Search This Blog

11 November 2010

AIF surprises with verbose responses...

The title could also be "AIF security whole", but I choosed the understatement ;-)

Using QueryCriteria to filter can result in returning all data it you do an error in your request. To describe this, lets take the standard AddressService and do a find request by using the FileSystemAdapter. Here's a correct requst example:

{DD112222-0306-1220-0001-DD33444455DD} DYNAMICS\Administrator Sample Contoso
Address Name Equal Sit*

Now the QueryCriteria does contain an error (I removed the CriteriaElement):

{DD112222-0306-1220-0001-DD33444455DD} DYNAMICS\Administrator Sample Contoso
Address Name Equal Sit*

Normally this cannot be validated because it is not conform to the schema
defined in the QueryCriteria.xsd. The QueryCriteria elemet riquires to have at least one CriteriaElement:




But instead of not validating the document of the request, AIF decides to return all data. This behavior can be reproduced on any standard or custom AIF document service.

It is very likely that the Aif-services do not validate incoming Xml messages (as it is configurable for outgoing messages!) for performance reasons, but it should be possible to configure this nevertheless.

08 November 2010

Dyanmics Ax 2009 AIF message

Here is a simple schema of the AIF message structure based on the Dynamics Ax 2009 AIF Xsd-schemas:The two principle elements of an AIF message are the message header and the message body.
All elements in the schema with exception of the "any" element (part of the message body) are explicitly defined by a Microsoft namespace (like The custom schema (by default deduced from the document underlying query) need to be explicitly defined by its own namespace. A namespace will define the service by default by its editor (like, its version (defined by its creation date: yyy/mm) and its purpose: the name of the service. This might be for example:
The AIF actions are associated to the namespace of the message. A message header might for example look like this:
{3B7C23AB-B0EF-4C35-8DC6-481574080F62} Default Default {C8111B69-9786-4BB4-9A03-D0BE847F4C3C}