One of the clients I’m working for discovered a problem with a SOAP web service that queries an LDAP directory. The message can contain a ‘*’ in plain text, possibly in different fields, and when the service is called the ‘*’ is used as a wildcard. The system should handle the ‘*’ as plain text, so we need to escape the character with ‘\2a’ (the escape for an LDAP filter query). They looked across the complete web service chain for the place where a change would have the least impact, and decided that an update in the DataPower configuration was the best option. This is a small message example, but the ‘*’ can occur in a couple of different WSDL operations and in different fields.

<soap:Envelope xmlns:soap="" xmlns:tem="">   

I immediately thought of using the function str:replace(), but unfortunately it is not supported in DataPower, which brought me to XQuery as an alternative to XSLT. So this is the solution that I developed. Because the replacement is only necessary for 3 operations from the WSDL, I defined the policy rule at WSDL operation level.

Below is the XQuery code used to replace the ‘*’ with ‘\2a’. The XQuery can be extended to handle other values that need to be escaped, for example: ( ) / NUL

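xquery version "1.0";
(: The namespace URI of the original "declare namespace local" line is missing on this page; the local prefix is predeclared in XQuery 1.0. :)
declare function local:copy-replace($element as element()) {
  element {node-name($element)} {
    $element/@*,  (: copy the attributes unchanged :)
    for $child in $element/node()
    return if ($child instance of element())
           then local:copy-replace($child)  (: recurse into child elements :)
           (: fn:replace takes a regular expression and a replacement string, so '*' and '\' are both backslash-escaped :)
           else replace($child, '\*', '\\2a')
  }
};
(: apply the function to the document element of the input message :)
local:copy-replace(/*)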
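
As noted above, the XQuery can be extended to the other characters an LDAP filter treats specially. The following is an added example, not the author's code: standard XQuery 1.0 that escapes `\`, `*`, `(`, `)` and `/`, and only in the text of the fields listed in `$local:fields`. The field name `username` and the function names are assumptions.

```xquery
xquery version "1.0";

(: Added example. Local names of the elements whose text ends up in the LDAP
   filter. 'username' is an assumed name; list the real field names here. :)
declare variable $local:fields as xs:string* := ('username');

(: Escape one value for use inside an LDAP search filter. :)
declare function local:ldap-escape($value as xs:string) as xs:string {
  (: The backslash goes first; otherwise the backslashes written by the
     later steps would themselves be escaped a second time. :)
  let $s := replace($value, '\\', '\\5c')
  let $s := replace($s, '\*', '\\2a')
  let $s := replace($s, '\(', '\\28')
  let $s := replace($s, '\)', '\\29')
  let $s := replace($s, '/', '\\2f')
  (: NUL (\00) needs no step: U+0000 cannot occur in an XML 1.0 document. :)
  return $s
};

(: Copy the message; $escape is true once we are inside a listed field. :)
declare function local:copy-escape($node as node(), $escape as xs:boolean)
    as node()? {
  typeswitch ($node)
    case element() return
      element {node-name($node)} {
        $node/@*,  (: attributes are copied unchanged :)
        for $child in $node/node()
        return local:copy-escape(
                 $child, $escape or local-name($node) = $local:fields)
      }
    case text() return
      if ($escape) then text {local:ldap-escape(string($node))} else $node
    default return $node  (: comments and processing instructions :)
};

local:copy-escape(/*, false())
```

Restricting the escape to the listed fields keeps text elsewhere in the message, such as URLs or dates that contain `/`, unchanged.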

The total number of requests that have a ‘*’ or other wildcards in the username is limited. To improve performance I adapted the standard SQL-injection filter to search for ‘*’ and output the number of hits. This way, when the hit count is 0, I can skip the XQuery transform action.

Author: Kim