nordic-institute/X-Road

WSDL which is not aligned with X-Road Message Protocol for SOAP is imported into security server without errors

arattur opened this issue · 2 comments

arattur commented

Software version: Docker image xroad-security-server-standalone:latest (X-Road Security Server version 7.2.1-1.ubuntu20.04)

More detailed description of the problem that includes:
Following WSDL ejs_wsdl.txt is not alligned with X-Road Message Protocol for SOAP. For example mandatory header elements (client, service etc) are missing and Remote Procedure Call style binding (soap:binding style="rpc") is used instead of a mandatory Document/Literal-Wrapped. Importing this WSDL should result in validation error, but it is imported as valid.

Steps to reproduce the issue:

  1. Log into Security Server as Administrator
  2. Choose TestService client
  3. Under Services tab import following WSDL: ejs_wsdl.txt
  4. WSDL is imported as valid without any errors

Expected result: WSDL which does not confirm with X-Road Message Protocol for SOAP should not pass validation and according error should be returned to Security Server Administrator

Actual result: WSDL is imported into Security Server without any errors

petkivim commented

Hi @arattur! Thank you for submitting the issue.

X-Road uses the Apache CFX WSDL Validator component to validate WSDLs when 1) services are added to the Security Server or 2) existing services are refreshed. The WSDL validator completes the following checks:

The wsdlvalidator validates whether a WSDL document is well-formed and schema conformed as noted by the following checks.

  • Check the WSDL document for XML well-formedness.
  • Validate the WSDL document against its XML schema.
  • Validate the WSDL document using some of the semantic rules defined in the WSDL specification.
  • Validate the WSDL document against custom validation rules, such as those defined by the Web Services Interoperability (WS-I) organization (i.e. WS-I Basic Profile rules).
  • Validate the WSDL against strange exceptions, incorrectly generated code and general bad WSDL issues.

Instead, the WSDL validator doesn't do any X-Road-specific validations. The WSDL validator component was updated in X-Road version 6.20.0 and the validator that was used in X-Road versions before 6.20.0 did some X-Road-specific validations. However, those validations were dropped in version 6.20.0. More information about the change is available here.

All in all, the behavior that you're describing is a feature, not a bug.

arattur commented

@petkivim thank you for thorough clarification!