I'm building a contract-first SOAP web service with spring-ws 2.2.3. My XML Schema uses extensions, leading to xsi:type= attributes in the XML requests. Since some respones can be very large (30MB), I'm using a AxiomSoapMessageFactory instead of the default SaajSoapMessageFactory, as suggested in the Spring WS docs. I validate incoming requests with a PayloadValidatingInterceptor:
PayloadValidatingInterceptor interceptor = new PayloadValidatingInterceptor();
interceptor.setSchema(new ClassPathResource("format-service.xsd"));
interceptor.setValidateRequest(true);
interceptor.setValidateResponse(false);
My problem is that I get spurious validation errors, depending on where in the XML the namespace is declared: if it's declared in the payload, then everything works fine:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" >
<soapenv:Header/>
<soapenv:Body>
<sch:formatRequest xmlns:sch="http://example.com/springws/extension/schema">
<sch:value xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="sch:currencyType">
<sch:amount>1000</sch:amount>
<sch:currency>EUR</sch:currency>
</sch:value>
</sch:formatRequest>
</soapenv:Body>
</soapenv:Envelope>
But as soon as I move the sch namespace declaration up to the Envelope:
<soapenv:Envelope xmlns:sch="http://example.com/springws/extension/schema" ...>
validation fails and I receive a SOAP Fault:
<faultcode>soapenv:Client</faultcode>
<faultstring xml:lang="en">Validation error</faultstring>
<detail>
<spring-ws:ValidationError xmlns:spring-ws="http://springframework.org/spring-ws">UndeclaredPrefix: Cannot resolve 'sch:currencyType' as a QName: the prefix 'sch' is not declared.</spring-ws:ValidationError>
<spring-ws:ValidationError xmlns:spring-ws="http://springframework.org/spring-ws">cvc-elt.4.1: The value 'sch:currencyType' of attribute 'http://www.w3.org/2001/XMLSchema-instance,type' of element 'sch:value' is not a valid QName.</spring-ws:ValidationError>
<spring-ws:ValidationError xmlns:spring-ws="http://springframework.org/spring-ws">cvc-type.2: The type definition cannot be abstract for element sch:value.</spring-ws:ValidationError>
<spring-ws:ValidationError xmlns:spring-ws="http://springframework.org/spring-ws">UndeclaredPrefix: Cannot resolve 'sch:currencyType' as a QName: the prefix 'sch' is not declared.</spring-ws:ValidationError>
<spring-ws:ValidationError xmlns:spring-ws="http://springframework.org/spring-ws">cvc-attribute.3: The value 'sch:currencyType' of attribute 'xsi:type' on element 'sch:value' is not valid with respect to its type, 'QName'.</spring-ws:ValidationError>
<spring-ws:ValidationError xmlns:spring-ws="http://springframework.org/spring-ws">cvc-complex-type.2.1: Element 'sch:value' must have no character or element information item [children], because the type's content type is empty.</spring-ws:ValidationError>
</detail>
It appears like a bug in the AxiomSoapMessageFactory / Axiom implementation to me (namespace context is lost), as both requests validate fine when using the SaajSoapMessageFactory. Note that the validation only fails on the xsi:type= attribute. The same namespace is recognized correctly for elements.
I cannot use SaajSoapMessageFactory due to high memory consumption for large responses. I found similar problems described in the Spring forum and on SO, but no solution. Thanks for help!
The reason is that Spring-WS uses OMContainer#getXMLStreamReader(). Instead it should use OMContainer#getXMLStreamReader(boolean, OMXMLStreamReaderConfiguration) and set the preserveNamespaceContext property to true in the OMXMLStreamReaderConfiguration object.
You should file a bug for Spring-WS, or even better, fix the issue and submit a pull request.
Related
I have a custom ServiceAuthorizationManager implemented in wcf webhttp service to do api key verification. It sends a webfaultexception with the code 403 if the key is invalid.
But the issue is, when the exception is thrown, it s always send to the client as xml.
The service accepts both JSON and XML and it s working fine for all the other operations except for the exception from the manager.
No matter if I set the accept header or content type the result is always xml. But for other requests, the response type switches perfectly according to the content-type header
Here's the web.config
<standardEndpoint name="" helpEnabled="true" automaticFormatSelectionEnabled="true" />
Any help is really appriciated.
