Login/Register
XML Schema validation for POST requests with ASP.NET WebAPI
Asked Answered
Solved asp.net-mvcxsdasp.net-mvc-4asp.net-web-apixml-validation
L

2

6

I am trying to find a solution to validate if XML data sent in a POST request are fulfilling a given custom XML schema.

If I use the XmlMediaTypeFormatter delivered with ASP.NET Web API I don't have a schema validation available, as far as I can see. For example: If I have a model type...

public class Order
{
    public string Code { get; set; }
    public int Quantity { get; set; }
}

...and a POST action in an ApiController...

public HttpResponseMessage Post(Order order)
{
    if (ModelState.IsValid)
    {
        // process order...
        // send 200 OK response for example
    }
    else
        // send 400 BadRequest response with ModelState errors in response body
}

...I can post the following "wrong" XML data and will get a 200 OK response nevertheless:

User-Agent: Fiddler
Host: localhost:45678
Content-Type: application/xml; charset=utf-8

<Order> <Code>12345</Nonsense> </Order>   // malformed XML

Or:

<Order> <CustomerName>12345</CustomerName> </Order>    // invalid property

Or:

<Customer> <Code>12345</Code> </Customer>    // invalid root

Or:

"Hello World"    // no XML at all

etc., etc.

The only point where I have a validation of the request is model binding: In request example 1, 3 and 4 the order passed into the Post method is null, in example 2 the order.Code property is null which I could invalidate by testing for order == null or by marking the Code property with a [Required] attribute. I could send this validation result back in the response with a 400 "BadRequest" Http status code and validation messages in the response body. But I cannot tell exactly what was wrong and can't distinguish between the wrong XML in example 1, 3 and 4 (no order has been posted, that's the only thing I can see) - for instance.

Requiring that an Order has to be posted with a specific custom XML schema, for example xmlns="http://test.org/OrderSchema.xsd", I would like to validate if the posted XML is valid with respect to this schema and, if not, send schema validation errors back in the response. To achieve this I have started with a custom MediaTypeFormatter:

public class MyXmlMediaTypeFormatter : MediaTypeFormatter
{
    // constructor, CanReadType, CanWriteType, ...

    public override Task<object> ReadFromStreamAsync(Type type, Stream stream,
        HttpContentHeaders contentHeaders, IFormatterLogger formatterLogger)
    {
        var task = Task.Factory.StartNew(() =>
        {
            using (var streamReader = new StreamReader(stream))
            {
                XDocument document = XDocument.Load(streamReader);
                // TODO: exceptions must the catched here,
                // for example due to malformed XML
                XmlSchemaSet schemaSet = new XmlSchemaSet();
                schemaSet.Add(null, "OrderSchema.xsd");

                var msgs = new List<string>();
                document.Validate(schemaSet, (s, e) => msgs.Add(e.Message));
                // msgs contains now the list of XML schema validation errors
                // I want to send back in the response
                if (msgs.Count == 0)
                {
                    var order = ... // deserialize XML to order
                    return (object)order;
                }
                else
                    // WHAT NOW ?
            }
        });
        return task;
    }
}

This works so far as long as everything is correct.

But I don't know what to do if msgs.Count > 0. How can I "transfer" this validation result list to the Post action or how can I create a Http response that contains those XML schema validation messages?

Also I am unsure if a custom MediaTypeFormatter is the best extensibility point for such a XML schema validation and if my approach isn't the wrong way. Would possibly a custom HttpMessageHandler/DelegatingHandler be a better place for this? Or is there perhaps something much simpler out of the box?

Laresa answered 5/8, 2012 at 22:27 Comment(0)
L
0

By trial and error I found a solution (for the WHAT NOW ? placeholder in the question's code):

//...
else
{
    PostOrderErrors errors = new PostOrderErrors
    {
        XmlValidationErrors = msgs
    };
    HttpResponseMessage response = new HttpResponseMessage(
        HttpStatusCode.BadRequest);
    response.Content = new ObjectContent(typeof(PostOrderErrors), errors,
        GlobalConfiguration.Configuration.Formatters.XmlFormatter);
    throw new HttpResponseException(response);
}

...with the response class like this:

public class PostOrderErrors
{
    public List<string> XmlValidationErrors { get; set; }
    //...
}

That seems to work and the response looks like this then:

HTTP/1.1 400 Bad Request
Content-Type: application/xml; charset=utf-8

<PostOrderErrors xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <XmlValidationErrors>
        <string>Some error text...</string>
        <string>Another error text...</string>
    </XmlValidationErrors>
</PostOrderErrors>
Laresa answered 6/8, 2012 at 10:43 Comment(0)
C
6

If I were doing this I wouldn't use the Formatter. The primary goal of a formatter is to convert a wire representation to a CLR type. Here you have an XML document that you want to validate against a schema which is a different task altogether.

