There was a great article on MSDN a while back (years ago at this point) that showed how to create a SOAP extension that verifies incoming requests against a schema, something .NET does not support out of the box (even in 2.0). Additionally, there was quasi-support for Schematron via Assert attributes. Together these allow for very powerful input validation of web services.
This is a project to provide continued support for this extension. There have been some updates to the original code, including moving to the .NET Framework v2.0.
The original article is available here.
To add XML schema validation we must parse the SOAP packet ourselves. This will of course incur a performance hit beyond that of simply turning on validation. Unfortunately there is no method (that I'm aware of) to enable schema validation in .NET currently.
- Assembly, documentation, samples
- Source, documentation, samples
The latest code is now being maintained in a Google Code repository.
Download the installer and run. Easy :)
Report bugs to Michael Eddington @ meddington@phed.org.
Add a reference to SoapValidator.dll from your web service project. Modify your web.config to include the required settings and add attributes to classes and/or methods. See examples later.
There are two methods for using the validator. First, you can force all web methods to be validated using the web.config file. Second, you can mark individual methods using the [Validation] attribute.
[Validation]
Marks a web method for validation against schemas.
[ValidationSchemaFolder(string relativeFolder)]
Used to add folders that contain schemas to load and cache. This attribute is only valid for classes. The relativeFolder parameter is relative to the vroot.
- relativeFolder -- Folder of schemas to load and cache. Relative to the virtual root (vroot).
[ValidationSchema(string schemaFile)]
Used to add schema files to load and cache. This attribute is only valid for classes. The schemaFile parameter is relative to the vroot.
- schemaFile -- Schema file to load. Relative to the virtual root (vroot).
[Assert(string rule)]
[Assert(string rule, string description)]
Used to add an XPath validation expression to a web method. The XPath expression must evaluate to true.
- rule -- XPath validation expression. Must evaluate to true.
- description -- [optional] Description of assertion rule.
[AssertNamespaceBinding(string prefix, string ns)]
Specifies the namespace bindings used by the XPath expressions in Assert attributes.
- prefix -- namespace prefix
- ns -- namespace to map to
First, two extensions must be registered by adding the following inside of the node:
<soapExtensionReflectorTypes>
    <add type="SoapValidation.ValidationExtensionReflector, SoapValidation"/>
</soapExtensionReflectorTypes>
<serviceDescriptionFormatExtensionTypes>
    <add type="SoapValidation.ValidationFormatExtension, SoapValidation"/>
</serviceDescriptionFormatExtensionTypes>
Next, POST and GET protocols must be disabled by adding the following inside of the node:
<protocols>
    <remove name="HttpPost" />
    <remove name="HttpGet" />
</protocols>
Finally, if you want to force all web methods to be validated without using the [Validation] attribute, add the following inside of the node:
<soapExtensionTypes>
    <add type="SoapValidation.ValidationExtension, SoapValidation" priority="1" group="0" />
</soapExtensionTypes>
Here is a basic example that will cause validation to be run:
[WebService(Namespace="http://example.org/geometry")]
public class SimpleTests : System.Web.Services.WebService
{
    [WebMethod]
    [Validation]
    public double CalcArea2(double length, double width)
    {
        return length * width;
    }
}
Here is an example of using assertions to verify business rules in ways that schemas cannot:
[AssertNamespaceBinding("t", "http://example.org/geometry")]
[WebService(Namespace="http://example.org/geometry")]
public class SimpleTests : System.Web.Services.WebService
{
    [WebMethod]
    [Validation]
    [Assert("(//t:length * //t:width) > 100", "Area must be greater than 100")]
    [Assert("(//t:length div //t:width) = 2", "Length must be exactly twice width")]
    public double CalcArea2(double length, double width)
    {
        return length * width;
    }
}
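The two assertions above can be tried outside the service with the standard System.Xml.XPath classes. This is an added example, not SoapValidator's own code; the class name AssertRuleDemo, the helper Holds and the SOAP envelope are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.XPath;

static class AssertRuleDemo
{
    // Constructed SOAP 1.1 request for CalcArea2 (sample input, not captured traffic).
    // {0} is the whole <length> element so it can be omitted; {1} is the width value.
    const string Envelope =
        "<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'>" +
        "<soap:Body><CalcArea2 xmlns='http://example.org/geometry'>" +
        "{0}<width>{1}</width></CalcArea2></soap:Body></soap:Envelope>";

    // Hypothetical helper: true only when the XPath rule evaluates to true for this request.
    static bool Holds(string xml, string rule)
    {
        XPathNavigator nav = new XPathDocument(new StringReader(xml)).CreateNavigator();
        XmlNamespaceManager ns = new XmlNamespaceManager(nav.NameTable);
        // Same prefix/namespace pair as the [AssertNamespaceBinding] attribute above.
        ns.AddNamespace("t", "http://example.org/geometry");
        // boolean() makes Evaluate return a bool whatever type the rule itself yields.
        return (bool)nav.Evaluate("boolean(" + rule + ")", ns);
    }

    static void Main()
    {
        string[] rules = {
            "(//t:length * //t:width) > 100",
            "(//t:length div //t:width) = 2"
        };
        string[][] cases = {
            new[] { "<length>20</length>",  "10" },  // 20 x 10
            new[] { "<length>5</length>",   "10" },  // 5 x 10
            new[] { "",                     "10" },  // length element absent
            new[] { "<length>abc</length>", "10" }   // length not numeric
        };
        // A missing or non-numeric operand converts to NaN in XPath 1.0, and every
        // comparison with NaN is false, so both rules fail closed on such input.
        foreach (string[] c in cases)
        {
            string xml = string.Format(Envelope, c[0], c[1]);
            foreach (string rule in rules)
                Console.WriteLine("{0,-22} {1,-32} {2}",
                    c[0], rule, Holds(xml, rule) ? "pass" : "REJECT");
        }
    }
}
```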
Leviathan Security Group, Inc.