Filtering SOAP requests - do I understand this correctly?
Hi, I've got a policy with an XML content profile that validates requests against the schema and blocks invalid requests to unapproved methods. So far so good.
For permitted methods, I want to inspect specific XML elements and permit or deny access based on their text data.
I was hoping I'd be able to set up this element-level access control within the content profile, but discovered that does not appear to be the case.
I thought maybe I could define an XML element from the SOAP request body as a "parameter". I tried various things in tightening and with wildcard URL parameters and extractions (using XPath), but I'm starting to think an XML element cannot be defined as a "parameter". Can anyone confirm this?
If I could define the XML element as a parameter, and I know the acceptable values, I was thinking I could define the static list of acceptable element text in the parameter definition. Barring that, I could use the extracted parameter in a custom attack signature and assign it to the content profile.
Is there another way within ASM to filter on the text values of specific XML elements?
If parameters are in fact the right approach to this, how can I debug my process? The combination of parameter definition, extraction definition, and the limited XPath syntax seems to be conspiring against me.
Thank you.
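As an added illustration of the check described in the post (not ASM configuration and not from the original thread), here is the element-level allowlist logic in plain Python: extract one element from the SOAP body with an XPath expression and permit the request only if its text is in a static list of acceptable values. The envelope, the `urn:example:orders` namespace and the `GetOrder/Region` element are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the constructed sample request (hypothetical service).
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
APP_NS = "urn:example:orders"
NS = {"soap": SOAP_NS, "app": APP_NS}

# Static allowlist: XPath of the element (relative to the Envelope) -> acceptable text values.
# ElementTree's XPath subset is deliberately small, much like the limited syntax in ASM extractions.
ALLOWED = {
    "soap:Body/app:GetOrder/app:Region": {"EU", "US"},
}

# Constructed sample envelopes (not captured traffic).
GOOD_REQUEST = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:app="urn:example:orders">
  <soap:Body><app:GetOrder><app:Region>EU</app:Region></app:GetOrder></soap:Body>
</soap:Envelope>"""
BAD_VALUE_REQUEST = GOOD_REQUEST.replace(b">EU<", b">APAC<")
DUPLICATE_REQUEST = GOOD_REQUEST.replace(
    b"<app:Region>EU</app:Region>",
    b"<app:Region>EU</app:Region><app:Region>APAC</app:Region>")


def check_request(xml_bytes: bytes) -> tuple:
    """Return (permitted, reason). Default is deny: malformed XML, a missing
    element, more than one matching element, or a value outside the allowlist
    all fail closed. For untrusted input in production, parse with defusedxml."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    for xpath, allowed in ALLOWED.items():
        matches = root.findall(xpath, NS)
        # Exactly one element: duplicates could otherwise let a second value slip past.
        if len(matches) != 1:
            return False, f"{xpath}: expected exactly one element, found {len(matches)}"
        value = (matches[0].text or "").strip()
        if value not in allowed:
            return False, f"{xpath}: value {value!r} not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    for name, req in [("good", GOOD_REQUEST), ("bad value", BAD_VALUE_REQUEST),
                      ("duplicate", DUPLICATE_REQUEST), ("malformed", b"<soap:Envelope")]:
        print(name, check_request(req))
```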