Tutorial: Membrane Router as SOAP Firewall
This tutorial describes how to use Membrane as an application level gateway, so that SOAP messages from the Internet are forwarded via a DMZ into the internal network. It is the router's task to make sure that only the right messages are routed into the internal network. Figure 1 shows how Membrane Router can work as a layer 7 firewall for Web Services. Membrane is running on port 80 inside the DMZ and is therefore visible to clients over the Internet. It seems that all Web Services are hosted on the computer www.predic8.de, but requests are routed to the services located in the internal network.
1. Starting Membrane Monitor
Unzip the Membrane Monitor archive into any folder and click on membrane-monitor.exe. The monitor window should now open.
2. Adding a Proxy for SOAP and WSDL
Click on Add Proxy in the Proxies menu.
Select Advanced Service Proxy as shown in figure 4 and click on Next.
Fill out the dialog as shown in figure 5.
By selecting the All methods entry in the method list box, any HTTP method is accepted. The proxy is therefore responsible for SOAP messages sent via POST as well as for WSDL documents requested with a GET. As the target you can use the public banking code service if you have direct Internet access. Click on Finish. You should now see the service proxy as shown in figure 7.
To test the rule, we try to access the WSDL document of the banking code service by requesting the following URL with a Web browser.
If everything is fine, the browser should display the WSDL document. See figure 8.
Have a look at the port elements at the end of the WSDL document. The BLZ Service has three ports. We are only interested in the SOAP 1.1 port named BLZServiceSOAP11port_http. The URL in its location attribute still points to www.thomas-bayer.com. See listing 1.
<service name='BLZService'>
    <port name='BLZServiceSOAP11port_http' binding='tns:BLZServiceSOAP11Binding'>
        <soap:address location='http://www.thomas-bayer.com/axis2/services/BLZService' />
    </port>
</service>
If we use that WSDL in a client, the client will connect directly to the service instead of going through Membrane. To make the client connect to Membrane, the endpoint location must be rewritten.
Open the edit dialog by selecting the proxy in the Proxies view and clicking on the Edit button. Switch to the XMLConfiguration tab. The text area of that tab shows an XML representation of the proxy configuration. Add a new <wsdlRewriter/> element as a child element of <serviceProxy/>, as shown in figure 10.
Click the OK button to finish editing and apply the changes.
Reload the WSDL in your browser. You will see that the address location of the service has been rewritten, as in the next listing:
<service name='BLZService'>
    <port name='BLZServiceSOAP11port_http' binding='tns:BLZServiceSOAP11Binding'>
        <soap:address location='http://localhost:80/axis2/services/BLZService' />
    </port>
</service>
localhost as endpoint location will only work if the client runs on the same computer. To make the service accessible from other computers, the endpoint URL has to carry the hostname of the computer Membrane Monitor is running on. Membrane Monitor therefore changes the hostname in the endpoint location of the WSDL document to the hostname the WSDL was requested with.
<service name='BLZService'>
    <port name='BLZServiceSOAP11port_http' binding='tns:BLZServiceSOAP11Binding'>
        <soap:address location='http://[requested_hostname]:80/axis2/services/BLZService' />
    </port>
</service>
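The rewriting step above is what keeps the internal service host out of the WSDL that clients see. The following Python script is an added illustration of that behaviour, not Membrane's own wsdlRewriter code: it rewrites every soap:address location to the requested gateway host and port while keeping the path, and it provides a check that no internal hostname survives in the published WSDL. The sample WSDL is constructed after listing 1; the namespace urn:blz is an assumption.

```python
from urllib.parse import urlsplit, urlunsplit
import xml.etree.ElementTree as ET

# Namespaces of the WSDL port/address elements (SOAP 1.1 and SOAP 1.2 bindings).
WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP11_NS = "http://schemas.xmlsoap.org/wsdl/soap/"
SOAP12_NS = "http://schemas.xmlsoap.org/wsdl/soap12/"
ADDRESS_TAGS = (f"{{{SOAP11_NS}}}address", f"{{{SOAP12_NS}}}address")
ET.register_namespace("", WSDL_NS)
ET.register_namespace("soap", SOAP11_NS)

# Constructed sample modelled on listing 1 of the tutorial (urn:blz is an assumed namespace).
SAMPLE_WSDL = f"""<definitions xmlns="{WSDL_NS}" xmlns:soap="{SOAP11_NS}" xmlns:tns="urn:blz">
  <service name="BLZService">
    <port name="BLZServiceSOAP11port_http" binding="tns:BLZServiceSOAP11Binding">
      <soap:address location="http://www.thomas-bayer.com/axis2/services/BLZService"/>
    </port>
  </service>
</definitions>"""


def endpoint_locations(wsdl_xml):
    """Return the location attribute of every soap:address element, in document order."""
    root = ET.fromstring(wsdl_xml)
    return [a.attrib["location"] for a in root.iter() if a.tag in ADDRESS_TAGS]


def rewrite_wsdl_endpoints(wsdl_xml, gateway_host, gateway_port=80, scheme="http"):
    """Point every soap:address at the gateway; only the path and query of the original URL are kept.

    gateway_host is the hostname the WSDL was requested with, as the tutorial describes."""
    root = ET.fromstring(wsdl_xml)
    for addr in root.iter():
        if addr.tag not in ADDRESS_TAGS or "location" not in addr.attrib:
            continue
        parts = urlsplit(addr.attrib["location"])
        new_loc = urlunsplit((scheme, f"{gateway_host}:{gateway_port}", parts.path, parts.query, ""))
        addr.set("location", new_loc)
    return ET.tostring(root, encoding="unicode")


def leaked_internal_hosts(wsdl_xml, internal_hosts):
    """Internal hostnames that still appear in an endpoint location; empty once rewriting worked."""
    seen = {urlsplit(loc).hostname for loc in endpoint_locations(wsdl_xml)}
    return sorted(seen & {h.lower() for h in internal_hosts})


if __name__ == "__main__":
    rewritten = rewrite_wsdl_endpoints(SAMPLE_WSDL, "www.predic8.de")
    print(endpoint_locations(rewritten))
    print("leaked:", leaked_internal_hosts(rewritten, ["www.thomas-bayer.com"]))
```

Running the leak check against the WSDL fetched through the gateway is a quick regression test that the wsdlRewriter is still active after configuration changes.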
To test the configuration we invoke the BLZ Service using the soapUI tool. First we create a new WSDL project. Then we create a new request. As a value for blz we can use 66762332 for example. After sending the request we should get back a response message as shown in figure 6.
Now, let's have a look at the GUI of the monitor. The previously created rule should have captured two messages: one for the WSDL requested by soapUI and one for the request to the service.
Now, we have successfully created and tested a forwarding proxy for the BLZService.
Using Membrane ESB
For production we do not need the graphical user interface; we can use Membrane ESB instead. To use the rule in the router, we save the configuration: click on the File menu and then on Save, using dmz.proxies.xml as the filename. Listing 3 shows the content of the file.
<proxies>
    <serviceProxy name="" port="80">
        <path isRegExp="false">/axis2/</path>
        <response>
            <wsdlRewriter />
        </response>
        <target host="thomas-bayer.com" port="80" />
    </serviceProxy>
    <global>
        <router adjustHostHeader="true" adjustContentLength="true" />
        <monitor-gui indentMessage="true" autoTrack="false" />
    </global>
</proxies>
The following command line shows how to start the Membrane router using the previously saved routing configuration.
C:\membrane-esb-x.x.x>bin\memrouter -c dmz.proxies.xml
The ESB distribution includes a sample configuration for the BLZ Service, so you can also start the router with:
C:\membrane-esb-x.x.x>bin\memrouter -c samples\blz-service-rules.xml