XPath Quantifiers and XML Gateways

About 7 years ago, I tested interop between Intel's NetStructure XML Director appliance (since discontinued) and the Vordel product set. I showed how we could send a signed XML message through the Intel box and have it routed to a Vordel XML Gateway where we validated the XML Signature. The goal was to show that the Intel box would route the XML without "breaking" the XML Signature.

The standard Use Case used in demos of the Netstructure XML Director box was "Here is an Purchase Order in XML. If the total value of the Purchase Order is above $X then we route it to this location. If it is less than $X we route it somewhere else". Although the Intel NetStructure XML Director was discontinued, that use case continues to come up again and again in demos.

This demo often used XPath Quantifiers to total up the Purchase Order at the XML Gateway. This allowed some of the more fancy aspects of XPath to be demo-ed. By "fancy" i mean aspects where you would imagine you'd need a DOM, and therefore you can show a nice speed difference between an appliance and some DOM-using open source software. If you used a simpler example, then a viewer may ask "could that not be optimized in software by avoiding DOM processing?".

However, whatever the motivations behind using this use case, the fact is that it is not often used in real life. I think that people assume that is what XPath processing on an XML Gateway is for. However, that is not the case.

Firstly, if you're making decisions based on Purchase Order value at the XML Gateway, then you are putting business logic out there. This is not necessarily a bad thing [since it will run more fast and more secure on an XML Gateway than on an app server].

However, the most common uses of XPath are:

1) As an underlying technology of WS-Addressing, WS-Security, et al. It is use to selectively pick out the data (e.g. routing locations) which is used for those higher-level standards.
2) To target XML data for encryption. For example, in medical "de-identification" uses of Vordel XML Gateways, we are selectively encrypting "identifying" patient data which we find inside XML messages on the network and at the Web Service endpoint. Xpath is one of the ways to find this identifying information.
3) To target XML data for signing. Here XPath is used to narrow down exactly what part of the message must be signed.
4) In the course of XML Enrichment [the name given to the practice of looking up contextual information which is then embedded into the XML message. For example, one of our mobile telecoms customers uses our XML Gateways to look up subscriber information in databases and directories and then to insert it into XML messages on the fly on the network, using XPath to signifiy the location. Then, the task of looking up this information is offloaded from the application server. It is an example of XML Offload.]

The lesson is that a device doing XPath alone doesn't make a whole lot of sense, even if it does the more fancy aspects of XPath such as quantifiers. We use highly optimized XPath a lot, but as an underlying technology for many higher-level technologies.