International SOA World Conference & Expo

SOA in the Cloud Expo

Subscribe to SOA in the Cloud Expo: eMailAlertsEmail Alerts newslettersWeekly Newsletters
Get SOA in the Cloud Expo: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


SOA World Expo Authors: Mark O'Neill, Jason Bloomberg, Trevor Parsons, Jyoti Bansal, Liz McMillan

Related Topics: Intel XML, XML Magazine, SOA Best Practices Digest, SOA & WOA Magazine, SOA in the Cloud Expo, CIO/CTO Update

Blog Feed Post

JSON Schema Validation for RESTful Web Services

JavaScript Object Notation is increasingly being considered as an alternative to XML

In the article "The importance of threat protection for restful web services", I presented a number of content-based threats for XML. When protecting an endpoint from XML based attacks, not only are payloads scanned for code injections, malicious entity declarations and parser attacks, XML documents are actually validated against strict schemas that clearly describe expected document structures. Enforcing this type of compliance at the edge, in a SOA gateway for example, minimizes the risk of attacks of the Web service endpoint. Structure definition languages such as XML Schema Definition (XSD), schematron, XPath are all helpful tools in describing the type of data and structure of XML documents that are expected at runtime.

JavaScript Object Notation (JSON) is increasingly being considered as an alternative to XML and already established as the preferred content-type for many RESTful Web services and APIs. JSON-enabled services that receive content from external sources are subjected to similar message level threats as XML based web services. The need for validation of JSON payload structures is an essential component of perimeter threat protection for JSON capable environments. An existing schema language specification for JSON named JSON Schema uses concepts similar as XSD to provide JSON structure definition. Also worth nothing is an alternative named Orderly which proposes a different specification using leaner syntax.

A number of recent posts illustrated the use of the SecureSpan SOA Gateway for the protection of RESTful Web services. In How to secure REST and JSON, Scott illustrated how to virtualize a REST API service, how to authenticate and authorize requesters, provide confidentiality, validate incoming query parameters, block code injections, and more. In addition to this, consider the SecureSpan JSON Schema validation assertion which can be incorporated in SecureSpan policies. In the service policy illustrated below, PUT requests are inspected for proper JSON structure using this assertion.

This assertion’s properties allow the administrator to provide a JSON Schema for runtime validation. See below a simple JSON Schema loaded in the assertion’s properties.

For testing this policy, we can PUT requests to this service using the Firefox REST Client plugin. This lets us verify that only JSON stuctures that comply with the JSON Schema are accepted.

Test 1 – Sending a JSON payload that conforms to the JSON Schema.

Test 2 – Sending a JSON payload that violates the JSON Schema prescribed structure.

The ability to validate incoming JSON payloads at the perimeter, in an isolated and secured environment is another example of SecureSpan’s value in securing RESTful environments.

More Stories By Francois Lascelles

As Layer 7’s Chief Architect, Francois Lascelles guides the solutions architecture team and aligns product evolution with field trends. Francois joined Layer 7 in the company’s infancy – contributing as the first developer and designing the foundation of Layer 7’s Gateway technology. Now in a field-facing role, Francois helps enterprise architects apply the latest standards and patterns. Francois is a regular blogger and speaker and is also co-author of Service-Oriented Infrastructure: On-Premise and in the Cloud, published by Prentice Hall. Francois holds a Bachelor of Engineering degree from Ecole Polytechnique de Montreal and a black belt in OAuth. Follow Francois on Twitter: @flascelles

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.