One of the clients that I’m working for discovered a problem with a SOAP web service querying an LDAP directory. A request could contain a ‘*’ in plain text, possibly in different fields of the message. When the service is called, it uses the ‘*’ as a wildcard. The system should handle the ‘*’ as plain text, so we need to escape the character as ‘\2a’ (the escape for an LDAP filter query). So they looked at the complete web service chain to see where a change would have the least impact. They decided that an update in the DataPower configuration was the best option.

This is a small message example, but the ‘*’ can occur in a couple of different WSDL operations and in different fields.
```xml
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:tem="http://tempuri.org/">
  <soap:Header/>
  <soap:Body>
    <tem:FindUser>
      <tem:UserName>KMe_*</tem:UserName>
    </tem:FindUser>
  </soap:Body>
</soap:Envelope>
```
I immediately thought of using the function str:replace(). Unfortunately it is not supported in DataPower, which brought me to XQuery as an alternative to XSLT. So this is the solution that I developed.

Because the replacement is only necessary for 3 operations from the WSDL, I defined the policy rule at WSDL operation level.

Below is the XQuery code used to replace ‘*’ with ‘\2a’. The XQuery can be extended to handle other values that need to be escaped, for example: ( ) / NUL
```xquery
xquery version "1.0";
declare namespace local = "http://example.org";

(: Recursively copy the element, escaping '*' as '\2a' in its text content :)
declare function local:copy-replace($element as element()) {
  element {node-name($element)} {
    $element/@*,
    for $child in $element/node()
    return
      if ($child instance of element())
      then local:copy-replace($child)
      (: fn:replace takes a regex, so '*' is written '\*';
         a literal '\' in the replacement string is written '\\' :)
      else replace($child, '\*', '\\2a')
  }
};

local:copy-replace(/*)
```
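One way to extend the recursive copy above to the other filter specials, as an added example that is not the author's code: it escapes the set RFC 4515 defines (`*`, `(`, `)` and `\`) using only standard XQuery 1.0 functions. The `ex` namespace, the function names and the sample request are assumptions made for illustration. NUL has no rule because an XML 1.0 message cannot contain that character.

```xquery
xquery version "1.0";
declare namespace ex = "http://example.org/ldap-escape";  (: hypothetical namespace :)

(: Escape the RFC 4515 filter specials in one value. The backslash is handled
   first, so the backslashes introduced by the later replacements are not
   escaped a second time. :)
declare function ex:escape-filter-value($value as xs:string) as xs:string {
  replace(
    replace(
      replace(
        replace($value, '\\', '\\5c'),
        '\*', '\\2a'),
      '\(', '\\28'),
    '\)', '\\29')
};

(: Recursive copy that rewrites text nodes only; comments and processing
   instructions are copied unchanged instead of being turned into strings. :)
declare function ex:copy-escape($element as element()) as element() {
  element { node-name($element) } {
    $element/@*,
    for $child in $element/node()
    return
      typeswitch ($child)
        case element() return ex:copy-escape($child)
        case text()    return text { ex:escape-filter-value(string($child)) }
        default        return $child
  }
};

(: Constructed sample request, embedded so the query runs without a context document :)
let $request :=
  <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
                 xmlns:tem="http://tempuri.org/">
    <soap:Body>
      <tem:FindUser>
        <tem:UserName>K(Me)\_*</tem:UserName>
      </tem:FindUser>
    </soap:Body>
  </soap:Envelope>
return ex:copy-escape($request)
```

In a DataPower transform action the final expression would be `ex:copy-escape(/*)`, as in the original query, instead of the embedded sample.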
The total number of requests that have a ‘*’ or other wildcards in the username is limited. To improve the performance I adapted the standard SQL-injection filter to search for ‘*’ and output the number of hits. This way when the hit count is 0 I can skip the XQuery transform action.
Author: Kim