Hello,
I have a problem with web services in Java.
I have created this web service:
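1. Interface of my web service

    import javax.jws.WebMethod;
    import javax.jws.WebParam;
    import javax.jws.WebService;
    import javax.jws.soap.SOAPBinding;
    import javax.jws.soap.SOAPBinding.Style;

    @WebService(name = "MyWebService")
    @SOAPBinding(style = Style.RPC)
    public interface MyWebService {
        @WebMethod
        public String doLogin(@WebParam(name = "lastname") String lastname,
                              @WebParam(name = "firstname") String firstname,
                              @WebParam(name = "password") String password);
        // ... other methods ...
    }
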
2. Endpoint of my web service

    import javax.ejb.Stateless;
    import javax.jws.WebService;

    @Stateless
    @WebService(
        endpointInterface = "webservice.MyWebService",
        portName = "MyWebServicePort",
        serviceName = "MyWebService")
    public class MyWebServiceEndpoint implements MyWebService {
        public String doLogin(String lastname, String firstname, String password) {
            // createLogin is not shown in the post; it is assumed to return the String result
            return createLogin(lastname, firstname, password);
        }
        // ... implementation of other methods ...
    }

I deploy this web service on Sun Java Application Server with an EAR file and it works fine. I tested my web service with SoapUI and all methods work correctly, but my PROBLEM is that I can do XML injection (or TAG injection). If I take the SOAP request below as an example:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="web:">
      <soapenv:Header>
      </soapenv:Header>
      <soapenv:Body>
        <web1:doLogin xmlns:web1="http://webservice.example.com/">
          <firstname>John</firstname>
          <lastname>Brown</lastname>
          <password>john_pass33</password>
          <lastname>Kennedy</lastname>
        </web1:doLogin>
      </soapenv:Body>
    </soapenv:Envelope>

In this example I have injected *2 tags <lastname>* in my SOAP request with SoapUI (for example), and the server always accepts it and uses the last <lastname> tag entered; in my example the lastname "Kennedy" will be used and not the lastname "Brown". I have tried to create an XML schema, but it always works the same.
How can I accept only one tag with the same name, or ignore the second tag, etc.?
Thank you
Edited by: rohrix on Apr 27, 2009 11:27 PM
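
One way to reject such a request before it reaches doLogin, as an added example that is not part of the original post: a JAX-WS SOAP handler that refuses any request in which a parameter element is repeated under the operation element. The class name DuplicateParamHandler is hypothetical, and the handler is assumed to be attached to the endpoint with @HandlerChain and a handler-chain file (not shown). It relies on the RPC style used above, where each parameter appears once as a direct child of the operation element.

```java
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.SOAPBody;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPException;
import javax.xml.ws.ProtocolException;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;

// Hypothetical handler (added example); attach it to the endpoint with @HandlerChain.
public class DuplicateParamHandler implements SOAPHandler<SOAPMessageContext> {

    // Returns the first repeated parameter name under an operation element, or null.
    static String findDuplicate(SOAPBody body) {
        for (Iterator<?> ops = body.getChildElements(); ops.hasNext();) {
            Object op = ops.next();
            if (!(op instanceof SOAPElement)) continue;      // skip whitespace text nodes
            Set<String> seen = new HashSet<String>();
            for (Iterator<?> ps = ((SOAPElement) op).getChildElements(); ps.hasNext();) {
                Object p = ps.next();
                if (!(p instanceof SOAPElement)) continue;
                String name = ((SOAPElement) p).getElementName().getLocalName();
                if (!seen.add(name)) return name;            // the second <lastname> lands here
            }
        }
        return null;
    }

    public boolean handleMessage(SOAPMessageContext ctx) {
        if (Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) {
            return true;                                     // only inspect incoming requests
        }
        try {
            String dup = findDuplicate(ctx.getMessage().getSOAPBody());
            if (dup != null) {                               // turned into a SOAP fault by the runtime
                throw new ProtocolException("Duplicate parameter element: " + dup);
            }
            return true;
        } catch (SOAPException e) {
            throw new ProtocolException(e);
        }
    }

    public boolean handleFault(SOAPMessageContext ctx) { return true; }
    public void close(MessageContext ctx) { }
    public Set<QName> getHeaders() { return new HashSet<QName>(); }
}
```

With this handler in the chain, the request shown above is answered with a SOAP fault naming lastname instead of being processed with "Kennedy".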