If anyone else ran into this issue: looks like no way to fix it. The solution I did was to do the verification in the service's constructor. Make sure the instance context mode is set to per call.
More info http://amilagm.com/2012/04/better-way-to-do-api-key-verification-in-wcf-webhttp-services/
JAX-RS offers a wonderful way to specify content types in #Produces, and the framework will automatically determine the best content type from the client's HTTP Accept header and, wonder of wonders, even convert your object to that type (e.g. XML using JAXB or JSON using Jackson) when returning information to the caller.
My (work) client, as clients often do, made a simple job more difficult by requesting I specify the content type by the extension in the URL, e.g. api/widgets.json. This would force me to have various getWidgetsXXX() methods, one with #Produces("application/json"), another with #Produces("application/xml"), etc.
But I'm using Apache CXF and I was delighted to find that I could configure CXF to map various extensions to content types using the jaxrs.extensions init parameter!
<!-- registers extension mappings -->
<init-param>
<param-name>jaxrs.extensions</param-name>
<param-value>
xml=application/xml
json=application/json
</param-value>
</init-param>
But I can find absolutely no documentation on how this works in the real world. I naively thought I could just annotate a method with a path with an extension and it would mimic the Accepts header:
#Path("/widgets.{extension}")
#GET
#Produces({ "application/json", "application/xml" })
public List<Widget> getWidgets();
So I call it using api/widgets.json, and it returns XML! Which is particularly odd, because JAX-RS specifies that the default content type is the first one listed.
Where can I find out how to use CXF extension content type mapping?
P.S. I am not using Spring.
Adding the following in your <jaxrs:server> works:
<jaxrs:extensionMappings>
<entry key="json" value="application/json" />
<entry key="xml" value="application/xml" />
</jaxrs:extensionMappings>
Source: http://cxf.apache.org/docs/jax-rs.html#JAX-RS-Debugging
Don't know whether that help you or not but I was also facing the same issue to introduce something like that in my JAX-RS services. I achieved this functionality using JAX-RS_Content_Negotiation Following location has details about it.
https://docs.jboss.org/resteasy/docs/3.0.6.Final/userguide/html/JAX-RS_Content_Negotiation.html
You just have to map your media types with the values which you want
<context-param>
<param-name>resteasy.media.type.mappings</param-name>
<param-value>
html : text/html, json : application/json, xml :
application/xml
</param-value>
</context-param>
#GET
#Path("/second/{param}")
#Produces({MediaType.APPLICATION_JSON,MediaType.APPLICATION_XML})
public Response printStudent(#PathParam("param") String msg) {
}
now i can access my services like that and response is according the extension which i put at the end
http://localhost:8080/RESTfulExample/rest/message/second/bill.json
you can put .xml OR .json at the end of the url and service will generate response accordingly.
In your situation, I'd declare that the method #Produces the content type */* (i.e., a full wildcard) and then do the content negotiation myself. You'd probably be looking at a method signature like this:
#javax.ws.rs.GET
#javax.ws.rs.Path("{filename}")
#javax.ws.rs.Produces("*/*")
javax.ws.rs.core.Response getDirectoryOrFileContents(
#javax.ws.rs.PathParam("filename") String filename,
#javax.ws.rs.core.Context javax.ws.rs.core.HttpHeaders headers);
That gives you access to both the desired filename — one way to guess the media type to deliver — and the full set of HTTP headers (hint: use headers.getAcceptableMediaTypes()), which give the other way. How to balance the two is likely to be “interesting”. (The code I've got to do it is very specific to my app's internal model, so isn't likely to be useful to you.) You then return the result by constructing a Response, which gives you quite close control over what the client gets back.
Yes, this is more work than letting CXF handle all this for you (it normally generates a lot of boilerplate to do all of this stuff) but in a complex case you'll be glad of the control.
