
Calling a resource from a REST service causes the web browser to display the message:

[image]

The server on which the REST service is deployed (localhost) only provides a secured HTTPS connection. So I really have no idea what the root cause of that warning is. This is the XML file received by the web browser.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<category xmlns="https://localhost/" id="1">
    <description>des_swdevelopment</description>
    <name>swdevelopment</name>
</category>
```

The XSD file on the server side looks like:

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="https://localhost/"
    targetNamespace="https://localhost/" elementFormDefault="qualified"
    xmlns:pref="https://localhost/" >

    <xs:element name="category">
        <xs:complexType >
            <xs:sequence>
                <xs:element name="description" type="xs:string" />
                <xs:element name="name" type="xs:string" />
            </xs:sequence>
            <xs:attribute name="id" type="xs:integer" />
        </xs:complexType>
    </xs:element>

</xs:schema>
```

The security warning provides two options. If I choose 'YES', the browser just displays: des_swdevelopmentswdevelopment. The 'No' option displays the XML file correctly, and the network traffic sniffed using RawCap is:

[image]

According to the pcap file I assume that the warning is concerned with the http://www.w3.org/2001/XMLSchema URL defined in the XSD file.

Is that right and what do I need to prevent this warning?

[EDIT :] This is my project setup:

[image]

My-Name-Is
  • Your packet capture shows an SSDP packet (UPnP/autodiscovery), over UDP, which almost certainly has nothing to do with what you're trying to do. What else is there? What pulls the XSD file? (I'm not sure there is much point in what you're doing since it's quite unlikely that you're going to serve XML to the browser in practice.) – Bruno Jul 25 '13 at 16:51
  • The resources are normally requested by a web client. I just stumbled over that warning while solving a project error, thus I just used the web browser to do a @Get request. What is interesting is that the only difference in the pcap file between pressing 'YES' and 'No' is that there is this sequence of SSDP packages at the end of the traffic. What do you mean by, what pulls the XSD file? – My-Name-Is Jul 25 '13 at 17:11
  • Ah, OK. So you're saying there's a page with an AJAX call that gets the first document (``)? The SSDP stuff is just a regular broadcast, nothing to do with pressing yes/no. What would make the browser get the second document (the XSD file)? – Bruno Jul 25 '13 at 17:26
  • Ah, the XSD file causes that warning. Firefox 22.0 displays the XSD file without any warnings. But IE 9 prevents it from being displayed, with the message: `Only secure content is displayed` and a button: `Show all content`. So it seems that there is a problem with `http://www.w3.org/2001/XMLSchema`. What is the workaround for that? – My-Name-Is Jul 25 '13 at 17:37
  • Why would the XSD file be retrieved at all? That's my question. Do you have JavaScript code that also validates the XML? You also seem to be assuming that URIs in `xmlns` are meant to be dereferenced: these URIs often match the URLs of their respective schemas, but that's certainly not a requirement to have it match the schema location. – Bruno Jul 25 '13 at 17:48
  • Yes, client-side validation is considered to be done somewhere in the future. I removed all the namespace definitions in the XSD and XML files whose value is `xmlns="https://localhost/"`. The server-side validation works well as before, but the web browser shows the warning as before. – My-Name-Is Jul 25 '13 at 18:13
  • I tried to remove the `xmlns:xs="http://www.w3.org/2001/XMLSchema"` definition in the XSD file, which is the only `http` link. But this means that the type definitions in: `` can't be resolved anymore, and the Eclipse IDE raises the error: `s4s-elt-schema-ns: The namespace of element 'element' must be from the schema namespace, 'http://www.w3.org/2001/XMLSchema'.` – My-Name-Is Jul 25 '13 at 18:14
  • You could try to host `http://www.w3.org/2001/XMLSchema.dtd` locally on your site and use `xs:schemaLocation="http://www.w3.org/2001/XMLSchema https://yourpathto/XMLSchema.dtd"`. – Bruno Jul 25 '13 at 18:21
  • Unfortunately this gives me an error: `s4s-att-not-allowed: Attribute 'xs:schemaLocation' cannot appear in element 'schema'.` – My-Name-Is Jul 25 '13 at 19:32
  • I'm not sure... Coming back to your initial problem: (1) do you get this working when you retrieve this `` document using AJAX, or only when you point the browser directly at it? (2) Where is your own XSD file on the server, and what tries to get it? Why would you get it at all? (Do you even really need validation, is it worth the hassle?) – Bruno Jul 25 '13 at 19:38
  • (1) -> Yes, it works. (2) -> I added a snapshot of my workspace to the question. It works with the web client, so it isn't a functional problem. But this is a part of my security related project work, hence it would be good to find out how to solve this. Otherwise I will just write some lines about this into the project documentation. – My-Name-Is Jul 25 '13 at 19:55
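
The distinction raised in the comments, that `xmlns` values are names while only a few attributes carry locations a processor may fetch, can be checked mechanically. The following is an added example, not code from the thread; the function names, the second sample document and its `http://localhost/category.xsd` URL are constructed for illustration.

```python
import io
import re
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
XS = "http://www.w3.org/2001/XMLSchema"
# Schema elements whose schemaLocation attribute names a document to load.
SCHEMA_REFS = {f"{{{XS}}}import", f"{{{XS}}}include", f"{{{XS}}}redefine"}

def classify_uris(xml_bytes):
    """Return (identifiers, fetchable): namespace names vs. URLs a processor may load."""
    identifiers, fetchable = set(), set()
    events = ET.iterparse(io.BytesIO(xml_bytes), events=("start-ns", "start"))
    for event, item in events:
        if event == "start-ns":
            identifiers.add(item[1])  # (prefix, uri): a name, never dereferenced
            continue
        for attr, value in item.attrib.items():
            if attr == f"{{{XSI}}}schemaLocation":
                fetchable.update(value.split()[1::2])  # "namespace location" pairs
            elif attr == f"{{{XSI}}}noNamespaceSchemaLocation":
                fetchable.add(value)
            elif attr == "schemaLocation" and item.tag in SCHEMA_REFS:
                fetchable.add(value)
    # Stylesheet processing instructions are also loaded by browsers.
    for href in re.findall(rb'<\?xml-stylesheet[^>]*?href="([^"]+)"', xml_bytes):
        fetchable.add(href.decode("ascii", "replace"))
    return identifiers, fetchable

def insecure_fetches(xml_bytes):
    """Fetchable references that would be loaded over plain HTTP."""
    return sorted(u for u in classify_uris(xml_bytes)[1]
                  if u.lower().startswith("http://"))

# Constructed copy of the XSD header from the question.
PAGE_XSD = b'''<?xml version="1.0" encoding="ISO-8859-1"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="https://localhost/"
    targetNamespace="https://localhost/" elementFormDefault="qualified">
  <xs:element name="category" type="xs:string"/>
</xs:schema>'''

# Constructed instance document that does point at a schema over HTTP.
SAMPLE_WITH_LOCATION = b'''<?xml version="1.0" encoding="UTF-8"?>
<category xmlns="https://localhost/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="https://localhost/ http://localhost/category.xsd" id="1"/>'''

if __name__ == "__main__":
    print(insecure_fetches(PAGE_XSD), insecure_fetches(SAMPLE_WITH_LOCATION))
```

For the XSD as posted, the `http://www.w3.org/2001/XMLSchema` URI is reported only as an identifier, and no plain-HTTP fetchable reference is found.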
