KB Article #177042

Does the API Gateway perform schema validation on a SOAP request?

Problem

The API Gateway does not appear to perform schema validation on incoming SOAP requests. An invalid request containing 2 SOAP bodies was sent, but the request was not failed before it was sent on to the backend server.

Answer

By default, the API Gateway does not schema validate the entire incoming SOAP request XML message. The only validation performed is a check on the SOAP namespace used in the message: for the <SOAP:Envelope> element, the service handler filter checks which SOAP version the "SOAP" prefix is bound to and makes sure it matches the one in the binding in the WSDL (SOAP 1.1 or SOAP 1.2). It therefore checks only the SOAP version (1.1 or 1.2); it does not schema validate the entire request against either the SOAP 1.1 or the SOAP 1.2 schema.

Resolution

A Schema Validation filter should be added either before the Service Handler or in global policy. For an example, see "Must be SOAP 1.1 message" in the sample "XML Threat Policy".

With the Schema Validation filter in place, a request with 2 bodies will fail with the following error:

ERROR 10/Feb/2015:07:44:57.600 [aef16940] XSD validation failed
ERROR 10/Feb/2015:07:44:57.600 [aef16940] cvc-complex-type.2.4.a: Invalid content was found starting with element 'soapenv:Header'. One of '{"http://schemas.xmlsoap.org/soap/envelope/":Body}' is expected.

The error can be returned to the client via a SOAP fault – see https://support.axway.com/en/articles/article-details/id/163231.
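The gap described above, as an added example that is not Axway code: a namespace-only check accepts an envelope with two bodies, while a check of the SOAP 1.1 Envelope content model rejects it. The function names and sample messages are constructed for illustration, and the structural check is a standard-library stand-in for real XSD validation, not the gateway's filter.

```python
import xml.etree.ElementTree as ET

SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ENVELOPE, HEADER, BODY = (f"{{{SOAP11_NS}}}{n}" for n in ("Envelope", "Header", "Body"))

def namespace_only_check(xml_text):
    """Default behaviour described in the article: only the envelope's
    SOAP namespace is checked, not the structure underneath it."""
    return ET.fromstring(xml_text).tag == ENVELOPE

def envelope_structure_errors(xml_text):
    """Check the SOAP 1.1 Envelope content model: optional Header, exactly one
    Body, then only elements from other namespaces. Returns error strings."""
    if "<!DOCTYPE" in xml_text:  # SOAP 1.1 messages must not contain a DTD
        return ["DOCTYPE declaration is not allowed"]
    root = ET.fromstring(xml_text)
    if root.tag != ENVELOPE:
        return ["root element is not a SOAP 1.1 Envelope"]
    children = list(root)
    pos = 1 if children and children[0].tag == HEADER else 0
    if pos >= len(children) or children[pos].tag != BODY:
        found = children[pos].tag if pos < len(children) else "end of Envelope"
        return [f"Body expected at child {pos}, found {found}"]
    errors = []
    for child in children[pos + 1:]:
        # After Body, the schema allows only elements from *other* namespaces.
        if child.tag.startswith(f"{{{SOAP11_NS}}}") or not child.tag.startswith("{"):
            errors.append(f"unexpected element after Body: {child.tag}")
    return errors

# Constructed sample messages (not taken from the article).
ENV_TEMPLATE = ('<soapenv:Envelope xmlns:soapenv="%s" xmlns:m="urn:example">'
                '%%s</soapenv:Envelope>' % SOAP11_NS)
ONE_BODY = "<soapenv:Body><m:Ping/></soapenv:Body>"
VALID = ENV_TEMPLATE % ("<soapenv:Header/>" + ONE_BODY)
TWO_BODIES = ENV_TEMPLATE % (ONE_BODY + ONE_BODY)
HEADER_AFTER_BODY = ENV_TEMPLATE % (ONE_BODY + "<soapenv:Header/>")

if __name__ == "__main__":
    for name, msg in [("valid", VALID), ("two bodies", TWO_BODIES),
                      ("header after body", HEADER_AFTER_BODY)]:
        print(name, "| namespace check:", namespace_only_check(msg),
              "| structure errors:", envelope_structure_errors(msg))
```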