The built-in PHP extension for SOAP doesn't validate everything in the incoming SOAP request against the XML Schema in the WSDL. It does check for the existence of basic entities, but when you have something complicated like simpleType restrictions the extension pretty much ignores their existence.
What is the best way to validate the SOAP request against XML Schema contained in the WSDL?
Besides the native PHP5 SOAP libs, I can also tell you that neither the PEAR nor Zend SOAP libs will do schema validation of messages at present. (I don't know of any PHP SOAP implementation that does, unfortunately.)
What I would do is load the XML message into a DOMDocument object and use DOMDocument's methods to validate against the schema.
Been digging around on this matter a view hours.
Neither the native PHP SoapServer nore the NuSOAP Library does any Validation.
PHP SoapServer simply makes a type cast.
For Example if you define
<xsd:element name="SomeParameter" type="xsd:boolean" />
and submit
<get:SomeParameter>dfgdfg</get:SomeParameter>
you'll get the php Type boolean (true)
NuSOAP simply casts everthing to string although it recognizes simple types:
from the nuSOAP debug log:
nusoap_xmlschema: processing typed element SomeParameter of type http://www.w3.org/2001/XMLSchema:boolean
So the best way is joelhardi solution to validate yourself or use some xml Parser like XERCES
Typically one doesn't validate against the WSDL. If the WSDL is designed properly there should be an underlying xml schema (XSD) to validate the body of the request against. Your XML parser should be able to do this.
The rest is up to how you implement the web service and which SOAP engine you are using. I am not directly familiar with the PHP engine. For WSDL/interface level "validation" I usually do something like this:
Does the body of the request match a known request type and is it valid (by XSD)?
Does the message make sense in this context and can i map it to an operation/handler?
If so, start processing it
Otherwise: error
Using native SoapServer PHP is a little bit tricky but is possible too:
function validate(string $xmlEnvelope, string $wsdl) : ?array{
libxml_use_internal_errors(true);
//extracting schema from WSDL
$xml = new DOMDocument();
$wsdl_string = file_get_contents($wsdl);
//extracting namespaces from WSDL
$outer = new SimpleXMLElement($wsdl_string);
$wsdl_namespaces = $outer->getDocNamespaces();
//extracting the schema tag inside WSDL
$xml->loadXML($wsdl_string);
$xpath = new DOMXPath($xml);
$xpath->registerNamespace('xsd', 'http://www.w3.org/2001/XMLSchema');
$schemaNode = $xpath->evaluate('//xsd:schema');
$schemaXML = "";
foreach ($schemaNode as $node) {
//add namespaces from WSDL to schema
foreach($wsdl_namespaces as $prefix => $ns){
$node->setAttribute("xmlns:$prefix", $ns);
}
$schemaXML .= simplexml_import_dom($node)
->asXML();
}
//capturing de XML envelope
$xml = new DOMDocument();
$xml->loadXML($xmlEnvelope);
//extracting namespaces from soap Envelope
$outer = new SimpleXMLElement($xmlEnvelope);
$envelope_namespaces = $outer->getDocNamespaces();
$xpath = new DOMXPath($xml);
$xpath->registerNamespace('soapEnv', 'http://schemas.xmlsoap.org/soap/envelope/');
$envelopeBody = $xpath->evaluate('//soapEnv:Body/*[1]');
$envelopeBodyXML = "";
foreach ($envelopeBody as $node) {
//add namespaces from envelope to the body content
foreach($envelope_namespaces as $prefix => $ns){
$node->setAttribute("xmlns:$prefix", $ns);
}
$envelopeBodyXML .= simplexml_import_dom($node)
->asXML();
}
$doc = new DOMDocument();
$doc->loadXML($envelopeBodyXML); // load xml
$is_valid_xml = $doc->schemaValidateSource($schemaXML); // path to xsd file
return libxml_get_errors();
}
and inside your SoapServer function implementation:
function myFunction($param) {
$xmlEnvelope = file_get_contents("php://input");
$errors = validate($xmlEnvelope, $wsdl);
}
I was not able to find any simple way to perform the validation and in the end had validation code in the business logic.
