Event-Based SOAP Message Validation for WS-SecurityPolicy-Enriched Web Services

To enable checking of SOAP messages for compliance to a given security policy, extensions to the classical “Schema-only” validation of SOAP messages are required. These extensions check, if the WS-Security elements found in a SOAP message fulfill the Web Service security specification that is laid down in the WS-SecurityPolicy document. In this paper, we discuss to what extent the proposed extended validation of SOAP messages can be accomplished by an event-based validation system. We prefer this type of processing for use in network appliances like e.g. Web Servicelevel firewalls, because it is suited to resist DoS attacks that aim at memory exhaustion. We identify some of the constraints on the use of both WS-Security and WS-SecurityPolicy that must be introduced to allow for event-based parsing, and finally present an initial prototype for extended validation together with some performance figures.