cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r814162 - in /websites/production/cxf/content: cache/docs.pageCache docs/security.html
Date Mon, 23 Apr 2012 22:48:17 GMT
Author: buildbot
Date: Mon Apr 23 22:48:17 2012
New Revision: 814162

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/security.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/security.html
==============================================================================
--- websites/production/cxf/content/docs/security.html (original)
+++ websites/production/cxf/content/docs/security.html Mon Apr 23 22:48:17 2012
@@ -124,7 +124,7 @@ Apache CXF -- Security
 <div id="ConfluenceContent"><p><span style="font-size:2em;font-weight:bold">
Securing CXF Services </span></p>
 
 <div>
-<ul><li><a shape="rect" href="#Security-Securetransports">Secure transports</a></li><ul><li><a
shape="rect" href="#Security-HTTPS">HTTPS</a></li></ul><li><a
shape="rect" href="#Security-WSSecurity">WS-* Security</a></li><li><a
shape="rect" href="#Security-Authentication">Authentication</a></li><li><a
shape="rect" href="#Security-WSSecurityUsernameTokenandCustomAuthentication">WS-Security
UsernameToken and Custom Authentication</a></li><li><a shape="rect" href="#Security-Authorization">Authorization</a></li></ul></div>
+<ul><li><a shape="rect" href="#Security-Securetransports">Secure transports</a></li><ul><li><a
shape="rect" href="#Security-HTTPS">HTTPS</a></li></ul><li><a
shape="rect" href="#Security-WSSecurity">WS-* Security</a></li><li><a
shape="rect" href="#Security-Authentication">Authentication</a></li><li><a
shape="rect" href="#Security-WSSecurityUsernameTokenandCustomAuthentication">WS-Security
UsernameToken and Custom Authentication</a></li><li><a shape="rect" href="#Security-Authorization">Authorization</a></li><li><a
shape="rect" href="#Security-ControllingthedepthofXMLpayloads">Controlling the depth of
XML payloads</a></li></ul></div>
 
 <h1><a shape="rect" name="Security-Securetransports"></a>Secure transports</h1>
 
@@ -229,7 +229,50 @@ Apache CXF -- Security
 <span class="code-tag">&lt;/bean&gt;</span>
 
 </pre>
-</div></div> </div>
+</div></div> 
+
+<h1><a shape="rect" name="Security-ControllingthedepthofXMLpayloads"></a>Controlling
the depth of XML payloads</h1>
+
+<p>Endpoints expecting XML payloads may get <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/DepthRestrictingStreamInterceptor.java">DepthRestrictingInterceptor</a>
registered and configured in order to control the limits a given XML payload may not exceed.
This can be useful in a variety of cases in order to protect against massive payloads which
can potentially cause the denial-of-service situation or simply slow the service down a lot.</p>
+
+<p>The complete number of XML elements, the number of immediate children of a given
XML element may contain and the stack depth of the payload can be restricted, for example:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-xml">
+
+<span class="code-tag">&lt;bean id=<span class="code-quote">"depthInterceptor"</span>
class=<span class="code-quote">"org.apache.cxf.interceptor.security.DepthRestrictingStreamInterceptor"</span>&gt;</span>
+  <span class="code-tag"><span class="code-comment">&lt;!-- Total number
of elements in the XML payload --&gt;</span></span>
+  <span class="code-tag">&lt;property name=<span class="code-quote">"elementCountThreshold"</span>
value=<span class="code-quote">"5000"</span>/&gt;</span>
+
+  <span class="code-tag"><span class="code-comment">&lt;!-- Total number
of child elements for XML elements --&gt;</span></span>
+  <span class="code-tag">&lt;property name=<span class="code-quote">"innerElementCountThreshold"</span>
value=<span class="code-quote">"3000"</span>/&gt;</span>
+
+  <span class="code-tag"><span class="code-comment">&lt;!-- Maximum stack
depth of the XML payload --&gt;</span></span>
+  <span class="code-tag">&lt;property name=<span class="code-quote">"innerElementLevelThreshold"</span>
value=<span class="code-quote">"20"</span>/&gt;</span>
+
+<span class="code-tag">&lt;/bean&gt;</span>
+
+<span class="code-tag">&lt;jaxws:endpoint&gt;</span>
+  <span class="code-tag">&lt;jaxws:inInterceptors&gt;</span>
+   <span class="code-tag">&lt;bean ref=<span class="code-quote">"depthInterceptor"</span>/&gt;</span>
+ <span class="code-tag">&lt;/jaxws:inInterceptors&gt;</span>
+<span class="code-tag">&lt;jaxws:endpoint&gt;</span>
+
+<span class="code-tag">&lt;jaxrs:server&gt;</span>
+  <span class="code-tag">&lt;jaxrs:inInterceptors&gt;</span>
+   <span class="code-tag">&lt;bean ref=<span class="code-quote">"depthInterceptor"</span>/&gt;</span>
+ <span class="code-tag">&lt;/jaxrs:inInterceptors&gt;</span>
+<span class="code-tag">&lt;jaxrs:server&gt;</span>
+
+</pre>
+</div></div>
+
+<p>When one of the limits is reached, the error is returned. JAX-WS consumers will
receive 500, JAX-RS/HTTP consumers: 413.</p>
+
+<p>The following system properties can also be set up for JAX-WS endpoints: "org.apache.cxf.staxutils.innerElementCountThreshold"
and "org.apache.cxf.staxutils.innerElementLevelThreshold".</p>
+
+<p>Finally, default JAX-RS org.apache.cxf.jaxrs.provider.JAXBElementProvider and JAXB-based
org.apache.cxf.jaxrs.provider.json.JSONProvider can be directly configured with <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/staxutils/DocumentDepthProperties.java">DepthRestrictingProperies</a>.</p>
+</div>
            </div>
            <!-- Content -->
          </td>
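Review bot: the two registration snippets in the new section are not well-formed XML: `<jaxws:endpoint>` is closed with a second opening tag `<jaxws:endpoint>` and `<jaxrs:server>` with `<jaxrs:server>`, so anyone pasting the example into a Spring context gets a parse failure before the depth interceptor is ever registered; they should read `</jaxws:endpoint>` and `</jaxrs:server>`. The link texts also disagree with the classes they point to: the first link reads "DepthRestrictingInterceptor" while the URL and the bean class are org.apache.cxf.interceptor.security.DepthRestrictingStreamInterceptor, and the last link reads "DepthRestrictingProperies" (typo) while the URL is org/apache/cxf/staxutils/DocumentDepthProperties.java; use the class names from the URLs in both places. The comment on innerElementCountThreshold, "Total number of child elements for XML elements", reads like another global count, whereas the prose above says it bounds the number of immediate children a single element may contain; a comment such as "Maximum number of immediate child elements of any one element" would match. Lastly, the system-property paragraph lists only org.apache.cxf.staxutils.innerElementCountThreshold and org.apache.cxf.staxutils.innerElementLevelThreshold; if elementCountThreshold has no system-property equivalent, say so, otherwise readers will guess at a property name that does not exist. Minor: "the error is returned" should be "an error is returned".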


