Airlock SOAP/XML filter

Airlock's main functionality is to protect Web applications by filtering HTTP and HTTPS data streams for web attacks. With the add-ons XML Filter and SOAP Filter, a further layer of protocol validation can be added to protect Web services using SOAP or native XML data streams. Those modules protect against XEE and XXE attacks - known as DTD attacks or XML bombs.

XML-Filter

The Airlock module XML Filter is able to validate native XML data streams against their predefined XML schemas. Multiple XML schemas may be linked to both requests and responses. XML Filter will validate configured requests and responses against those XML schemas. At least one validation has to be successfull to pass Airlock.

SOAP-Filter

The Airlock module SOAP Filter is able to validate SOAP messages against their predefined WSDL files. Multiple WSDL files can be linked to one back-end Web service.

Customer-specific Java filters can be written and attached to each parameter in both the request and the response of a SOAP message. Please read the appropriate section in the SOAP Filter manual attached to this article for further information on implementing such a filter.

WS-Security is not supported by SOAP Filter at this time, but may be added in a future release of the module. Until then, please take care to not sign nor encrypt parts of a SOAP message. Use SSL client certificates instead to build trust between the client and Airlock and between Airlock and the back-end Web service.

XML over SOAP

The module XML Over SOAP is a filter add-on for the SOAP Filter. With this module, a specific parameter in a SOAP message either in the request or in the response can be declared as beeing an XML data stream. This XML data stream then can be validated against one or more XML schemas. At least one validation has to be successfull for the data streamt to be passed to the Back-end Web Service (request) or back to the client (response).

Installing SOAP/XML filters in Airlock

XML Filter and SOAP Filter are both implemented as Java servlets . They both connect to Airlock through Airlock's ICAP interface. ICAP is a standard interface to for filters like virus scanners, data leakage prevention systems and simililar technology avaliable to gateways.

Please ensure that your Airlock license includes the use of ICAP.

XML Over SOAP is a module that is plugged into SOAP Filter as an additional Java archive. XML Over SOAP is not able to run without SOAP Filter. To filter XML data outside of SOAP, use the XML Filter.

XML Filter and SOAP Filter can be deployed in any standard Java Servlet container like Tomcat, BEA WebLogic or IBM WebSphere.

Download

For getting access to the filter modules please contact Airlock Support. The documentation is available here.