For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Greg_33558's avatar
Greg_33558
Icon for Nimbostratus rankNimbostratus
Aug 27, 2013

How to support multiple XML schemas in ASM?

We have an XML-over-HTTP web service which we are attempting to protect with the ASM. The problem I am finding is that there are multiple versions of the API, each of which has minor incompatibilities with the others. The backend application reads the Content-Type HTTP header (something like "application/com.foobar.api-v2+xml"), determines that this is version 2 of the XML API, and parses it accordingly. But the next request to come in might be from a customer running version 6 of the API; that will be encoded in the Content-Type header as "application/com.foobar.api-v6+xml". The application handles it; the ASM does not.

 

How can I support multiple XML schemas in use for the same URI and parameters? I can associate a single XML profile with either of those, but not multiple XML profiles. I don't appear to be allowed multiple XML schemas for a single URL in a single XML profile. There doesn't appear to be a way to associate an XML profile with an HTTP header as there are for URIs and parameters.

 

ASM Advanced WAF
design
schema
security
xml

3 Replies

  • gowenfawr's avatar
    gowenfawr
    Icon for Nimbostratus rankNimbostratus
    Aug 29, 2013

    I figured it out. Header-Based Content Profiles in the Allowed URL Properties:

     

     

    Just enter multiple entries for (in my case) Content-Type as the Request Header Name and the different version tags go into the Request Header Value. Parse as XML, and use a different XML Profile with each. Each XML Profile has a different version .XSD attached to it. So, if the ASM sees HTTP header "Content-Type: application/com.foobar.api-v2+xml", it will use the provision_api_v2 profile which uses v2 of the XML XSD when parsing it.

     

    Can be verified by the ASM request logs - if there is an XML schema violation and you click for details, it will list the XML Profile that was used when determining the violation:

     

     

  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Aug 29, 2013

    as you are using a HTTP class profile (i assume unless you are using v11.4+) to send traffic towards the ASM can't you use multiple HTTP class profiles that based on header content send to different ASM profiles and thus different XML schemas.