The extension mimics the Accept header as you guessed. However you must not declare the extenstion in the #Path annotation:
#Path("/widgets")
#GET
#Produces({ "application/json", "application/xml" })
public List<Widget> getWidgets();
You can then call widgets.xml or widgets.json
Trying to call a SAP SOAP Web Service from a generated sudzc app shows errors I don't know:
SudzCExamples[5192:f803] <?xml version="1.0" encoding="utf-8"?><soap:Envelope
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns="urn:sap-
com:document:sap:soap:functions:mc-style"><soap:Body><ZComUrlGetrecords>
<IYear>2012</IYear></ZComUrlGetrecords></soap:Body></soap:Envelope>
SudzCExamples[5192:f803] <soap-env:Envelope xmlns:soap-
env="http://schemas.xmlsoap.org/soap/envelope/"><soap-env:Header></soap-env:Header><soap-
env:Body><soap-env:Fault><faultcode>soap-env:Server</faultcode><faultstring
xml:lang="en">CX_ST_MATCH_ELEMENT:XSLT exception.System expected element
'IYear'</faultstring><detail><ns:SystemFault
xmlns:ns="http://www.sap.com/webas/710/soap/runtime/abap/fault/system/">
<Host>undefined</Host><Component>APPL</Component><ChainedException>
<Exception_Name>CX_SOAP_CORE</Exception_Name><Exception_Text>CX_ST_MATCH_ELEMENT:XSLT
exception.System expected element 'IYear'</Exception_Text></ChainedException>
<ChainedException><Exception_Name>CX_SXMLP</Exception_Name><Exception_Text>XSLT
exception</Exception_Text></ChainedException><ChainedException>
<Exception_Name>CX_ST_MATCH_ELEMENT</Exception_Name><Exception_Text>System expected
element 'IYear': Main Program:/1BCDWB/WSS825E06E4DEC40F9171D|
Program:/1BCDWB/WSS825E06E4DEC40F9171D| Line: 18| Valid:X</Exception_Text>
</ChainedException></ns:SystemFault></detail></soap-env:Fault></soap-env:Body></soap-
env:Envelope>
2012-03-11 20:09:30.631 SudzCExamples[5192:f803] soap-env:Server CX_ST_MATCH_ELEMENT:XSLT
exception.System expected element 'IYear'
(null)
The strange thing is that it seems as if the request has the IYear element. Can someone tell me where to search the problem?
I ran into this same problem yesterday and discovered the solution after some experimentation. First thing I did was use my SoapUI client to make the request successfully. SoapUI comes with a free trial and even if you do not use the free trial you can still use it to make accesses to the web service without registering it. I used the xml from the successful request I made to compare against the request that SudzC was making. They differ in several ways, and the way that SudzC forms the request is not sufficient.
My suggestion to you is to compare the two requests and change SudzC's request to match the SoapUI request. You can do this by editing the Soap source code that SudzC gives to you, this source code is found particularly in the Soap.m file in the createEnvelope function.
Also, if your requests have an empty header SudzC does not include the header part of the request. Hard code in an empty header after the namespace portion of the envelope. Doing all this fixed this exact issue for me.
I am attempting to consume a web service using Delphi 2010 and Indy. To establish a usable SOAP stream to compare to the one created by my program, I am testing in SOAPUI. I am using a SOAP stream provided by the web service provider which also matches the SOAP stream specified in the WSDL file. I am getting an HTTP 400 (bad request) error from the service.
From what I can find online, it appears that receiving an HTTP 400 error indicates that your SOAP request is malformed and can not be read by the web service. I have tested my SOAP stream using XMLPad and the XML seems to be well formed. I suppose this may mean that something does not match its schema requirement. I will first check the schema description for the password in case that is expected to not be sent as plain text. What else should I be checking to eliminate an HTTP 400 error?
