aspose file tools*
The moose likes Web Services and the fly likes Axis 1.4 does not validate input parameters? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Soft Skills this week in the Jobs Discussion forum!
JavaRanch » Java Forums » Java » Web Services
Bookmark "Axis 1.4 does not validate input parameters?" Watch "Axis 1.4 does not validate input parameters?" New topic
Author

Axis 1.4 does not validate input parameters?

aditee sharma
Ranch Hand

Joined: Jul 22, 2008
Posts: 182
Hi,
I am new to Axis and not so old with Web Services as well.
I created a XSD and a WSDL and subsequently generated the Java code using WSDL2JAVA utility provided by Axis.
The XSD portion is given below :

Now, I expect that since minOccurs="1" is specified in the XSD, AXIS should generate its own validation code for "myNumber", and give an error if in the input message doesn't have this parameter.
However, when this web service was deployed, and the said condition tested, no such validation message was given.
Is my expectation wrong or is there a switch in Axis to turn validation on?
Peer Reynders
Bartender

Joined: Aug 19, 2005
Posts: 2922
    
    5
Look at the exchanged messages with:

Apache TCPMon (Tutorial) or java.net tcpmon

I expect that there is a "myNumber" element that contains an empty string. That way the minOccurs/maxOccurs are satisfied - and you are not happy about the empty string. Including validation constraints (like enums) in the schema tends to restrict the "evolutionary potential" of your service contract - the longevity of your service contract tends to improve the less you restrict the data. Unfortunately that means that in this case your service has to check for an empty "myNumber" and issue a SOAP fault if the client misbehaves. Don't make the mistake of applying non-distributed "object sensibilities" to distributed services - they do not transfer like that. Best Practices for services have to balance a different set of challenges compared to non-distributed object design.

And in any case, most web service stacks do not validate the exchanged XML for performance reasons. Validation is something that is done separately when trust boundaries are crossed (in JAX-RPC you could add validation in a JAX-RPC handler).
[ December 12, 2008: Message edited by: Peer Reynders ]
aditee sharma
Ranch Hand

Joined: Jul 22, 2008
Posts: 182
I expect that there is a "myNumber" element that contains an empty string. That way the minOccurs/maxOccurs are satisfied - and you are not happy about the empty string.


You are right in saying that I confused the two conditions:
1) a parameter is absent
2) the parameter is present but empty.
Earlier, I had a client that was sending the "myNumber" parameter always (either empty or populated).
However, after reading your post, I changed the client and this time, the SOAP request did not have the parameter "myNumber".
However, I still do not get the Validation error message.


[ December 12, 2008: Message edited by: aditee sharma ]

[ December 12, 2008: Message edited by: aditee sharma ]
[ December 12, 2008: Message edited by: aditee sharma ]
aditee sharma
Ranch Hand

Joined: Jul 22, 2008
Posts: 182
Any one, please?
Peer Reynders
Bartender

Joined: Aug 19, 2005
Posts: 2922
    
    5
Originally posted by aditee sharma:
However, I still do not get the Validation error message.


As I stated before, for performance reasons the message is rarely validated.
I'm not aware that Axis has a validating mode.

You could write a JAX-RPC handler that validates the message payload and returns a SOAP fault if it fails.

However I suspect that is simpler to define an "invalid argument" SOAP Fault message in the WSDL and use that in the binding of the WSDL operation. WSDL2Java should translate that SOAP fault to an application specific "invalid argument" exception that can be thrown from your Java Method. All that is left is for your method to check whether the String is null or empty - and if it is throw that "invalid argument" exception which will then be transformed to a SOAP fault.


We are talking distributed web services here - not a strongly typed object oriented langauge enforcing detailed constraints on local method invocations.
aditee sharma
Ranch Hand

Joined: Jul 22, 2008
Posts: 182

As I stated before, for performance reasons the message is rarely validated.

But then, why would we need to specify maxOccurs and minOccurs attributes in the XSD ?
If Engines like AXIS do not perform even the very basic validations, and as per you there is a good reason for them not to, then there should be no provision for such attributes.

One more thing :
Sometime earlier, I worked a little with XML Beans and Weblogic specific tools ServiceGen and ClientGen for designing web services.
All one needed to do was define the XSD properly, and the validation would happen automatically by the code generated from XML Beans.
I never started from scratch so, do not know exactly how it worked.
Can you educate how it would have happened there and if that is a recommended way?
Peer Reynders
Bartender

Joined: Aug 19, 2005
Posts: 2922
    
    5
Originally posted by aditee sharma:

But then, why would we need to specify maxOccurs and minOccurs attributes in the XSD ?
If Engines like AXIS do not perform even the very basic validations, and as per you there is a good reason for them not to, then there should be no provision for such attributes


XML Schema wasn't developed for Axis or SOAP web services - so it could contain any number of features that do not contribute anything to either. However even in a non-validation scenario there is some useful information for the code generators:
  • minOccurs < 1 means that the element is optional - therefore the generated code has to allow for the absense of that element. That doesn't automatically mean that the code generator will enforce that the value has to be there if in fact minOccurs > 0. In "bean" terms: int getMyValue() "MyValue" cannot be optional as it always has to return a value - Integer getMyValue() "MyValue" could be optional as it could return "null" (no object); it can return one or no value.
  • maxOccurs > 1 means that the generated code has to allow for multiple values. Again in "bean" terms: int[] getMyValues() can return multiple "MyValue" (and none).


