Forum Discussion

Mike_Ho
May 08, 2013

Filtering SOAP requests - do I understand this correctly?

Hi, I've got a policy with an XML content profile that validates requests against the schema and blocks invalid requests to unapproved methods. So far so good.

For permitted methods, I want to inspect specific XML elements and permit or deny access based on their text data.

I was hoping I'd be able to set up this element-level access control within the content profile, but discovered that does not appear to be the case.

I thought maybe I could define an XML element from the SOAP request body as a "parameter". I tried various things in tightening and with wildcard URL parameters and extractions (using XPath), but I'm starting to think an XML element cannot be defined as a "parameter". Can anyone confirm this?

If I could define the XML element as a parameter, and I know the acceptable values, I was thinking I could define the static list of acceptable element text in the parameter definition. Barring that, I could use the extracted parameter in a custom attack signature and assign it to the content profile.

Is there another way within ASM to filter on the text values of specific XML elements?

If parameters are in fact the right approach to this, how can I debug my process? The combination of parameter definition, extraction definition, and the limited XPath syntax seems to be conspiring against me.

Thank you.


2 Replies

  • Hi,

    you are on the wrong track. You don't have to configure parameters for SOAP web services. That doesn't work.

    The rules for the XML elements are based on the schema files. If no specific rules exist, every string is allowed.

    If there are restrictions for an element and the request isn't valid, you will get the message "XML data does not comply with schema or WSDL document" with the description "Malformed document - schema validation failed Invalid element value" and the request will be blocked.

    So, you do not define the rules on the ASM side. The developer of the web service has to define what is allowed and what is forbidden.

    You only have to define a parameter if it is allowed to request the schema files (xsd or wsdl) via the same URL. But this has nothing to do with the SOAP requests.

    regards
  • Thank you for the reply. I was going to pursue XML routing via iRules, but instead I simply edited the relevant XSD before uploading it to remove certain bits I didn't want to pass through the policy, and that met my needs.
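The first reply's point, that allowed element values come from the XSD rather than from ASM parameters, as an added example that is not part of this thread: a constructed XSD restricting an `action` element to an enumeration, plus a small stdlib-only checker that emulates which SOAP requests a schema validator would reject (the `urn:example:orders` service, `getOrder`, and all sample messages are made up; this is an illustration, not ASM's validation engine).

```python
import xml.etree.ElementTree as ET

XS = "http://www.w3.org/2001/XMLSchema"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed XSD: the service developer restricts <action> to two values.
# This is the kind of rule the reply says must live in the schema.
XSD = f"""<?xml version="1.0"?>
<xs:schema xmlns:xs="{XS}" targetNamespace="urn:example:orders"
           xmlns="urn:example:orders" elementFormDefault="qualified">
  <xs:element name="getOrder">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="orderId" type="xs:string"/>
        <xs:element name="action">
          <xs:simpleType>
            <xs:restriction base="xs:string">
              <xs:enumeration value="view"/>
              <xs:enumeration value="export"/>
            </xs:restriction>
          </xs:simpleType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>"""

def enumerations(xsd_text):
    """Map each element with a direct xs:enumeration restriction to its allowed values."""
    allowed = {}
    for el in ET.fromstring(xsd_text).iter(f"{{{XS}}}element"):
        restriction = el.find(f"{{{XS}}}simpleType/{{{XS}}}restriction")
        if restriction is None:
            continue
        values = {e.get("value") for e in restriction.findall(f"{{{XS}}}enumeration")}
        if values:
            allowed[el.get("name")] = values
    return allowed

def check_request(soap_text, allowed):
    """Return (element, value) pairs in the SOAP Body that violate the enumerations."""
    body = ET.fromstring(soap_text).find(f"{{{SOAP}}}Body")
    violations = []
    for el in body.iter():
        local = el.tag.rsplit("}", 1)[-1]          # strip the namespace prefix
        text = (el.text or "").strip()
        if local in allowed and text not in allowed[local]:
            violations.append((local, text))
    return violations

def soap_request(action):
    """Constructed sample request; only the <action> value varies."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:o="urn:example:orders">'
            f"<soapenv:Body><o:getOrder><o:orderId>42</o:orderId>"
            f"<o:action>{action}</o:action></o:getOrder></soapenv:Body></soapenv:Envelope>")
```

A request with `<o:action>delete</o:action>` is reported as a violation, which is the condition under which a schema-validating policy returns "Invalid element value".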