Manual Chapter: Protecting XML-Based Applications
An XML profile defines the XML protection that a security policy enforces. You can associate the XML profile with a URL or with a parameter. An XML profile contains one or more of the following checks:
XML Schema Definition (XSD) file (otherwise referred to as a schema file) and Web Services Description Language (WSDL) document enforcement
The XML profile protects XML applications by using a combination of validation achieved by enforcing schema files and WSDL documents, well-formed XML, and general protection based on attack signatures and defense rules. Therefore, when you configure an XML profile, you need the following information about the XML application that you want to protect.
Does the application use validation files, for example, schemas or WSDL documents?
If yes, you need to know which files.
What applications are on the back end?
There can be more than one, for example, an Expat XML parser, and an Oracle® database server.
The validation configuration provides the system with information about the XML data or web services application that the XML profile is protecting.
XML is a self-describing language. As such, many XML applications have a schema file or WSDL document that describes the language that the application uses to communicate with its remote users and systems. You can use an XML profile to validate whether the incoming traffic complies with the predefined schemas or WSDL documents.
Important: When you upload a schema file or WSDL document, the system automatically creates an XML profile, even if you do not click the Create button.
1. On the Main tab of the Application Security navigation pane, click XML Profiles.
The XML Profiles screen opens.
3. Above the XML Profiles area, click the Create button.
The Create XML Profile screen opens.
4. In the Create Profile area, in the Profile Name box, type a name for the new XML profile.
5. Optionally, in the Description box, type any relevant information about the new profile. Note that the text description box has a 255-character limit.
6. For the File setting, either type the path to the file to upload, or click the Browse button, and navigate to the file.
If you selected a referenced file type, in the Import URL box, type one of the following URLs:
The URL that is defined in the location directive for a WSDL document
The URL that is defined in the schemaLocation directive in a schema (XSD) file
7. Click Upload.
The screen refreshes, and for the Configuration Files setting, you see the uploaded files listed.
8. To specify that the system should attempt to obtain and use files referenced in the WSDL or schema, check the Follow Schema Links box.
Note: Before enabling this setting, you must first add the DNS server to the DNS server list. When this setting is disabled and the uploaded file contains references to other schemas or WSDLs, the system displays an error message at the top of the screen listing the missing referenced files.
Important: When a schema file or WSDL document references another schema file or WSDL document, the system automatically displays the referenced files to give you the option of importing them. If circular dependencies exist in the referenced files, for example, schema 1 references schema 2, which contains a reference back to schema 1, you should import schema 1, then schema 2, then schema 1 again. This allows the system to create a mapping between the files.
9. To permit SOAP messages to contain attachments, check the Allow Attachments in SOAP Messages box.
10. To have the system verify the value of the SOAPAction header, check the Validate SOAPAction Header box. Note that the system automatically enables this setting when you upload a SOAP schema file.
11. Click the Create button.
The system adds the new XML profile to the configuration, and the screen refreshes to display the new profile on the XML Profiles list screen.
12. In the editing context area, click the Apply Policy button to activate the updated security policy.
A confirmation popup screen opens.
13. Click OK.
The system applies the updated security policy.
When you upload a WSDL document, the system automatically populates a list of SOAP (Simple Object Access Protocol) methods in the validation configuration of the XML profile. Additionally, the system adds the SOAP methods as URLs in the security policy, and automatically associates the XML profile with the URLs.
The system configures into the policy all relevant URLs that it finds inside the WSDL. These are designated as valid SOAP methods. By default, all of the methods are enabled, which means that the methods are permitted by the security policy. If you disable a SOAP method, and a request contains that method, then the system issues the SOAP method not allowed violation, and blocks the request if the enforcement mode is blocking.
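The following is an added example, not F5 code or part of this manual. It shows in plain Python what the two checks just described amount to: the list of valid SOAP methods is derived from the soapAction values in a WSDL's binding operations, a disabled method produces the SOAP method not allowed violation, and the SOAPAction header of a request is compared with the method named in the SOAP Body. The WSDL and request are constructed for this example; the label "SOAPAction header mismatch" is this example's own wording, not an F5 violation name.

```python
"""Added example (not F5 code): SOAP method allow-list derived from a WSDL,
plus the SOAPAction header check, applied to a constructed request."""
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed WSDL fragment: the portType operations carry no soapAction, the
# binding operations do, and only the latter define the SOAP methods.
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
             xmlns:tns="http://example.test/orders"
             targetNamespace="http://example.test/orders">
  <portType name="OrdersPortType">
    <operation name="GetOrder"/>
    <operation name="CancelOrder"/>
  </portType>
  <binding name="OrdersBinding" type="tns:OrdersPortType">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetOrder">
      <soap:operation soapAction="http://example.test/orders/GetOrder"/>
    </operation>
    <operation name="CancelOrder">
      <soap:operation soapAction="http://example.test/orders/CancelOrder"/>
    </operation>
  </binding>
</definitions>
"""

# Constructed SOAP request invoking GetOrder.
SAMPLE_REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <GetOrder xmlns="http://example.test/orders"><id>42</id></GetOrder>
  </soapenv:Body>
</soapenv:Envelope>
"""


def soap_methods_from_wsdl(wsdl_text):
    """Return {method name: soapAction} for every binding operation in the WSDL."""
    root = ET.fromstring(wsdl_text)
    methods = {}
    for op in root.iter("{%s}operation" % WSDL_NS):
        soap_op = op.find("{%s}operation" % SOAP_NS)
        if soap_op is not None:            # portType operations have none; skip them
            methods[op.get("name")] = soap_op.get("soapAction", "")
    return methods


def check_soap_request(headers, body, methods, disabled=frozenset(), blocking=True):
    """Return (violations, blocked) for one request.

    The method is the first child element of the SOAP Body. 'blocked' is True
    only when a violation exists and the enforcement mode is blocking."""
    violations = []
    envelope = ET.fromstring(body)
    soap_body = envelope.find("{%s}Body" % SOAP_ENV)
    first = next(iter(soap_body), None) if soap_body is not None else None
    method = first.tag.split("}")[-1] if first is not None else None
    if method not in methods:
        violations.append("SOAP method unknown")          # example's own label
    else:
        # SOAPAction header values are conventionally quoted; strip the quotes.
        action = headers.get("SOAPAction", "").strip().strip('"')
        if action != methods[method]:
            violations.append("SOAPAction header mismatch")  # example's own label
        if method in disabled:
            violations.append("SOAP method not allowed")     # violation named in the chapter
    return violations, bool(violations) and blocking


if __name__ == "__main__":
    allowed = soap_methods_from_wsdl(SAMPLE_WSDL)
    hdrs = {"SOAPAction": '"http://example.test/orders/GetOrder"'}
    print(check_soap_request(hdrs, SAMPLE_REQUEST, allowed, disabled={"GetOrder"}))
```

Disabling a method in the profile corresponds to adding its name to the `disabled` set here; with `blocking=False` the violation is still reported but the request is not blocked, mirroring transparent enforcement.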
Note: This task assumes that you have uploaded a WSDL document in the validation configuration. See To configure schema and WSDL document validation, if you have not performed this task.
1. On the Main tab of the Application Security navigation pane, click XML Profiles.
The XML Profiles screen opens.
3. In the XML Profiles area, in the Profile Name column, click the name of the profile for which you want to disable one or more SOAP methods.
The XML Profile Properties screen opens.
6. Below the Defense Configuration area, click the Update button.
The screen refreshes, and displays the XML Profiles screen.
7. To put the changes into effect immediately, click the Apply Policy button in the editing context area.
A confirmation popup screen opens.
8. Click OK.
The system applies the updated security policy.
The defense configuration provides formatting and attack pattern checks for the XML data. The defense configuration complements the validation configuration to provide comprehensive security for XML data and web services applications.
In the defense configuration, the defense level determines the granularity of the security inspection for the XML application. There is a trade-off between ease of configuration and defense level. The higher the defense level, the more refinement of the security policy may be required. For example, if you accept the default defense level of High, the XML security is optimized; however, when you initially apply the security policy, you may see many false-positives generated for XML violations.
When you configure the defense configuration settings for an XML profile, the system adjusts the attack signatures based on the characteristics of those that you select.
1. On the Main tab of the Application Security navigation pane, click XML Profiles.
The XML Profiles screen opens.
2. In the XML Profiles list, in the Profile Name column, click the name of the XML profile for which you want to modify the advanced defense configuration settings.
The XML Profile Properties screen opens.
3. Above the Defense Configuration area, select Advanced.
The screen refreshes to display additional defense configuration settings.
4. In the Defense Configuration area, for the Overridden Security Policy Settings option, select attack signatures from the Global Security Policy Settings list, and then click the Move (<<) button. To select more than one attack signature at the same time, hold down the Ctrl key on the keyboard when you select the attack signatures.
5. In the Overridden Security Policy Settings list, enable or disable each attack signature as you want.
6. For the Defense Level setting, select the appropriate level for the application. The default setting is High.
Note: Table 13.1 describes the defense configuration settings. The default values are determined by the Defense Level setting. Note that the value 0 (zero) in the table indicates unlimited; that is, up to the boundaries of an integer type.
8. Click Create.
The system commits any changes you may have made.
9. To put the changes into effect immediately, click the Apply Policy button in the editing context area.
A confirmation popup screen opens.
10. Click OK.
The system applies the updated security policy.
1. On the Main tab of the Application Security navigation pane, click XML Profiles.
The XML Profiles screen opens.
2. In the XML Profiles list, in the Profile Name column, click the name of the XML profile for which you want to modify the advanced defense configuration settings.
The XML Profile Properties screen opens.
3. Above the Defense Configuration area, select Advanced.
The screen refreshes to display additional defense configuration settings.
4. In the Defense Configuration area, for the Overridden Security Policy Settings option, select attack signatures from the Global Security Policy Settings list, and then click the Move (<<) button. To select more than one attack signature at the same time, hold down the Ctrl key on the keyboard when you select the attack signatures.
5. In the Overridden Security Policy Settings list, enable or disable each attack signature as you want.
6. For the Defense Level setting, select the appropriate level for the application. The default setting is High.
Note: Table 13.1 describes the defense configuration settings. The default values are determined by the Defense Level setting. Note that the value 0 (zero) in the table indicates unlimited; that is, up to the boundaries of an integer type.
8. Click Update.
The system commits any changes you may have made.
9. To put the changes into effect immediately, click the Apply Policy button in the editing context area.
A confirmation popup screen opens.
10. Click OK.
The system applies the updated security policy.
Table 13.1 Defense configuration settings
Default Value: High
Default Value: Low
Specifies the level of protection that the system applies to XML documents, applications, and services.
Specifies, in bytes, the largest acceptable document size.
Specifies the maximum number of elements that can be in a single document.
Specifies, in bytes, the maximum acceptable length for entity and attribute names.
Specifies, in bytes, the maximum acceptable length for attribute values.
Specifies the maximum acceptable number of child elements for each parent element.
Specifies the maximum number of attributes for each element.
Specifies the maximum number of namespace declarations for a single document.
Specifies, when enabled, that the XML document can contain or refer to DOCTYPE declarations (DTDs).
Specifies, when enabled, that references to external DOCTYPE declarations are acceptable.
Specifies the maximum amount of memory a single, expanded entity definition may consume.
Specifies the maximum number of times that a DTD entity can call itself.
Specifies, when enabled, that leading white space at the beginning of an XML document is acceptable.
Specifies, when enabled, that the close tag format </>, which is used in the XML encoding for Microsoft® Office Outlook® Web Access, is acceptable.
Specifies, when enabled, that the entity and namespace names can start with an integer (0-9). Note that this is a compatibility option for use with Microsoft® Office Outlook® Web Access.
Specifies the largest allowed size for a namespace in the XML part of a request.
Allow Processing Instructions
Specifies, when enabled, that the system allows processing instructions in the XML request. If you upload a WSDL file that references valid SOAP methods, this setting is inactive.
Specifies, when enabled, that the system permits the existence of character data (CDATA) sections in the XML document part of a request.
You can associate XML profiles with explicit URLs and wildcard URLs. The parameter or URL that the XML payload refers to is mostly in the WSDL or the schema. When the system receives a request that contains the URL, the system applies the associated XML profile, and generates, if applicable, an XML violation. You can configure the system to verify all requests, or only those requests whose Content-Type header contains a configurable string, for example, text/xml.
The Security Enforcer applies the XML profile to the entire POST data component in a request. If the Content-Type header check fails, the Security Enforcer applies the default HTTP validations for POST data. If you configure the XML profile to validate requests based on the Content-Type header values, we recommend that you ensure that the security policy also validates POST data.
Tip: You can associate one XML profile with several URLs. You do not need to create a separate XML profile for each URL that you want the system to protect. If you associate an XML profile with a wildcard URL, you can use one XML profile to protect an entire web services application. For general information on wildcard URLs, see Chapter 10, Working with Wildcard Entities.
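The following is an added example, not F5 code or part of this manual. It shows, with Python's Expat bindings (the chapter names Expat as a typical back-end parser), how limits of the kind listed in Table 13.1 are enforced on a document, and how the Content-Type gate described above decides whether the XML profile is applied to the whole POST body or the request falls back to the default POST data validation. The `XmlLimits` field names, the violation strings, the default pattern `*xml*` and case-insensitive matching of the Content-Type header are this example's own assumptions; entity-expansion memory and DTD recursion depth are not modelled, and 0 means unlimited as in the table.

```python
"""Added example (not F5 code): Table 13.1-style limits enforced with Expat,
plus the Content-Type gate for applying the profile to POST data."""
import fnmatch
import xml.parsers.expat as expat
from dataclasses import dataclass


@dataclass
class XmlLimits:                      # field names are this example's own
    max_document_size: int = 0        # bytes; 0 = unlimited, as in Table 13.1
    max_elements: int = 0
    max_name_length: int = 0          # bytes, element and attribute names
    max_attr_value_length: int = 0    # bytes
    max_children_per_element: int = 0
    max_attributes_per_element: int = 0
    max_ns_declarations: int = 0
    allow_dtd: bool = False
    allow_external_references: bool = False
    allow_processing_instructions: bool = False
    allow_cdata: bool = True


class _Stop(Exception):
    """Raised inside a handler to abort parsing once a DOCTYPE is refused."""


def _over(limit, value):
    return limit and value > limit


def check_xml(data, limits):
    """Return the violations found in one XML document (empty list = passes)."""
    violations = []

    def note(msg):                    # record each violation once
        if msg not in violations:
            violations.append(msg)

    if _over(limits.max_document_size, len(data)):
        note("document size exceeds limit")
        return violations             # an oversized body is not parsed at all
    counts = {"elements": 0, "ns": 0}
    children = []                     # child counter for each open element

    def start_element(name, attrs):
        counts["elements"] += 1
        if _over(limits.max_elements, counts["elements"]):
            note("too many elements")
        if _over(limits.max_name_length, len(name.encode())):
            note("element name too long: " + name)
        if children:
            children[-1] += 1
            if _over(limits.max_children_per_element, children[-1]):
                note("too many child elements")
        children.append(0)
        # xmlns attributes are namespace declarations, not ordinary attributes
        real = {k: v for k, v in attrs.items()
                if k != "xmlns" and not k.startswith("xmlns:")}
        counts["ns"] += len(attrs) - len(real)
        if _over(limits.max_ns_declarations, counts["ns"]):
            note("too many namespace declarations")
        if _over(limits.max_attributes_per_element, len(real)):
            note("too many attributes on <%s>" % name)
        for k, v in real.items():
            if _over(limits.max_name_length, len(k.encode())):
                note("attribute name too long: " + k)
            if _over(limits.max_attr_value_length, len(v.encode())):
                note("attribute value too long: " + k)

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if not limits.allow_dtd:
            note("DOCTYPE declaration not allowed")
            raise _Stop()             # stop before any entity is processed
        if sysid and not limits.allow_external_references:
            note("external DOCTYPE reference not allowed")
            raise _Stop()

    parser = expat.ParserCreate()     # no ExternalEntityRefHandler: nothing is fetched
    parser.StartElementHandler = start_element
    parser.EndElementHandler = lambda name: children.pop()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.ProcessingInstructionHandler = lambda target, body: (
        None if limits.allow_processing_instructions
        else note("processing instruction not allowed"))
    parser.StartCdataSectionHandler = lambda: (
        None if limits.allow_cdata else note("CDATA section not allowed"))
    try:
        parser.Parse(data, True)
    except _Stop:
        pass
    except expat.ExpatError as err:   # the well-formedness check
        note("malformed XML: %s" % err)
    return violations


def inspect_post(headers, body, limits, check_content_type="*xml*"):
    """Gate the profile on the Content-Type header: None inspects all requests,
    otherwise the profile runs only when the (lower-cased) header matches the
    pattern; other bodies fall back to the default HTTP POST validation."""
    ctype = headers.get("Content-Type", "").lower()
    if check_content_type is None or fnmatch.fnmatchcase(ctype, check_content_type):
        return "xml_profile", check_xml(body, limits)
    return "http_post_validation", []
```

Run against a constructed body such as `b'<order id="42"><item sku="A1"/><item sku="B2"/></order>'`: with `XmlLimits()` it passes, with `XmlLimits(max_children_per_element=1)` it reports too many child elements, and a body starting with a DOCTYPE is refused before any entity is expanded. The early return on document size mirrors the sensible order of checks: reject the oversized body before spending parser time on it.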
3. In the URLs List area, click the name of the URL to which you want to assign an XML profile.
The URL Properties screen opens.
4. Above the URL Properties area, select Advanced.
The screen refreshes, and displays additional settings.
5. Click the Check XML box.
The screen refreshes, and displays additional settings.
6. For the XML Profile setting, do one of the following:
Note: When you navigate to the Create New XML Profile screen using the Create button (+), the system redirects you back to the URL Properties screen when you finish creating the new XML profile.
7. For the Check Content Type setting, specify how the system applies the XML profile to requests for this URL.
Select All if you want the system to inspect all requests.
Select User defined, and type a string, if you want the system to inspect only those requests whose Content-Type header value contains the string you specified. Note that this option has a default setting of *xml*.
8. Click Update to save any changes you may have made.
9. To put the changes into effect immediately, click the Apply Policy button in the editing context area.
A confirmation popup screen opens.
10. Click OK.
The system applies the updated security policy.
You can associate an XML profile with a parameter whose value is XML-encoded. When the system receives a request that contains the parameter, the system applies the XML profile to the parameter value, and if applicable, generates one or more XML violations.
3. In the Parameters List area, click the name of the parameter to which you want to assign an XML profile.
The Parameter Properties screen opens.
4. In the Edit Parameters area, for the Parameter Value Type, select XML value.
The screen refreshes, and displays XML profile settings.
5. In the XML Profile area, for the XML Profile setting, do one of the following:
Note: When you navigate to the Create New XML Profile screen using the Create button (+), the system redirects you back to the URL Properties screen when you finish creating the new XML profile.
6. Click Update to save any changes you may have made.
7. To put the changes into effect immediately, click the Apply Policy button in the editing context area.
A confirmation popup screen opens.
8. Click OK.
The system applies the updated security policy.
Web applications change over time, and you may occasionally need to fine-tune or revise the associated XML profile. You can easily make any necessary changes to the profile, and then apply the updated security policy so that the changes take effect immediately.
Note: Every change to an XML profile requires external network access to verify the schema link. The time needed to complete an XML profile update varies, depending on the size of the WSDL document or schema file, and your connection speed.
1. On the Main tab of the Application Security navigation pane, click XML Profiles.
The XML Profiles screen opens.
3. In the XML Profiles list, in the Profile Name column, click the name of the XML profile that you want to update.
The XML Profile Properties screen opens.
4. Make any necessary changes to the profile properties, and then click Update.
The system saves any changes you may have made.
5. To put the changes into effect immediately, click the Apply Policy button in the editing context area.
A confirmation popup screen opens.
6. Click OK.
The system applies the updated security policy.
If you no longer need a specific XML profile, you can remove it entirely from the configuration. Note that before you delete an XML profile, we recommend that you remove the profile from any URLs or parameters with which the profile is associated.
1. On the navigation pane, click XML Profiles.
The XML Profiles screen opens.
3. In the XML Profiles area, in the Select column (far left), check the box next to the profile that you want to remove, and then click the Delete button.
The system displays a popup confirmation screen.
4. Click OK.
The system permanently removes the XML profile from the configuration.
5. To put the changes into effect immediately, click the Apply Policy button in the editing context area.