Esa |
Posted: Mon Nov 04, 2013 3:58 am Post subject: Policy Set XPath for encrypting text() |
|
|
 Grand Master
Joined: 22 May 2008 Posts: 1387 Location: Finland
|
Hi,
I have been trying to write XPath for encrypting the contents of an element but leaving the tags intact.
This doesn't do it:
Code: |
/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Envelope']
/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Body']
/*[namespace-uri()='http://www.mycompany.com/EmployeeService' and local-name()='EmployeeInfoResponse']
/*[local-name()='employeeName']/*[local-name()='firstName']/text() |
Actually the element contains a CDATA field, but I read somewhere that XPath ignores CDATA, so I guess text() should capture it as well.
Message Broker 8.0.0.2 |
 |
Esa |
Posted: Wed Nov 06, 2013 4:05 am Post subject: |
|
|
 Grand Master
Joined: 22 May 2008 Posts: 1387 Location: Finland
|
After a lot of testing my conclusion is that Message Broker V8 just doesn't support
EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Content'.
One workaround I tested was this:
Code: |
.../*[local-name()='employeeName']/*[local-name()='firstName']/* |
That applies to elements only, so I had to wrap the contents within an extra element.
This becomes a little tasky because obviously all the elements in the XPath query need to have a namespace,
otherwise you get a NullPointerException (in the service trace).
My idea was to encrypt the contents of certain fields that may contain sensitive data so that an untrusted intermediate service
could map the message and call/respond an endpoint using some other WSDL.
I thought that's one part of what end-to-end security and message part protection is about.
Maybe I haven't understood it correctly?
I suppose I need to open a PMR unless somebody proves that my idea of end-to-end security is wrong. |
 |
kimbert |
Posted: Wed Nov 06, 2013 4:56 am Post subject: |
|
|
 Jedi Council
Joined: 29 Jul 2003 Posts: 5542 Location: Southampton
|
Quote: |
the element contains a CDATA field, but I read somewhere that XPath ignores CDATA, so I guess text() should capture it as well. |
The best place to look for information on how XPath handles text is here : http://www.w3.org/TR/xpath/#section-Text-Nodes
I assume you are using the *[local-name()='blah'] syntax because you do not want to specify the namespace? FYI, any node that allows you to specify an XPath expression will also allow you to specify the namespace prefixes and their corresponding URLs. So your path could be as simple as /pref:employeeName/pref:firstName ( where 'pref' is a prefix that I just made up for the example. And note that child elements in a structure often do not have namespaces - it depends on how the XSD was constructed ). |
 |
Esa |
Posted: Wed Nov 06, 2013 5:15 am Post subject: |
|
|
 Grand Master
Joined: 22 May 2008 Posts: 1387 Location: Finland
|
kimbert wrote: |
Quote: |
the element contains a CDATA field, but I read somewhere that XPath ignores CDATA, so I guess text() should capture it as well. |
The best place to look for information on how XPath handles text is here : http://www.w3.org/TR/xpath/#section-Text-Nodes |
The problem is not in the way XPath handles text but in the way Policy Sets handle XPath. If you have /text() in the XPath, nothing gets encrypted.
kimbert wrote: |
I assume you are using the *[local-name()='blah'] syntax because you do not want to specify the namespace? FYI, any node that allows you to specify an XPath expression will also allow you to specify the namespace prefixes and their corresponding URLs. |
Yes, but AFAIK a Policy Set is not a node. Policy Sets require fully qualified XPath and prefixes are not allowed (because the expression needs to be a one-liner, I guess). In my tests any XPath expression that had an element that did not specify a namespace-uri() caused a NullPointerException. |
 |
Y75 |
Posted: Wed Dec 04, 2013 2:26 pm Post subject: |
|
|
Apprentice
Joined: 29 Jul 2013 Posts: 32
|
Does broker support an expression like //*[local-name()='abc']? I don't want to specify the namespace as it can vary, but I am sure local-name would be there. I have it working in an XPath editor I have, but it doesn't seem to select anything in broker.
This is my tree
Code: |
( ['SOAPRoot' : 0x3fc44160]
(0x01000000:Name ):Properties = ( ['SOAPPROPERTYPARSER' : 0x2a992ee0]
(0x03000000:NameValue):MessageSet = '' (CHARACTER)
(0x03000000:NameValue):MessageType = '' (CHARACTER)
(0x03000000:NameValue):MessageFormat = '' (CHARACTER)
(0x03000000:NameValue):Encoding = 546 (INTEGER)
(0x03000000:NameValue):CodedCharSetId = 1208 (INTEGER)
(0x03000000:NameValue):Transactional = FALSE (BOOLEAN)
-----------------------------------------------------
(0x01000000:Name ):HTTPResponseHeader = ( ['WSRSPHDR' : 0x3fc44470]
------------------------
(0x01000000:Folder):XMLNSC = ( ['xmlnsc' : 0x40ebf680]
(0x01000000:Folder)http://MessageView/:AcctInfoInqRs = ( ['xmlnsc' : 0x3fb53160]
(0x01000000:Folder):XStatus = (
(0x03000000:PCDataField):StatusCode = '0' (CHARACTER)
(0x03000000:PCDataField):ServerStatusCode = '24000' (CHARACTER)
(0x03000000:PCDataField):Severity = 'Info' (CHARACTER)
(0x03000000:PCDataField):StatusDesc = '?' (CHARACTER)
)
(0x01000000:Folder):AcctRec = (
(0x01000000:Folder):AcctInfo = (
(0x03000000:PCDataField):Desc = '123123' (CHARACTER)
(0x01000000:Folder ):AcctIdent = (
(0x03000000:PCDataField):AcctIdentType = '?' (CHARACTER)
(0x03000000:PCDataField):AcctIdentValue = '?' (CHARACTER)
)
)
)
)
)
)
|
This is my xpath expression.
Code: |
Object queryResults = root.getLastChild().evaluateXPath("//*[local-name()='Status' or local-name()='XStatus']");
|
It returns an empty list so I assume it's getting compiled. |
 |
Y75 |
Posted: Wed Dec 04, 2013 3:13 pm Post subject: |
|
|
Apprentice
Joined: 29 Jul 2013 Posts: 32
|
Don't bother. This does work. I had made a stupid mistake. |
 |
Esa |
Posted: Wed Dec 04, 2013 10:26 pm Post subject: |
|
|
 Grand Master
Joined: 22 May 2008 Posts: 1387 Location: Finland
|
A remark for possible future readers:
While the short XPath syntax referenced by Y75 may work fine in message flow applications, Policy Sets require fully qualified XPath where namespace-uri is explicitly defined for each node (element). |
 |
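An added example, not part of the original thread and not IBM's code: a small Python helper that expands a prefixed path into the prefix-free, fully qualified one-liner form described above, plus a lint that flags the two problems reported in the thread (a `text()` step, and steps without `namespace-uri()`). The names `qualify`, `split_steps`, `lint` and `NS`, and the prefixed input form, are assumptions of this example.

```python
import re

# Constructed prefix map; the two URIs are the ones quoted in the thread.
NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
      "emp": "http://www.mycompany.com/EmployeeService"}
# A fully qualified step, in the form used by the expressions in the thread.
STEP = re.compile(r"\*\[namespace-uri\(\)='[^']+' and local-name\(\)='[^']+'\]")

def qualify(prefixed_path, nsmap):
    """Expand '/p:a/p:b' (hypothetical input form) into a prefix-free one-liner."""
    if not prefixed_path.startswith("/") or prefixed_path.startswith("//"):
        raise ValueError("path must be absolute, e.g. /p:a/p:b")
    names = prefixed_path[1:].split("/")
    out = []
    for i, name in enumerate(names):
        if name == "*" and i == len(names) - 1:
            out.append("*")  # trailing element wildcard, as in the workaround
            continue
        prefix, sep, local = name.partition(":")
        if not sep or prefix not in nsmap or "'" in nsmap[prefix]:
            raise ValueError(f"step {name!r} needs a declared namespace prefix")
        if not re.fullmatch(r"[A-Za-z_][\w.-]*", local):
            raise ValueError(f"step {name!r} is not a plain element name")
        out.append(f"*[namespace-uri()='{nsmap[prefix]}' and local-name()='{local}']")
    return "/" + "/".join(out)

def split_steps(expr):
    """Split on '/' outside quoted strings (namespace URIs contain '/')."""
    steps, cur, quoted = [], "", False
    for ch in expr:
        quoted ^= ch == "'"
        if ch == "/" and not quoted:
            steps.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return steps + [cur.strip()]

def lint(expr):
    """List the problems reported in the thread for a Policy Set XPath."""
    first, *steps = split_steps(expr)
    problems = [] if first == "" else ["expression is not absolute"]
    for i, step in enumerate(steps):
        if step == "text()":
            problems.append("text() step: nothing gets encrypted")
        elif step == "*" and i == len(steps) - 1:
            continue  # element wildcard as the last step is accepted
        elif not STEP.fullmatch(step):
            problems.append(f"step {i + 1} lacks namespace-uri(): {step!r}")
    return problems
```

The sample map assumes that `employeeName` and `firstName` live in the EmployeeService namespace; the thread does not say which namespace they use.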
Esa |
Posted: Thu Dec 19, 2013 2:01 am Post subject: |
|
|
 Grand Master
Joined: 22 May 2008 Posts: 1387 Location: Finland
|
We raised a PMR on this some weeks ago and now we have been told that this is a current limitation with the product. We were recommended to raise an RFE.
Which we have done. Link to the RFE |