I would suggest creating a new MessageHandler to do the validation. Derive from DelegatingHandler and if the content type is application/xml load the content into XDocument and validate. If it fails, then throw a HttpResponseException.

Just add your MessageHandler to the Configuration.MessageHandlers collection and you are set.

The problem with using a derived XmlMediaTypeFormatter is that you are now executing at some point embedded inside the ObjectContent code and it is likely to be tricky to cleanly exit out. Also, making XmlMediaTypeFormatter any more complex is probably not a great idea.

I had a stab at creating the MessageHandler. I did not actually try running this code, so buyer beware. Also, the task stuff gets pretty hairy if you avoid blocking the caller. Maybe someone will clean that code up for me, anyway here it is.

  public class SchemaValidationMessageHandler : DelegatingHandler {

        private XmlSchemaSet _schemaSet;
        public SchemaValidationMessageHandler() {

            _schemaSet = new XmlSchemaSet();
            _schemaSet.Add(null, "OrderSchema.xsd");
        }

        protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken) {

            if (request.Content != null && request.Content.Headers.ContentType.MediaType == "application/xml")
            {
                var tcs = new TaskCompletionSource<HttpResponseMessage>();

                var task =  request.Content.LoadIntoBufferAsync()  // I think this is needed so XmlMediaTypeFormatter will still have access to the content
                    .ContinueWith(t => {
                                      request.Content.ReadAsStreamAsync()
                                          .ContinueWith(t2 => {
                                                            var doc = XDocument.Load(t2.Result);
                                                            var msgs = new List<string>();
                                                            doc.Validate(_schemaSet, (s, e) => msgs.Add(e.Message));
                                                            if (msgs.Count > 0) {
                                                                var responseContent = new StringContent(String.Join(Environment.NewLine, msgs.ToArray()));
                                                                 tcs.TrySetException(new HttpResponseException(
                                                                    new HttpResponseMessage(HttpStatusCode.BadRequest) {
                                                                        Content = responseContent
                                                                    }));
                                                            } else {
                                                                tcs.TrySetResult(base.SendAsync(request, cancellationToken).Result);
                                                            }
                                                        });

                                  });
                return tcs.Task;
            } else {
                return base.SendAsync(request, cancellationToken);
            }

        }
Cartagena answered 6/8, 2012 at 1:53 Comment(4)
Thanks for the response, I will try that out. I found a similar solution yesterday by throwing a HttpResponseException (see my own answer here). But I agree a bit that a MediaTypeFormatter doesn't seem to be the right place. BTW: Do you know what happens if you have multiple MessageHandlers? I have another one that does basic authentication and would not want that the validation handler kicks in at all if the authentication fails. Do I just have to ensure that the auth handler is before the validation handler in the MessageHandlers collection?Laresa
I don't get the code working at the moment. It ends with a Http 500, stacktrace EndProcessRequest -> OnAsyncHandlerCompletion in the msgs.Count > 0 case, the else case works. I'm not yet familiar enough with the Task API and WebAPI to find a fix. I tried some random changes, but without success. The authentication message handler must be the last one to be executed first. But I still enter the validation handler even if authentication fails in the auth handler. Perhaps I have to check the security principal and skip the handler then, somehow...Laresa
@Laresa By adding multiple message handlers you get a chain of them. Just add the validation handler after the auth handler.Cartagena
@Laresa If I get a chance I'll try investigating what I messed up. Simplest thing might be to change those async requests to be sync by accessing the .Result property.Cartagena
L
0

By trial and error I found a solution (for the WHAT NOW ? placeholder in the question's code):

//...
else
{
    PostOrderErrors errors = new PostOrderErrors
    {
        XmlValidationErrors = msgs
    };
    HttpResponseMessage response = new HttpResponseMessage(
        HttpStatusCode.BadRequest);
    response.Content = new ObjectContent(typeof(PostOrderErrors), errors,
        GlobalConfiguration.Configuration.Formatters.XmlFormatter);
    throw new HttpResponseException(response);
}

...with the response class like this:

public class PostOrderErrors
{
    public List<string> XmlValidationErrors { get; set; }
    //...
}

That seems to work and the response looks like this then:

HTTP/1.1 400 Bad Request
Content-Type: application/xml; charset=utf-8

<PostOrderErrors xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <XmlValidationErrors>
        <string>Some error text...</string>
        <string>Another error text...</string>
    </XmlValidationErrors>
</PostOrderErrors>
Laresa answered 6/8, 2012 at 10:43 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.