  • Can you educate how it would have happened there and if that is a recommended way?


    Well, according to the XMLBeans documentation, validation can be performed on demand but it doesn't validate while parsing - it may simply give you that impression:
    XMLBeans Does Not Validate an Instance While Parsing It

    Validating XML Documents

    To decide where and when to validate documents, you may take into account certain considerations. Assuming a system--by system we mean a set of applications that compose a solution and that define a boundary within which trusted components can exchange information--one can enforce validation according to the following observations.
  • Documents exchanged within the components of the system may not require validation.
  • Documents coming from outside the system, especially when they do not originate from external trusted sources, must be validated on entry.
  • Documents coming from outside the system, once validated, may be exchanged freely between internal components without further validation.


  • [ December 16, 2008: Message edited by: Peer Reynders ]
    Chatura Dilan
    Ranch Hand

    Joined: Feb 13, 2007
    Posts: 44
    Hi, Check this one

    http://www.chaturadilan.com/blog/?p=61


    -----------------------------------<br />If at first you don't succeed, try again without cry. Everytime You will learn what not to do next time, untill you succeed.<br /> <br />SCJP 1.4 (78%)<br />SCWCD 5 (95%)<br />BICT - UCSC
    aditee sharma
    Ranch Hand

    Joined: Jul 22, 2008
    Posts: 182
    Hi, Check this one

    Thanks,
    I read your website but couldn't find how it relates to the topic in question.
    It explains about deploying a webservice using AXIS, but how does that relate to validation ?
    Brice Willy
    Greenhorn

    Joined: Jan 20, 2009
    Posts: 2
    aditee sharma wrote:
    I expect that there is a "myNumber" element that contains an empty string. That way the minOccurs/maxOccurs are satisfied - and you are not happy about the empty string.


    You are right in saying that I confused the two conditions:
    1) a parameter is absent
    2) the parameter is present but empty.
    Earlier, I had a client that was sending the "myNumber" parameter always (either empty or populated).
    However, after reading your post, I changed the client and this time, the SOAP request did not have the parameter "myNumber".
    However, I still do not get the Validation error message.




    I got exactly the same problem, apparently AXIS doesn't check string parameter.
    I try with the type Calendar (a little bit more complex than a string ... lol) and it works.
    I'm asking myself if i'll emplement a java method that check mandatory string parameters...

    Do you have something new since the last time...
    Peer Reynders
    Bartender

    Joined: Aug 19, 2005
    Posts: 2922
        
        5
    Brice Willy wrote:I'm asking myself if i'll emplement a java method that check mandatory string parameters...


    In the WebMethod check for the mandatory string(s) - if it is missing (or empty) throw an org.apache.axis.AxisFault (or a subclass thereof) with the appropriate information. The Axis runtime will generate a SOAP Fault and return it to the client instead of the WebMethod response.
    Brice Willy
    Greenhorn

    Joined: Jan 20, 2009
    Posts: 2
    Peer Reynders wrote:
    Brice Willy wrote:I'm asking myself if i'll emplement a java method that check mandatory string parameters...


    In the WebMethod check for the mandatory string(s) - if it is missing (or empty) throw an org.apache.axis.AxisFault (or a subclass thereof) with the appropriate information. The Axis runtime will generate a SOAP Fault and return it to the client instead of the WebMethod response.


    Ok but that's not a clean process to get the check. Has axis a conf which permit to check that parameters?
    Peer Reynders
    Bartender

    Joined: Aug 19, 2005
    Posts: 2922
        
        5
    Brice Willy wrote:Ok but that's not a clean process to get the check.

    "Not clean", as in the developer actually has to do the some of the work?

    Has axis a conf which permit to check that parameters?


    See above:
    Peer Reynders wrote:And in any case, most web service stacks do not validate the exchanged XML for performance reasons.

    Peer Reynders wrote:I'm not aware that Axis has a validating mode.


    Furthermore the Java API for XML-based RPC JAX-RPC 1.1 (JSR-101) specification that Axis 1.x is based on, specifically states:
    JAX-RPC 1.1 (JSR-101) p. -37 wrote:The JAX-RPC specification does not require support for all different combinations of the occurrence constraints (minOccurs, maxOccurs).

     
    I agree. Here's the link: http://aspose.com/file-tools
     
    subject: Axis 1.4 does not validate input parameters?