I'm walking through the following tutorial:

http://jeromebulanadi.wordpress.com/2010/02/25/basic-spring-web-service-tutorial-from-contract-to-security/

and I faced a problem. I don't know whether it's an expected outcome or some kind of a bug.

It's about the behaviour of the PayloadValidatingInterceptor. It correctly validates all elements described in the XSD, but it also allows elements not defined in the XSD to be in the payload.

For example, <sch:XXXYYYZZZ/> is mentioned nowhere in the XSD and the following request returns an error (and it's perfectly expected):

<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:sch="http://springwebapp.example.com/webservices/person/schema">

   <soapenv:Header/>
   <soapenv:Body>
      <sch:GetAllPersonsRequest>
        <sch:XXXYYYZZZ/>
      </sch:GetAllPersonsRequest>
   </soapenv:Body>
</soapenv:Envelope>

And I get the following reply (as expected):

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
   <SOAP-ENV:Header/>
   <SOAP-ENV:Body>
      <SOAP-ENV:Fault>
         <faultcode>SOAP-ENV:Client</faultcode>
         <faultstring xml:lang="en">Validation error</faultstring>
         <detail>
            <spring-ws:ValidationError xmlns:spring-ws="http://springframework.org/spring-ws">cvc-complex-type.2.1: Element 'sch:GetAllPersonsRequest' must have no character or element information item [children], because the type's content type is empty.</spring-ws:ValidationError>
         </detail>
      </SOAP-ENV:Fault>
   </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

But I don't know why an element not defined in the schema is allowed to be in the BODY element. The following doesn't return an error and is positively validated:

<soapenv:Envelope
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:sch="http://springwebapp.example.com/webservices/person/schema">
   <soapenv:Header/>
   <soapenv:Body>
      <sch:GetAllPersonsRequest/>
      <sch:XXXYYYZZZ/>
   </soapenv:Body>
</soapenv:Envelope>

Here is an excerpt from ws-context.xml where the validator is defined:

<bean id="validatingInterceptor" class="org.springframework.ws.soap.server.endpoint.interceptor.PayloadValidatingInterceptor">
    <property name="xsdSchema" ref="schema" />
    <property name="validateRequest" value="true" />
    <property name="validateResponse" value="true" />
</bean>
Andreas Veithen

1 Answer

That is by design. As the name implies, PayloadValidatingInterceptor validates the message payload. In the case of a SOAP message, Spring-WS defines the payload as the first child element of the soapenv:Body element, i.e. sch:GetAllPersonsRequest in your case. Therefore, the validator will not even see the sch:XXXYYYZZZ element.

If you really want to detect that type of invalid request, here is one option you have:

  • Implement your own interceptor that extends AbstractFaultCreatingValidatingInterceptor, but that extracts the SOAP envelope instead of the payload.
  • Import the SOAP 1.1 schema into your project and add it to the configuration of your custom interceptor together with your own schema.

Note that this will not catch elements in namespaces for which no schema has been provided. To trigger a validation error in these cases as well, you need to adjust the processContents attribute in the SOAP 1.1 schema.

Andreas Veithen
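The interceptor described in the answer above, as an added example (not code from the original answer or from Spring-WS itself). The class name, package and the schema file names in the comment are hypothetical, and it assumes a Spring-WS version in which AbstractValidatingInterceptor exposes the getValidationRequestSource and getValidationResponseSource hooks that PayloadValidatingInterceptor overrides.

```java
package com.example.ws; // hypothetical package

import javax.xml.transform.Source;

import org.springframework.ws.WebServiceMessage;
import org.springframework.ws.soap.SoapMessage;
import org.springframework.ws.soap.server.endpoint.interceptor.AbstractFaultCreatingValidatingInterceptor;

/*
 * Hands the whole SOAP envelope to the validator instead of only the payload
 * (the first child of soapenv:Body), so siblings of the payload element are
 * no longer invisible to schema validation.
 *
 * Hypothetical wiring in ws-context.xml, listing the SOAP 1.1 envelope schema
 * next to the service schema (both file names are placeholders):
 *
 *   <bean id="validatingInterceptor"
 *         class="com.example.ws.EnvelopeValidatingInterceptor">
 *     <property name="schemas">
 *       <list>
 *         <value>classpath:soap-envelope-1.1.xsd</value>
 *         <value>classpath:person.xsd</value>
 *       </list>
 *     </property>
 *     <property name="validateRequest" value="true" />
 *     <property name="validateResponse" value="true" />
 *   </bean>
 *
 * What is rejected inside soapenv:Body still depends on the processContents
 * setting of the Body wildcard in the SOAP 1.1 schema, as the answer notes.
 */
public class EnvelopeValidatingInterceptor extends AbstractFaultCreatingValidatingInterceptor {

    @Override
    protected Source getValidationRequestSource(WebServiceMessage request) {
        return envelopeOrPayload(request);
    }

    @Override
    protected Source getValidationResponseSource(WebServiceMessage response) {
        return envelopeOrPayload(response);
    }

    // Non-SOAP messages have no envelope, so fall back to the payload for them.
    private static Source envelopeOrPayload(WebServiceMessage message) {
        if (message instanceof SoapMessage) {
            return ((SoapMessage) message).getEnvelope().getSource();
        }
        return message.getPayloadSource();
    }
}
```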