Ask the Expert

Application servers processing SOAP requests

When an application server gets a SOAP request, what namespaces/schemas does it use to parse it? Does it rely on SOAP message data or WSDL?

The exact process by which the application server processes the SOAP request is dependent on the server in question. I don't know of any SOAP servers, though, that use WSDL at runtime to process requests. WSDL doesn't provide the information that a server needs to know to process requests. WSDL is used on the client side, as described below.

Typically, when you deploy the service you supply a configuration file that tells the server how to process requests sent to the service. The configuration file indicates information such as:

  • which methods should be invoked in what sequence to process SOAP header entries and to perform other system-level functions, such as authentication, authorization, auditing, logging, decryption, decompression, etc.
  • how a WSDL operation name maps to an object method name
  • how an XML type maps to a class using a particular set of serializers and deserializers

None of this configuration information is dynamic in nature.

Rogue schemas could pose a more serious threat than rogue WSDLs. If you indicate that you want to validate an incoming request, then the server loads the schema at runtime and uses it for validation. The validation process is often not under the direct control of the SOAP server; it's typically performed by a "handler" -- often written by a developer. You should establish policies within your organization to prevent use of "wild" schemas for validation.

Many client-side SOAP toolkits use WSDL at runtime to support dynamic binding and dynamic invocation. If you view this practice as too strong a security threat, then you should be able to disable dynamic processing and force clients to use only precompiled stubs.

This was first published in July 2005
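
The policy against "wild" schemas from the answer above, shown as the schema-selection step of a validation handler (an added example, not part of the original answer): the handler takes the schema from a local catalog keyed by the payload namespace and only records any location the message itself supplies. The catalog, the `urn:example:orders` namespace, the function names and the sample request are assumptions constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
# Constructed stand-in for a reviewed XSD deployed with the service.
ORDER_XSD = (b'<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" '
             b'targetNamespace="urn:example:orders"/>')
# Hypothetical catalog: namespace -> (local schema bytes, SHA-256 recorded at review).
CATALOG = {"urn:example:orders": (ORDER_XSD, hashlib.sha256(ORDER_XSD).hexdigest())}
# Constructed request whose sender points at its own copy of the schema.
SAMPLE = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soap:Body>
    <o:getOrder xmlns:o="urn:example:orders"
        xsi:schemaLocation="urn:example:orders http://schemas.invalid/orders.xsd">
      <o:id>42</o:id>
    </o:getOrder>
  </soap:Body>
</soap:Envelope>"""

class SchemaPolicyError(Exception):
    """Raised when a request would need a schema outside the approved catalog."""

def select_schema(soap_bytes, catalog=CATALOG):
    """Return (namespace, schema_bytes, ignored_hints) for the SOAP Body payload."""
    root = ET.fromstring(soap_bytes)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) == 0:
        raise SchemaPolicyError("no SOAP Body payload")
    tag = body[0].tag
    ns = tag[1:].split("}")[0] if tag.startswith("{") else ""
    if ns not in catalog:
        raise SchemaPolicyError(f"namespace {ns!r} is not in the approved catalog")
    schema, pinned = catalog[ns]
    if hashlib.sha256(schema).hexdigest() != pinned:
        raise SchemaPolicyError(f"schema for {ns!r} does not match its pinned digest")
    # Sender-supplied locations are collected for the audit log and never fetched.
    hints = [el.get(f"{{{XSI}}}{attr}") for el in root.iter()
             for attr in ("schemaLocation", "noNamespaceSchemaLocation")
             if el.get(f"{{{XSI}}}{attr}")]
    return ns, schema, hints
```

The returned schema bytes are what the handler passes to its XML Schema validator; the validation call itself depends on the toolkit in use and is not shown.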
