11 November 2010

AIF surprises with verbose responses...

The title could also have been "AIF security hole", but I chose the understatement ;-)

Using QueryCriteria to filter can result in all data being returned if you make an error in your request. To show this, let's take the standard AddressService and issue a find request through the FileSystemAdapter. Here is a correct request example:

<?xml version="1.0" encoding="utf-8"?>
<Envelope xmlns="http://schemas.microsoft.com/dynamics/2008/01/documents/Message">
  <Header>
    <MessageId>{DD112222-0306-1220-0001-DD33444455DD}</MessageId>
    <SourceEndpointUser>DYNAMICS\Administrator</SourceEndpointUser>
    <SourceEndpoint>Sample</SourceEndpoint>
    <DestinationEndpoint>Contoso</DestinationEndpoint>
    <Action>http://schemas.microsoft.com/dynamics/2008/01/services/AddressService/find</Action>
  </Header>
  <Body>
    <MessageParts>
      <QueryCriteria xmlns="http://schemas.microsoft.com/dynamics/2006/02/documents/QueryCriteria">
        <CriteriaElement>
          <DataSourceName>Address</DataSourceName>
          <FieldName>Name</FieldName>
          <Operator>Equal</Operator>
          <Value1>Sit*</Value1>
        </CriteriaElement>
      </QueryCriteria>
    </MessageParts>
  </Body>
</Envelope>

Now the QueryCriteria contains an error (I removed the CriteriaElement):

<?xml version="1.0" encoding="utf-8"?>
<Envelope xmlns="http://schemas.microsoft.com/dynamics/2008/01/documents/Message">
  <Header>
    <MessageId>{DD112222-0306-1220-0001-DD33444455DD}</MessageId>
    <SourceEndpointUser>DYNAMICS\Administrator</SourceEndpointUser>
    <SourceEndpoint>Sample</SourceEndpoint>
    <DestinationEndpoint>Contoso</DestinationEndpoint>
    <Action>http://schemas.microsoft.com/dynamics/2008/01/services/AddressService/find</Action>
  </Header>
  <Body>
    <MessageParts>
      <QueryCriteria xmlns="http://schemas.microsoft.com/dynamics/2006/02/documents/QueryCriteria">
        <DataSourceName>Address</DataSourceName>
        <FieldName>Name</FieldName>
        <Operator>Equal</Operator>
        <Value1>Sit*</Value1>
      </QueryCriteria>
    </MessageParts>
  </Body>
</Envelope>

Normally this could not be validated because it does not conform to the schema defined in QueryCriteria.xsd. The QueryCriteria element requires at least one CriteriaElement.

But instead of rejecting the request document as invalid, AIF decides to return all data. This behaviour can be reproduced with any standard or custom AIF document service.

It is very likely that the AIF services do not validate incoming XML messages for performance reasons (whereas validation is configurable for outgoing messages!), but it should nevertheless be possible to configure this.
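As an added example (not code from the original post or from Dynamics Ax), here is the kind of inbound check that would close this gap, written in Python with the standard library. The element names and the Message/QueryCriteria namespaces are assumed from the AX 2009 AIF message layout, the operator list is assumed from the QueryCriteria schema, and the sample request bodies are constructed from the two requests shown above.

```python
import xml.etree.ElementTree as ET

# Operators in the CriteriaElement schema (assumed list; Range also needs Value2).
OPERATORS = {"Equal", "NotEqual", "Greater", "GreaterOrEqual", "Less", "LessOrEqual", "Range"}

def _local(tag):
    """Strip the namespace from an ElementTree tag so prefixes do not matter."""
    return tag.rsplit("}", 1)[-1]

def validate_query_criteria(xml_text):
    """Return the CriteriaElements of an AIF find request as dicts, or raise ValueError.
    This is the inbound check the post says AIF skips: a QueryCriteria without a
    well-formed CriteriaElement is rejected instead of meaning "return everything"."""
    root = ET.fromstring(xml_text)
    crit = [e for e in root.iter() if _local(e.tag) == "QueryCriteria"]
    if len(crit) != 1:
        raise ValueError("request must contain exactly one QueryCriteria")
    elements = []
    for child in crit[0]:
        if _local(child.tag) != "CriteriaElement":
            raise ValueError("unexpected <%s> under QueryCriteria" % _local(child.tag))
        fields = {_local(f.tag): (f.text or "").strip() for f in child}
        for name in ("DataSourceName", "FieldName", "Operator", "Value1"):
            if not fields.get(name):
                raise ValueError("CriteriaElement is missing " + name)
        if fields["Operator"] not in OPERATORS:
            raise ValueError("unknown Operator " + fields["Operator"])
        if fields["Operator"] == "Range" and not fields.get("Value2"):
            raise ValueError("Range requires Value2")
        elements.append(fields)
    if not elements:
        raise ValueError("QueryCriteria must contain at least one CriteriaElement")
    return elements

def is_accepted(xml_text):
    """True if the request passes validation, False if it would be rejected."""
    try:
        validate_query_criteria(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False

# Constructed request bodies modelled on the post's two messages (header omitted).
_BODY = ('<Body xmlns="http://schemas.microsoft.com/dynamics/2008/01/documents/Message">'
         '<MessageParts><QueryCriteria xmlns="http://schemas.microsoft.com/dynamics/2006/02/documents/QueryCriteria">'
         '%s</QueryCriteria></MessageParts></Body>')
_FIELDS = ('<DataSourceName>Address</DataSourceName><FieldName>Name</FieldName>'
           '<Operator>Equal</Operator><Value1>Sit*</Value1>')
GOOD_REQUEST = _BODY % ("<CriteriaElement>" + _FIELDS + "</CriteriaElement>")
BAD_REQUEST = _BODY % _FIELDS    # CriteriaElement wrapper removed, as in the post
EMPTY_REQUEST = _BODY % ""       # no criteria at all: must not mean "match everything"
```

Run as a gate in front of the document service, a request like the second one above is refused with an explicit error rather than silently turned into an unfiltered read.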

08 November 2010

Dynamics Ax 2009 AIF message

Here is a simple schema of the AIF message structure, based on the Dynamics Ax 2009 AIF XSD schemas. The two principal elements of an AIF message are the message header and the message body.
All elements in the schema, with the exception of the "any" element (part of the message body), are explicitly defined by a Microsoft namespace (like http://schemas.microsoft.com/dynamics/...). The custom schema (by default derived from the query underlying the document) needs to be explicitly defined by its own namespace. By default a namespace identifies the service by its publisher (like schemas.microsoft.com), its version (given by its creation date: yyyy/mm) and its purpose, the name of the service. This might for example be: http://yourcompany.com/2010/11/services/YourCustomService
The AIF actions are associated with the namespace of the message. A message header might for example look like this:
{3B7C23AB-B0EF-4C35-8DC6-481574080F62} Default Default http://yourcompany.com/2010/11/services/YourCustomService/read {C8111B69-9786-4BB4-9A03-D0BE847F4C3C}