Tutorial: Membrane Router as SOAP Firewall
This tutorial describes how to use Membrane Router as application level gateway, so that SOAP messages from the internet are forwarded via a DMZ into the internal network. It is the routers task to make sure that only the right messages are routed into the internal network. For this tutorial you need a Membrane Monitor distribution and a direct internet connection. Membrane Monitor contains also Membrane Router, so only one installation is needed. The monitor GUI is used in this tutorial to create the rulebase for the router. In this tutorial messages to your local computer should be forwarded to a banking code web service running on the internet. In figure X you can see the banking code service on the right side. The service is running on port 80 at the host thomas-bayer.com . Membrane router is listening also on port 80 on a different host. For the consumer on the left side it looks like the service is running on the host in the middle. The steps described below will guide you for the setup of the router.
1. Starting Membrane Monitor
Unzip the Membrane Monitor archive at any folder. Open a command line and navigate into the unzipped folder.
Start the monitor by executing the run.bat script.
The monitor window should open now.
2. Adding a rule for SOAP and WSDL
Click on Add Rule in the Rule menu.
Fill out the Add Rule Dialog as shown in figure 3.
The * in the method listbox accepts any HTTP method. So the rule fires for SOAP messages that are sent via POST and fires also for WSDL documents requested by a GET method. For the target you can use the public banking code service if you have direct internet access. Click on Add Rule. Now you should see the rule details as shown in figure 4.
To test the rule we try to access the WSDL document of the banking code service by requesting the following URL with a Web browser.
If everything is fine the browser should display the WSDL document. See figure 5.
Have a look at the port elements at the end of the WSDL document. The BLZ Service has three ports. We are interested in the SOAP 1.1 Port named BLZServiceSOAP11port_http only. The URL in the location attribute is now pointing to localhost instead of www.thomas-bayer.com. See listing 1.
<service name='BLZService'> <port name='BLZServiceSOAP11port_http' binding='tns:BLZServiceSOAP11Binding'> <soap:address location='http://localhost:80/axis2/services/BLZService' /> </port> </service>
Localhost as endpoint location will only work if you run a client from the same computer. To make the service accessable from other computers the endpoint URL has to be changed to the hostname of the computer Membrane Monitor is running on. Membrane Monitor changes the hostname of the endpoint location in the WSDL document to the name of the host we have requested.
<service name='BLZService'> <port name='BLZServiceSOAP11port_http' binding='tns:BLZServiceSOAP11Binding'> <soap:address location='http://dffd4q3j:2000/axis2/services/BLZService' /> </port> </service>
To test the Membrane Router configuration we invoke the BLZ Service using the soapUI tool. First we create a new WSDL project. Then we create a new request. As a value for blz we can use 66762332 for example. After sending the request we should get back a response message as shown in figure 6.
Now, let's have a look at the GUI of the monitor. The previously created rule should have captured two messages. One for the WSDL requested from soapUI and a message to the service.
Now, we have successfully created and tested a forwarding rule for the BLZService.
Using Membrane Router
For production we do not need the graphical userinterface. We can use Membrane SOAP Router instead. To use the rule in the router we save the configuration. Click on the file menu and then on Save. Use dmz-proxy.xml as filename. Listing 4 shows the content of the file.
<configuration> <rules> <rule host="*" port="2000" path="/axis2/" method=" * "> <targetport>80</targetport> <targethost>thomas-bayer.com</targethost> </rule> </rules> <format> <adjustContentLength>true</adjustContentLength> <indentMessage>true</indentMessage> <adjustHostHeader>true</adjustHostHeader> </format> </configuration>
The following command line shows how to start Membrane router using the previously saved routing configuration.
C:\java\membrane-router-0.9.4>bin\memrouter -c dmz-proxy.xml
The router distribution includes the sample configuration for the BLZ Service. So you can start the router with:
C:\java\membrane-router-0.9.4>bin\memrouter -c samples\blz-service-rules.xml