When I generate an axis stub with wsdl2java, the stubs uses apache XML beans (or something like that) by default to convert XML to java and the other way around. As far as I'm concerned, the stubs seem to perform validation of the XML before sending it.
In the beginning I tested this by leaving a parameter empty (that is explicitly required in the WSDL) I get a XML validation error and the message is never send. I also tested other cases, in which I send an invalid pattern for a String element. Also, in that case I got a nice validation exception telling that the pattern is wrong and the request is never send. Good.
However, lately I added a (mandatory) attribute to the schema, but I forgot to re-generate the stub. I would expect that the stub would (as in the case above) fail to send the XML since there is a mandatory attribute absend. However, the stub did NOT complain about the attribute being absent, and simply sended the XML (on which the webservice skeleton replied with an error that a mandatory attribute is not present).
Is this a flaw in the validation mechanism ? Should I use proper DOM/SAX XML validation techniques rather then depending on the generated stubs ?
The type of webservice is a document/literal which uses a XML schema for in and output (the schema is included in the WSDL). Axis version (and wsdl2java) is 1.4.
Joined: Aug 19, 2005
Originally posted by Jim Janssens: Also, in that case I got a nice validation exception telling that the pattern is wrong and the request is never send. Good.
Is it? Why should you ever let a situation arise in a production system where the outgoing XML could be invalid? For security reasons you should be validating incoming data originating from a source that you have no control over. If the data is coming from a reliable source you could even dispense with validation of incoming data. Validation of outgoing XML data puts unnecessary strain on the infrastructure and inflates overall response times. Apart from the fact that you should detect a problem at a level where you can deal with it gracefully - by the time something is converted to XML it's probably too late to recover gracefully and all you can do is log the exception. Now it might make sense to turn validation on during development (and possibly testing) to detect occasions where illegal data slips by the usual defenses but hopefully things should never get that far.
Well the fact that outgoing XML validation is necesary in a production environment is a total different discussion, and it totally a subjective matter. Anyway, I totally agree with this Derek guy in the mailing list
- That the lack of good (and easy configurable) XML validation in Axis is a shame - That you should be able to turn it off and on easy - That (in te best case) you must be able to select a degree of validation
So, it seems that Axis does not support XML validation by default. I will have to construct something myself then.
Joined: Aug 19, 2005
Originally posted by Jim Janssens: it totally a subjective matter.
Not only is it important, but validation may be required to guarantee the reliability of an XML application. An application may legitimately rely on the parser's validation so that it can avoid double-checking the validity of document contents. Validation is an important step of XML processing, but keep in mind that it may affect performance.
Consider the trusted and reliable system depicted in Figure 4.14. This system is composed of two loosely coupled applications. The front-end application receives XML documents as part of requests and forwards these documents to the reservation engine application, which is implemented as a document-centric workflow.
Although you must validate external incoming XML documents, you can exchange freely--that is, without validation--internal XML documents or already validated external XML documents. In short, you need to validate only at the system boundaries, and you may use validation internally only as an assertion mechanism during development. You may turn validation off when in production and looking for optimal performance.
Originally posted by Jim Janssens: - That the lack of good (and easy configurable) XML validation in Axis is a shame - That you should be able to turn it off and on easy - That (in te best case) you must be able to select a degree of validation.
There an easy solution to that - join the Axis team and add the functionality.