• Post Reply Bookmark Topic Watch Topic
  • New Topic

Axis stubs not validating properly  RSS feed

 
Jim Janssens
Ranch Hand
Posts: 210
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
When I generate an axis stub with wsdl2java, the stubs uses apache XML beans (or something like that) by default to convert XML to java and the other way around. As far as I'm concerned, the stubs seem to perform validation of the XML before sending it.

In the beginning I tested this by leaving a parameter empty (that is explicitly required in the WSDL) I get a XML validation error and the message is never send. I also tested other cases, in which I send an invalid pattern for a String element. Also, in that case I got a nice validation exception telling that the pattern is wrong and the request is never send. Good.

However, lately I added a (mandatory) attribute to the schema, but I forgot to re-generate the stub. I would expect that the stub would (as in the case above) fail to send the XML since there is a mandatory attribute absend. However, the stub did NOT complain about the attribute being absent, and simply sended the XML (on which the webservice skeleton replied with an error that a mandatory attribute is not present).

Is this a flaw in the validation mechanism ? Should I use proper DOM/SAX XML validation techniques rather then depending on the generated stubs ?


The type of webservice is a document/literal which uses a XML schema for in and output (the schema is included in the WSDL). Axis version (and wsdl2java) is 1.4.

Thanks
 
Peer Reynders
Bartender
Posts: 2968
6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by Jim Janssens:
Also, in that case I got a nice validation exception telling that the pattern is wrong and the request is never send. Good.

Is it?
Why should you ever let a situation arise in a production system where the outgoing XML could be invalid? For security reasons you should be validating incoming data originating from a source that you have no control over. If the data is coming from a reliable source you could even dispense with validation of incoming data. Validation of outgoing XML data puts unnecessary strain on the infrastructure and inflates overall response times. Apart from the fact that you should detect a problem at a level where you can deal with it gracefully - by the time something is converted to XML it's probably too late to recover gracefully and all you can do is log the exception.
Now it might make sense to turn validation on during development (and possibly testing) to detect occasions where illegal data slips by the usual defenses but hopefully things should never get that far.

Anyway, apparently Axis doesn't currently support request/response validation. See:
Schema Validation (WAS: [axis2] Validating Messages :: WSDL :: <choice> )

You can always implement a JAX-RPC/SOAP handler that can be used by either the stub or the endpoint to do the validation.
[ October 17, 2006: Message edited by: Peer Reynders ]
 
Jim Janssens
Ranch Hand
Posts: 210
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Well the fact that outgoing XML validation is necesary in a production environment is a total different discussion, and it totally a subjective matter. Anyway, I totally agree with this Derek guy in the mailing list

- That the lack of good (and easy configurable) XML validation in Axis is a shame
- That you should be able to turn it off and on easy
- That (in te best case) you must be able to select a degree of validation

So, it seems that Axis does not support XML validation by default. I will have to construct something myself then.
 
Peer Reynders
Bartender
Posts: 2968
6
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Originally posted by Jim Janssens:
it totally a subjective matter.


It's not that subjective. Of course, there are always exceptions to the rule.
4.5.4 Reduce Validation Cost
Not only is it important, but validation may be required to guarantee the reliability of an XML application. An application may legitimately rely on the parser's validation so that it can avoid double-checking the validity of document contents. Validation is an important step of XML processing, but keep in mind that it may affect performance.

Consider the trusted and reliable system depicted in Figure 4.14. This system is composed of two loosely coupled applications. The front-end application receives XML documents as part of requests and forwards these documents to the reservation engine application, which is implemented as a document-centric workflow.

Although you must validate external incoming XML documents, you can exchange freely--that is, without validation--internal XML documents or already validated external XML documents. In short, you need to validate only at the system boundaries, and you may use validation internally only as an assertion mechanism during development. You may turn validation off when in production and looking for optimal performance.

Originally posted by Jim Janssens:
- That the lack of good (and easy configurable) XML validation in Axis is a shame
- That you should be able to turn it off and on easy
- That (in te best case) you must be able to select a degree of validation.


There an easy solution to that - join the Axis team and add the functionality.
 
It is sorta covered in the JavaRanch Style Guide.
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!