Some time ago I've create a proof of concept web service with PHP using NuSOAP. I don't know if it validates the input, but I would assume it does.
Related
I use external libraries to communicate with external systems. Communication is via Soap.
I provide the library with a set of data in a simple way. She checks the data, sends the request, and receives the reply. Converts the response to its object and returns.
How can I access the SoapClient object without making changes to the external library?
For this object, I need the original data. Request, response, headers.
Is it possible to do?
EDIT:
A simple example of using one of the many external libraries:
class fedex {
public function trackShipment($number)
{
$trackRequest = new TrackServiceTrackRequest();
$trackRequest->WebAuthenticationDetail->UserCredential->Key = $this->getAccessNumber();
$trackRequest->WebAuthenticationDetail->UserCredential->Password = $this->getAccountPassword();
$trackRequest->ClientDetail->AccountNumber = $this->getAccountNumber();
$trackRequest->ClientDetail->MeterNumber = $this->getMeterNumber();
$trackRequest->SelectionDetails[0]->PackageIdentifier->Value = $number;
$request = new TrackServiceRequest();
return $request->getTrackReply($trackRequest);
}
}
$fedex = new fedex();
$result = $fedex->trackShipment('123456789');
How to get original xml with request and header that was sent by library without modifying it?
The TrackServiceRequest() object does not access the SoapClient() object.
I need to query a WCF service in PHP, so that it can return an XML object back to me.
Previously I was able to do this using the http request and post method
$url = 'http://localhost:49000/';
//create the httprequest object
$httpRequest_OBJ = new httpRequest($url, HTTP_METH_POST, $options);
Using Soap. I can make a connection doing this:
// Create a new soap client based on the service's metadata (WSDL)
$client = new SoapClient("http://localhost:8731/FileUploadService?wsdl");
But how can I pass the XML object into the soap client and return a XML object.
If you really want to send a string containing the XML, you could use
$client->YourSoapMethodCall( new SoapVar($xmlString, XSD_ANYXML) ).
But it would be more convenient to feed parameters with an array or objects (which I use).
cf. http://andrecatita.com/code-snippets/php-soap-repeated-element-name/
I have a PHP soap server (Using nuSoap), and a Java client (using Axis2). Which works pretty good, until it doesn't.
The gist of what I'm trying to do is send a code to the service, and return a XML list of file names.
<filename>20120413.zip</filename>
Here's the SSCE
<?
require_once('nusoap/lib/nusoap.php');
$server = new soap_server();
$server->configureWSDL('Download Database Backup', 'urn:downloadDatabase');
$server->register('getBackupFileNames', // method
array('herdCode' => 'xsd:string'), // input parameters
array('fileList' => 'xsd:string'), // output parameters
'urn:uploadDatabase', // namespace
'urn:uploadDatabase#uploadDatabase', // soapaction
'rpc', // style
'encoded', // use
'uploadDatabase' // documentation
);
function getBackupFileNames($herdCode)
{
$location = "/home/rhythms/backups/" . $herdCode;
$fileList = scandir($location);
return $fileList;
}//end function
$HTTP_RAW_POST_DATA = isset($HTTP_RAW_POST_DATA) ? $HTTP_RAW_POST_DATA : '';
$server->service($HTTP_RAW_POST_DATA);
?>
In a pinch, I know I could do a foreach and manually create the XML as a string. However it gets XMLEncoded then. Is there a better way? I would like to publish it by default in the WSDL. I've also tried the complexType but I had trouble handling that on the Axis2 side.
Thank you!
This isn't a direct answer. What I've come to is you can send a SOAP array using the SOAP-ARRAY complex data type. But it's not a very good method. Instead I'm going to investigate the native SOAP implementation that PHP provides.
