Posted to issues@cxf.apache.org by "Thomas Monninger (Jira)" <ji...@apache.org> on 2020/09/18 10:59:00 UTC

[jira] [Commented] (CXF-8325) Schema validation allows invalid SOAP header

    [ https://issues.apache.org/jira/browse/CXF-8325?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17198288#comment-17198288 ] 

Thomas Monninger commented on CXF-8325:
---------------------------------------

Hi Freeman,

Sorry for the long pause. It took me a while to come up with the right components. So to simulate the whole problem follow these steps:
 # Clone this example project from [GitHub|https://github.com/briansjavablog/boot-cxf-soap-demo]
 # In {{Application.config#36}} add the following line to enable schema validation
{code:java}
cxfBus.getProperties().put(SCHEMA_VALIDATION_ENABLED, true);
{code}
 # Generate the sources with maven
{code:java}
mvn generate-sources
{code}
 # Run the spring boot app
{code:java}
mvn spring-boot:run
{code}
 # Perform this POST request on {{http://localhost:8090/soap-api/service/accounts}}
{code:xml}
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/soap/envelope/ http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header></soap:Header>
  <soap:Body>
    <AccountDetailsRequest xmlns="http://com/blog/demo/webservices/accountservice">
      <accountNumber>12345</accountNumber>
    </AccountDetailsRequest>
  </soap:Body>  
</soap:Envelope>
{code}
This works as expected (the request matches the schema)
 # Now perform this POST request
{code:xml}
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/soap/envelope/ http://schemas.xmlsoap.org/soap/envelope/">
 <soap:Header>
  <soap:Body>
    <AccountDetailsRequest xmlns="http://com/blog/demo/webservices/accountservice">
      <accountNumber>12345</accountNumber>
    </AccountDetailsRequest>
  </soap:Body>  
 </soap:Header>
</soap:Envelope>
{code}
This shouldn't work as the request does not match the schema. But it works just fine. There is no error in the validation.
 # To validate the request {{Envelope}} against the [schema|http://schemas.xmlsoap.org/soap/envelope] I used this tool from [GitHub|https://github.com/amouat/xsd-validator] which states the first request as valid and the second one as invalid (as expected)

Isn't schema validation enabled in CXF by the way I did it (see step #2) or does schema validation not work the way it should?

> Schema validation allows invalid SOAP header
> --------------------------------------------
>
>                 Key: CXF-8325
>                 URL: https://issues.apache.org/jira/browse/CXF-8325
>             Project: CXF
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 3.3.7
>            Reporter: Thomas Monninger
>            Assignee: Freeman Yue Fang
>            Priority: Major
>
> Hi,
> In our environment we have a SOAP request similar to the following:
> {code:xml}
> <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:v1="http://some.name.space/v1.1">
>    <soap:Header>
>       <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">*Security Header*</wsse:Security>
>       <soap:Body>
>          <v1:Method></v1:Method>
>       </soap:Body>
>    </soap:Header>
> </soap:Envelope>
> {code}
> As you can see the {{soap:Body}} is part of the {{soap:Header}} which, according to the SOAP XML Schema, is not a valid construct.
> Schema-validation is turned on but no error occurs. The body part is even treated as a valid body.



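The out-of-band check from step 6, as an added example that is not part of the original message or of CXF: it validates both request shapes with the JDK's own `javax.xml.validation` API and prints the validator's verdict for each. The class name, the helper names and the inline schema are assumptions; the schema is a constructed abridgement of the SOAP 1.1 envelope content model, not the published file, and the text blocks need Java 15 or later.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.*;
import org.xml.sax.SAXException;

public class EnvelopeCheck {
    static final String NS = "http://schemas.xmlsoap.org/soap/envelope/";
    // Constructed abridgement of the SOAP 1.1 envelope content model (assumption):
    // an optional Header, then a required Body, both direct children of Envelope.
    static final String XSD = """
        <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:t="%1$s" targetNamespace="%1$s">
          <xs:element name="Envelope"><xs:complexType><xs:sequence>
            <xs:element ref="t:Header" minOccurs="0"/>
            <xs:element ref="t:Body"/>
          </xs:sequence></xs:complexType></xs:element>
          <xs:element name="Header" type="t:Any"/>
          <xs:element name="Body" type="t:Any"/>
          <xs:complexType name="Any"><xs:sequence>
            <xs:any namespace="##any" minOccurs="0" maxOccurs="unbounded" processContents="lax"/>
          </xs:sequence></xs:complexType>
        </xs:schema>""".formatted(NS);
    // Constructed payload mirroring the request body from the report.
    static final String BODY = """
        <soap:Body><AccountDetailsRequest xmlns="http://com/blog/demo/webservices/accountservice">
          <accountNumber>12345</accountNumber></AccountDetailsRequest></soap:Body>""";
    static String envelope(String children) {
        return "<soap:Envelope xmlns:soap=\"" + NS + "\">" + children + "</soap:Envelope>";
    }
    // Returns null when the document is schema-valid, otherwise the validator's message.
    static String validate(Schema schema, String xml) throws java.io.IOException {
        try {
            schema.newValidator().validate(new StreamSource(new StringReader(xml)));
            return null;
        } catch (SAXException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        SchemaFactory f = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Schema schema = f.newSchema(new StreamSource(new StringReader(XSD)));
        String first = envelope("<soap:Header/>" + BODY);                    // Body beside Header
        String second = envelope("<soap:Header>" + BODY + "</soap:Header>"); // Body nested in Header
        System.out.println("first request:  " + validate(schema, first));
        System.out.println("second request: " + validate(schema, second));
    }
}
```

The nested `soap:Body` passes the Header's lax wildcard on its own, so the second envelope is rejected because `Envelope` ends without a direct `Body` child.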