Here is my request (less username and password) in case it helps:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:xop="http://www.w3.org/2004/08/xop/include"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://wwww3.org/2001/XMLSchema-instance">
<soap:Header>
<wsa:Action>http://edd.ca.gov/SendTransmission</wsa:Action>
<wsa:MessageID>urn:uuid:5aa788dc-86e1-448b-b085-2d2743cf9f26</wsa:MessageID>
<wsa:ReplyTo>
<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:To>http://fsettestversion.edd.ca.gov/fsetproxy/fsetservice.asmx</wsa:To>
<wsse:Security soap:mustUnderstand="1">
<wsse:UsernameToken wsu:Id="UsernameToken">
<wsse:Username>#USERNAME#</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">#PASSWORD#/wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">O5QWht1bslLCX6KnlEypAA==</wsse:Nonce>
<wsu:Created>2012-02-29T22:32:38.250Z</wsu:Created>
</wsse:UsernameToken>
<wsu:Timestamp wsu:Id="Timestamp-805a7373-335c-43b6-ba21-6596c4848dbf">
<wsu:Created>2012-02-22T15:41:42Z</wsu:Created>
<wsu:Expires>2012-02-22T15:46:42Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body>
<SendTransmission xmlns="http://edd.ca.gov/">
<SendTransmissionRequest xmlns="http://www.irs.gov/a2a/mef/MeFTransmitterServiceWse.xsd">
<TransmissionDataList>
<Count>1</Count>
<TransmissionData>
<TransmissionId>123456789</TransmissionId>
<ElectronicPostmark>2012-02-22T07:41:42.2502206-08:00</ElectronicPostmark>
</TransmissionData>
</TransmissionDataList>
</SendTransmissionRequest>
<fileBytes>
<xop:Include href="cid:1.634654933022658454#example.org"/>
</fileBytes>
</SendTransmission>
</soap:Body>
</soap:Envelope>
There may be something else, but at the moment, I am suspicious of the wsse:UsernameToken. I downloaded the document at http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0.pdf and read it last night. It's written in fairly plain language and I feel like I understand what it is saying but it leaves me with a smaller question than the one I asked originally. This document proposes that you can use a plain text password in this format:
<S11:Envelope xmlns:S11="..." xmlns:wsse="...">
<S11:Header>
...
<wsse:Security>
<wsse:UsernameToken>
<wsse:Username>Zoe</wsse:Username>
<wsse:Password>IloveDogs</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
...
</S11:Header>
...
</S11:Envelope>
Or you can use a password digest. It defines a password digest like this:
Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) )
According to the reference, the format for a password digest would look like this:
<S11:Envelope xmlns:S11="..." xmlns:wsse="..." xmlns:wsu= "...">
<S11:Header>
...
<wsse:Security>
<wsse:UsernameToken>
<wsse:Username>NNK</wsse:Username>
<wsse:Password Type="...#PasswordDigest">
weYI3nXd8LjMNVksCKFV8t3rgHh3Rw==
</wsse:Password>
<wsse:Nonce>WScqanjCEAC4mQoBE07sAQ==</wsse:Nonce>
<wsu:Created>2003-07-16T01:24:32Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
...
</S11:Header>
...
</S11:Envelope>
This is not the format used in the example provided by the web service publisher. The plain text version in the reference does not use a nonce. The example message uses a nonce but calls for a plain text password. It appears to me that the use of a nonce without a password digest does not add any security to the message. It could be any random string of characters if there is no agreement for how it is to be created. Am I missing the point?
I know this must seem like a tedious undertaking, but I am hoping that by providing this here, maybe we can provide a little help to the next person coming along.
I too have come across this issue. The web service publisher (edd.ca.gov) responded by stating that the " value is required by the SOAP 1.2 standards" yet I find no valid support for that. It looks like we both are heading down the same path (FSET) and maybe we should team up and work together, two heads are better than one. I have found many mistakes within the example code and I too have yet get it to work.
SoapUI project created by using WSDL.. with definitions for Faults with complex types
<xsd:element name="Fault" type="FaultType">
<xsd:annotation>
<xsd:documentation> </xsd:documentation>
</xsd:annotation>
</xsd:element>
In Mock Response edit window, when I create a Fault response, it prompts to choose the fault name "fault" which is defined in the WSDL...
and it generates following soap fault message
<faultcode>?</faultcode>
<faultstring xml:lang=""></faultstring>
<!--Optional:-->
<faultactor>?</faultactor>
<!--Optional:-->
<detail>
<com:Fault/>
<!--You may enter ANY elements at this point-->
</detail>
</soapenv:Fault>
i was expecting the complex elements as defined in schema in this response ...
did i miss something? or do i need to manually recreate this fault response
Kind Regards,
carya
This is a little dated, but:
<xsd:annotation>
<xsd:documentation> </xsd:documentation>
</xsd:annotation>
Those are part of the specification as comments. There are tools that can parse the WSDL and show those to you as documentation for the WSDL; SoapUI is not one of those tools.
They are certainly not meant to be part of the message payload. What you are seeing is working as expected! You can have a read through the official docs.