How to block SOAP operations in Tibco?


What is the best way to block certain operations in a proxy if they are all on the same resource path?


It sounds to me like you are using Apigee Edge as a proxy for a SOAP service.

In SOAP, there are two ways that inbound requests indicate which server-side operations are intended. One is with the SOAPAction Header, the other is with the actual request Payload element.

In either case, it should be straightforward for you to design a smart proxy inside Apigee Edge that inspects the appropriate part of the inbound message, and tests that value against what is allowed and what is not.

In case 1, the soapaction header, you merely need to test the header value against the set of allowed values. Suppose there are just two allowed values. Then you could include a step in the PreFlow of your API Proxy that does something like this:

<Step>
  <Name>RaiseFault-OperationNotPermitted</Name>
  <Condition>request.header.soapaction != "allowed-value-1" AND request.header.soapaction != "allowed-value-2"</Condition>
</Step>

This assumes that the RaiseFault policy exists and returns an appropriate message to the caller. Probably a valid SOAP Fault, if it is a SOAP client.

If you have more than a few valid values, you may want to put that condition logic in a JavaScript step. I can explain more about this if my meaning is not clear.

In case 2, you first need to extract the top-level element from the inbound XML payload, and inspect that against the allowed set of values. For the extraction, use ExtractVariables on the inbound request payload, something like this:

<ExtractVariables name='ExtractTopLevelRequestElement'>
  <Source>request</Source>
  <XMLPayload>
    <Namespaces>
      <Namespace prefix='soap'>http://schemas.xmlsoap.org/soap/envelope/</Namespace>
    </Namespaces>
    <Variable name='topLevelRequestElement' type='string'>
      <XPath>local-name(/soap:Envelope/soap:Body/*[1])</XPath>
    </Variable>
  </XMLPayload>
</ExtractVariables>

That bit of XPath specifies "the unqualified element name for first child of the soap:Body element", and the entire policy says "put that element name into the context variable called topLevelRequestElement".

Therefore, AFTER this extract policy runs, you need a condition similar to the above, which would test that extracted value against allowed or disallowed values. Example:

<Step>
  <Name>ExtractTopLevelRequestElement</Name>
</Step>
<Step>
  <Name>RaiseFault-OperationNotPermitted</Name>
  <Condition>topLevelRequestElement != "allowed-value-1"</Condition>
</Step>

Does this make sense?
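
An added example (not part of the original answer) of the JavaScript step the answer mentions for longer allowlists. It goes a little further than the answer by checking both the SOAPAction header and the extracted body element and denying by default; the operation names, the `operationPermitted` flow variable and the function names are assumptions.

```javascript
// Allowlist: SOAPAction value -> expected first child element of soap:Body.
// All names here are constructed placeholders, not values from the original post.
var ALLOWED_OPERATIONS = {
  'allowed-value-1': 'AllowedRequest1',
  'allowed-value-2': 'AllowedRequest2'
};

// SOAP 1.1 clients normally send the SOAPAction value wrapped in double quotes,
// so strip one surrounding pair before comparing. Empty or missing -> null.
function normalizeSoapAction(raw) {
  if (raw === null || raw === undefined) { return null; }
  var v = String(raw).trim();   // String() also covers non-primitive runtime strings
  if (v.length >= 2 && v.charAt(0) === '"' && v.charAt(v.length - 1) === '"') {
    v = v.substring(1, v.length - 1);
  }
  return v.length > 0 ? v : null;
}

// True only when the header is on the allowlist AND the body element is the one
// expected for that header. A missing or mismatched value is denied.
function isOperationPermitted(rawSoapAction, topLevelElement) {
  var action = normalizeSoapAction(rawSoapAction);
  if (action === null ||
      !Object.prototype.hasOwnProperty.call(ALLOWED_OPERATIONS, action)) {
    return false;
  }
  if (topLevelElement === null || topLevelElement === undefined) { return false; }
  return ALLOWED_OPERATIONS[action] === String(topLevelElement);
}

// Inside an Apigee JavaScript policy the runtime provides `context`; the guard
// lets the same file run outside the proxy for unit testing.
if (typeof context !== 'undefined') {
  context.setVariable('operationPermitted',
    isOperationPermitted(context.getVariable('request.header.soapaction'),
                         context.getVariable('topLevelRequestElement')));
}
```

This step has to run after ExtractTopLevelRequestElement and before the RaiseFault step, whose Condition would then test the `operationPermitted` variable instead of comparing strings inline.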