Axis2 doesn't handle the SOAP-ARRAY complex datatype well, so I think it will be easier to adjust my implementation to PHP's native types.
This is left as a footnote so hopefully someone else won't fall down the same well I did as I was trying to find a good SOAP implementation.
I am struggling to get PHP's inbuilt SoapClient to interpret the response coming back from the web service I'm trying to call.
SoapUI is able to interrogate this soap method and return good results.
I am also able to get nusoap_client to return correct results (but am not able to use nusoap for other reasons and think I'm stuck with SoapClient).
Using SoapClient, I can see that seemingly good data is being returned, but instead of the results being parsed and broken into easily consumed arrays of values, the XML response string is being stuffed into a single field in an object (labelled 'any').
My code and results are shown below :
$client = new SoapClient($url);
$results = $client->GetPropertiesByProjectAndContractStatus($params);
var_dump($results);
The output from the above code is below :
object(stdClass)[3]
public 'GetListingsByGUIDResult' =>
object(stdClass)[4]
public 'any' => string '<xs:schema xmlns="" ........ (long xml here) ....
Now, perhaps it's possible that the service I am using is returning some xml which has something wrong with it (although it seems fine to my eye). nusoap and SoapUI both have no problems using it either.
So I'm wondering what is it with SoapClient that is different.
I have a function that grabs that result and turns it into a dom object so you can use the dom functions to extract data.
protected function getElementsFromResult($elementName, $simpleresult) {
$dom = new DOMDocument ();
$dom->preserveWhiteSpace = FALSE;
if ($simpleresult == null) {
echo 'null';
return null;
} else {
$dom->loadXML ( $simpleresult->any );
return $dom->getElementsByTagName ( $elementName );
}
$elementName is the name of the elements you want from the result and $simpleresult is the object containing the 'any' string.
This happens when the data returned is not specified in the WSDL that you are using. Anything not in the WSDL will get lumped into this "any" element at the end of parsing the XML.
If this is happening then you should ensure that your script is using the correct WSDL for the SOAP service you're using.
For example, if you're using an old WSDL and new elements are now in use in the service, they will end up inside this "any" element!
Did you try using the SOAP_SINGLE_ELEMENT_ARRAYS feature?
<?php
$client = new SoapClient($url, array('features' => SOAP_SINGLE_ELEMENT_ARRAYS));
I'm currently dealing with an archaic payment processor that makes connecting to their service as hard as possible (including a custom client SSL cert, with a password, plus basic HTTP Auth after that). Long story short, I can't use SoapClient to make the request, but I have been able to do it with cURL.
I now have the response in a string, can I use SoapClient to parse it? I'd rather not have to parse it manually as a regular XML, since I'd have to duplicate a lot of functionality, like throwing a sensible exception when finding a <SOAP:Fault>, for example.
No, you can't.
(just answering this for posterity. Based on the lack of evidence to the contrary, you apparently can't use SoapClient to parse a SOAP response you already have)
You can define context using context option of SoapClient to tell SoapClient to use SSL certificates etc. Context may be created using stream_context_create with lots of options
Let's for a second imagine you had called SoapClient::__doRequest() and it returned your XML SOAP response into a variable called $response.
<?php
//LOAD RESPONSE INTO SIMPLEXML
$xml = simplexml_load_string($response);
//REGISTER NAMESPACES
$xml->registerXPathNamespace('soap-env', 'http://schemas.xmlsoap.org/soap/envelope/');
$xml->registerXPathNamespace('somenamespace', 'http://www.somenamespace/schema/');
//...REGISTER OTHER NAMESPACES HERE...
//LOOP THROUGH AND GRAB DATA FROM A NAMESPACE
foreach($xml->xpath('//somenamespace:MessageHeader') as $header)
{
echo($header->xpath('//somenamespace:MyData'));
}
//...ETC...
?>
That is just some example/pseudo code (not tested and won't work as-is). My point is that you manually acquired the SOAP response so now all you have to do is parse it. SimpleXML is one solution you could use to do that.