message to be validated. Notice that you can specify a particular element or have messages validated against any schema.
Step 6 Click Save Changes to commit your changes to the working policy.
When the policy is deployed, the ACE XML Gateway validates messages handled by the service definition. If a request does not conform to the configured schemas, a SOAP fault occurs with a
You can choose from a range of message-validation strategies, from no validation to strict validation against multiple schemas. The following table lists the validation options.
Table 10-1 Validation options
With this option selected, the service descriptor tests the response message for simple XML well-formedness. To enable WSDL generation, you can choose an XML Schema that describes the SOAP body. Note, however, that if you choose this option, the message body is not validated against the XML schema.
The service descriptor validates the message against one or more XML schemas. If the content does not comply with the schema, the message is rejected.
The service descriptor validates the message against one or more XML schemas. If the content does not comply with the schema, the event is logged but the message is accepted.
Must be empty
Requires the response from the service to contain an empty message body. The ACE XML Manager hides other validation controls that may have been on the page so that only the SOAP Message Validation menu appears.
Uploading XML Schemas with Dependencies
When you import a WSDL, the ACE XML Manager generates a schema bundle made up of schemas derived from the WSDL contents. For services not described by WSDLs or for other cases, you may need to upload an XML schema directly.
An important point to consider when attempting to upload schemas directly is that some XML schema documents are not complete in themselves. A schema may refer to other XML schema documents to define parts of its schema.
XML schemas reference external resources using "import" or "include" tags. These tags normally have schema-location attributes that tell where to find referenced schemas, but they are not required to. That means that a schema could import or include a schema without providing any information about where to find it. The ACE XML Manager treats such references as advisory—if the referenced schema is already in the policy, it will be used. However, if not, the ACE XML Gateway will not ever look for missing schemas.
If all referenced schemas are location-identified and accessible on the network when a policy is prepared, then the schema validation that uses them should work appropriately, but remember that the availability of remote files may not be reliable.
Like most types of policy resources, you can import a schema from a URL location or a filesystem location. Schemas imported from a URL location that reference other schemas can be uploaded without a problem. However, importing such a schema from a filesystem may take some special effort. For security reasons, the ACE XML Manager will not attempt to resolve these schema references. If you attempt to upload a schema from a filesystem location that contains such references, you will see an error similar to the following in the Upload XSD Resource page:
File upload failed: XML Schema 'ord.xsd' contains imported or included XML Schema 'prod.xsd' that could not be accessed due to 'java.net.MalformedURLException: no protocol: ord.xsd'
For schema import to work in this case, you can either move the schema file and its dependencies to a web server or bundle them into a ZIP file, which you can then upload in the ACE XML Manager. If you choose to bundle the resources in a ZIP file, the primary schema file needs to be renamed to root.xsd, so that the ACE XML Manager knows which XSD resource to open first.
To summarize, the steps for uploading a schema resource are:
Step 1 Click the Validation (XSD/DTD) item from the Resources group in the navigation menu.
Step 2 Click the Add a New XSD Resource button.
Step 3 In the Resource Name field, enter a unique name for the resource among XSD resources.
Step 4 Specify the XSD file to be uploaded. The XSD file can be uploaded either from a URL location (by entering the full URL in the URL text field) or at a file location (by browsing to the file in the file chooser dialog box). If uploading the schema from a file location and the schema contains references to other schemas, you must first package the schemas for uploading as follows:
a. Rename the primary schema to root.xsd. The references to other schemas must be relative to this root schema, usually in the same directory but possibly in a subdirectory.
b. Bundle root.xsd and the schemas it references in a ZIP file.
c. Specify the ZIP file as the schema resource file to be uploaded.
Step 5 Click Upload.
The uploaded schema can now be applied to message validation in request and response specifications.
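The packaging in steps a through c can be scripted and checked before upload. The following is an added example, not part of the ACE XML Manager or the original chapter: the function name build_bundle and the sample schemas are assumptions made for illustration. It follows import and include references from the primary schema, rejects any schemaLocation that is not relative or that leaves the bundle directory, and writes the ZIP with the primary schema stored as root.xsd.

```python
import io
import posixpath
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urlsplit

XS = "{http://www.w3.org/2001/XMLSchema}"
NS = 'xmlns:xs="http://www.w3.org/2001/XMLSchema"'
# Constructed sample schemas; the file names follow the error message shown earlier.
SAMPLE = {
    "ord.xsd": f'<xs:schema {NS}><xs:import namespace="urn:example:prod" '
               f'schemaLocation="prod.xsd"/></xs:schema>',
    "prod.xsd": f'<xs:schema {NS} targetNamespace="urn:example:prod">'
                f'<xs:include schemaLocation="common/types.xsd"/></xs:schema>',
    "common/types.xsd": f'<xs:schema {NS} targetNamespace="urn:example:prod"/>',
}

def build_bundle(files, primary):
    """files maps paths (relative to the primary schema's directory) to XSD text.
    Returns the ZIP as bytes, with the primary schema stored as root.xsd."""
    if "root.xsd" in files and primary != "root.xsd":
        raise ValueError("root.xsd already exists and is not the primary schema")
    bundle, queue = {}, [primary]
    while queue:
        path = queue.pop()
        if path in bundle:
            continue
        if path not in files:
            raise ValueError(f"referenced schema not found: {path}")
        bundle[path] = files[path]
        for el in ET.fromstring(files[path]).iter():
            loc = el.get("schemaLocation")
            if el.tag not in (XS + "import", XS + "include") or loc is None:
                continue  # no location given: advisory reference, nothing to package
            ref = urlsplit(loc)
            if ref.scheme or ref.netloc or loc.startswith("/"):
                raise ValueError(f"{path}: schemaLocation {loc!r} is not relative")
            target = posixpath.normpath(posixpath.join(posixpath.dirname(path), loc))
            if target == ".." or target.startswith("../"):
                raise ValueError(f"{path}: {loc!r} points outside the bundle")
            if target == primary and primary != "root.xsd":
                raise ValueError(f"{path}: reference to {primary} breaks after renaming")
            queue.append(target)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in bundle.items():
            zf.writestr("root.xsd" if path == primary else path, data)
    return buf.getvalue()
```

Only schemas reachable from the primary schema are written, so unrelated files in the same directory do not end up in the uploaded policy resource.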