Back to Security Pattern Catalog
: Perimeter Security, Tampering
Every incoming message has to go through a validation phase. These messages may contain malicious content or XML messages from unauthorized parties, which are a potential threat to the service provider. Traditional security mechanism like firewalls and packet filtering systems do not secure and verify the content and cannot handle threats at the application level.
How can the XML security implementation be designed such that it does not add complexity and does not make it tedious to process application-specific content?
Use modular or pluggable component that can be integrated with infrastructure service components that handle pre-processing and post-processing of incoming and outgoing SOAP and XML messages. Combine a chain of tasks intended for identifying message-level specific headers, dissecting the header elements, and verifying the message for the key security requirements specified by the service provider. Verify and Validate SOAP message and its headers for standards compliance such as WS-Security, SAML, WS-I Basic security profile etc. Identify the data origin and verify the integrity of the message payload and its elements using WS-Security and XMLDSIG. Verify the confidentiality of the message using WS-Security and XMLENC. The Message Inspector acts as a security decision point for enforcing all the security policies applicable to accessing a service endpoint.
A message inspector validating using WS-Security tags in the SOAP header.
Message Interceptor Gateway, Policy Enforcement Point
XML, Application Layer, Interceptor
Last modified: May 05, 2012
and Maintained by: Munawar Hafiz