Validate OData Request Assertion
The Validate OData Request assertion is used to validate OData (Open Data Protocol) request messages using the Service Metadata Document (SMD) exposed by an OData service. The resource URI, query string, and (optionally) the payload of the request are analyzed to ensure they are well-formed, adhere to the OData v2.0 specifications, and apply to the target service.
The Validate OData Request assertion supports OData version 2.0.
The OData request may be stored in the default API Gateway request, response, or in a custom context variable. To learn about selecting the target message for this assertion, see Select a Target Message.
Retrieving the Service Metadata Document
The following sample policy provides an example on how to retrieve and cache the Service Metadata Document:
Notes and Limitations
Observe the following notes about this assertion:
- The assertion will test JSON payloads to ensure their content is suitable for the request type (for example, the request resource URI for a create entry operation points to collection "X", but the entry type described in the message payload is of type "Y") and will fail if it is not suitable. This test is not performed for Atom payloads.
- JSON payloads containing open type entries will fail to validate. This validation failure does not occur with Atom payloads.
- Batch request payloads cannot be validated. Attempting to validate a batch request will cause the assertion to fail.
- Payloads for function import requests cannot be validated.
- All HTTP methods are considered valid for function import requests.
- The Service Metadata Document must be made available in a context variable.
- Matrix parameters in request URIs are not supported and will fail to validate.
- OData versions 3.0 and 4.0 are not supported.
- Validation of requests using method tunnelling is not supported.
Context Variables Created by This Assertion
The Validate OData Request assertion sets the following context variables. Note: The default <prefix> is "odata" and can be changed in the assertion properties.
Context variables created by Validate OData Request assertion
Returns a Boolean value indicating the presence of the count option; example: "true"
Returns the top option value; example: "10"
Returns the filter expression in a multivalued variable; example: "length, CompanyName, 19, eq"
Returns the skip option value; example: "10"
Returns the Orderby expression in a multivalued context variable; example: "Rating, Category, Name, desc"
Returns the Expand expression; example: "Category,Suppliers"
Returns the format media type; example: "json"
Returns the Inlinecount setting; example: "allpages"
Returns the Select expression; example: "Rating,Category,Name"
Returns the custom query options in a multivalued variable; example: ["x=y", "a=b", "f=g"]
Returns the resource path segments in a multivalued variable; example: ["Categories(1)", "$links", "Products"]
Using the Assertion
- Do one of the following:
  - To add the assertion to the Policy Development window, see Add an Assertion.
  - To change the configuration of an existing assertion, proceed to step 2 below.
- Right-click <target>: Validate OData Request in the policy window and select OData Request Validation Properties, or double-click the assertion in the policy window. The assertion properties are displayed.
- Configure the properties as follows:
  - Service Metadata: Specify a context variable that contains the Service Metadata Document to use for validating the OData request. For more information, see "Retrieving the Service Metadata Document" earlier in this topic.
  - Resource: Specify the resource URI to validate against the Service Metadata Document, including the query string. You may reference context variables. Ensure the resource URI is correctly encoded from the client.
  - HTTP Method: Choose the HTTP method to use during payload validation. The "<Automatic>" option attempts to locate the method in the HttpRequestKnob in the target message. You may reference a context variable.
  - Actions: For improved security, the following request types are disallowed by default:
    - Allow $metadata request: Select this check box to allow the client to retrieve the metadata document from the service by requesting the $metadata URI.
    - Allow $value requests: Select this check box to allow the client to retrieve the raw value of the request target by calling the $value operation.
  - Allowed Operations: Select which OData operations are permitted:
    - GET: Allow or deny the OData retrieve operation.
    - POST: Allow or deny the OData create operation.
    - PUT: Allow or deny the OData update operation.
    - DELETE: Allow or deny the OData delete operation.
    - MERGE: Allow or deny the OData partial update operation.
    - PATCH: Allow or deny the OData partial update operation. This method is synonymous with MERGE.
  - Validate Payload: Select this check box to validate the message payload against the request URI and the Service Metadata Document. Clear this check box to not validate the message payload.
  - Variable Prefix: Enter a prefix that will be added to the context variables created by this assertion. This prefix will ensure uniqueness and will prevent the variables from overwriting each other when multiple instances of this assertion appear in a policy. Default: odata
- Click [OK] when done.
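The following Python sketch is an added illustration, not the gateway's code or part of the original documentation. It mimics the URI-level decisions described in this topic: the default deny for $metadata and $value, the per-method allow list, and the rejection of batch requests and matrix parameters. All function and field names are hypothetical, the sample URIs are constructed, and no Service Metadata Document is consulted.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Hypothetical policy mirroring the assertion properties (names are illustrative).
DEFAULT_POLICY = {
    "allow_metadata": False,  # "Allow $metadata request" cleared (default)
    "allow_value": False,     # "Allow $value requests" cleared (default)
    "allowed_methods": {"GET", "POST", "PUT", "DELETE", "MERGE", "PATCH"},
}

def split_odata_uri(resource):
    """Split a resource URI (relative to the service root) into path segments,
    system query options ($top, $filter, ...) and custom query options."""
    parts = urlsplit(resource)
    segments = [unquote(s) for s in parts.path.split("/") if s]
    system, custom = {}, []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.startswith("$"):
            system[name[1:]] = value
        else:
            custom.append(f"{name}={value}")
    return segments, system, custom

def check_request(method, resource, policy=DEFAULT_POLICY):
    """Return (allowed, reason) for the URI-level rules listed in this topic."""
    segments, _system, _custom = split_odata_uri(resource)
    method = method.upper()
    if method not in policy["allowed_methods"]:
        return False, f"{method} operation not permitted"
    if any(";" in s for s in segments):
        return False, "matrix parameters are not supported"
    if "$batch" in segments:
        return False, "batch requests cannot be validated"
    if "$metadata" in segments and not policy["allow_metadata"]:
        return False, "$metadata request not allowed"
    if segments and segments[-1] == "$value" and not policy["allow_value"]:
        return False, "$value request not allowed"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample requests, not taken from a real service.
    for m, uri in [("GET", "Categories(1)/$links/Products?$top=10&x=y"),
                   ("GET", "$metadata"),
                   ("GET", "Products(1)/Name/$value"),
                   ("POST", "$batch"),
                   ("GET", "Products;v=1")]:
        print(m, uri, check_request(m, uri))
```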