Defining the AcceptPO Web Method

Server-Side Validation

Throughout this chapter, I create a definition for a strongly typed PurchaseOrder XML datatype. I also create a strongly typed interface for the AcceptPO Web method. You might be surprised by the fact that the ASP.NET runtime will not validate incoming requests against the schema I have so painstakingly created. For example, the following SOAP request message will be parsed by the ASP.NET runtime without throwing an exception.

<?xml version="1.0" encoding="utf-8"?> <soap:Envelope xmlns:soap=http://schemas.xmlsoap.org/soap/envelope">     <soap:Body>     </soap:Body> </soap:Envelope>

As you can see, the elements and attributes that are not allowed to be null are not contained within the preceding document. However, the document will be accepted and deserialized by the ASP.NET runtime. This is an obvious problem because you cannot count on the ASP.NET runtime to perform any validation on your behalf.

One way to overcome this problem is to validate each of the objects and their associated properties after the ASP.NET runtime deserializes the request message. This doesn't sound like much fun. Instead of writing my own validation code, I can leverage the XML DOM to do it for me.

I could write a SOAP Extension that would validate the XML request against the schema advertised in the Web service's WSDL document. Such an extension could intercept the stream before it is deserialized by the runtime. It could then initialize the DOM with the schemas section of the WSDL document and then attempt to load the document. If the DOM throws an exception, the exception could be packaged in an instance of a SoapException and then returned to the client.