Author: buildbot Date: Mon Apr 23 22:48:17 2012 New Revision: 814162 Log: Production update by buildbot for cxf
Modified: websites/production/cxf/content/cache/docs.pageCache websites/production/cxf/content/docs/security.html Modified: websites/production/cxf/content/cache/docs.pageCache ============================================================================== Binary files - no diff available. Modified: websites/production/cxf/content/docs/security.html ============================================================================== --- websites/production/cxf/content/docs/security.html (original) +++ websites/production/cxf/content/docs/security.html Mon Apr 23 22:48:17 2012 @@ -124,7 +124,7 @@ Apache CXF -- Security <div id="ConfluenceContent"><p><span style="font-size:2em;font-weight:bold"> Securing CXF Services </span></p> <div> -<ul><li><a shape="rect" href="#Security-Securetransports">Secure transports</a></li><ul><li><a shape="rect" href="#Security-HTTPS">HTTPS</a></li></ul><li><a shape="rect" href="#Security-WSSecurity">WS-* Security</a></li><li><a shape="rect" href="#Security-Authentication">Authentication</a></li><li><a shape="rect" href="#Security-WSSecurityUsernameTokenandCustomAuthentication">WS-Security UsernameToken and Custom Authentication</a></li><li><a shape="rect" href="#Security-Authorization">Authorization</a></li></ul></div> +<ul><li><a shape="rect" href="#Security-Securetransports">Secure transports</a></li><ul><li><a shape="rect" href="#Security-HTTPS">HTTPS</a></li></ul><li><a shape="rect" href="#Security-WSSecurity">WS-* Security</a></li><li><a shape="rect" href="#Security-Authentication">Authentication</a></li><li><a shape="rect" href="#Security-WSSecurityUsernameTokenandCustomAuthentication">WS-Security UsernameToken and Custom Authentication</a></li><li><a shape="rect" href="#Security-Authorization">Authorization</a></li><li><a shape="rect" href="#Security-ControllingthedepthofXMLpayloads">Controlling the depth of XML payloads</a></li></ul></div> <h1><a shape="rect" name="Security-Securetransports"></a>Secure transports</h1> 
@@ -229,7 +229,50 @@ Apache CXF -- Security <span class="code-tag"></bean></span> </pre> -</div></div> </div> +</div></div> + +<h1><a shape="rect" name="Security-ControllingthedepthofXMLpayloads"></a>Controlling the depth of XML payloads</h1> + +<p>Endpoints expecting XML payloads may get <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/DepthRestrictingStreamInterceptor.java">DepthRestrictingInterceptor</a> registered and configured in order to control the limits a given XML payload may not exceed. This can be useful in a variety of cases in order to protect against massive payloads which can potentially cause the denial-of-service situation or simply slow the service down a lot.</p> + +<p>The complete number of XML elements, the number of immediate children of a given XML element may contain and the stack depth of the payload can be restricted, for example:</p> + +<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> +<pre class="code-xml"> + +<span class="code-tag"><bean id=<span class="code-quote">"depthInterceptor"</span> class=<span class="code-quote">"org.apache.cxf.interceptor.security.DepthRestrictingStreamInterceptor"</span>></span> + <span class="code-tag"><span class="code-comment"><!-- Total number of elements in the XML payload --></span></span> + <span class="code-tag"><property name=<span class="code-quote">"elementCountThreshold"</span> value=<span class="code-quote">"5000"</span>/></span> + + <span class="code-tag"><span class="code-comment"><!-- Total number of child elements for XML elements --></span></span> + <span class="code-tag"><property name=<span class="code-quote">"innerElementCountThreshold"</span> value=<span class="code-quote">"3000"</span>/></span> + + <span class="code-tag"><span class="code-comment"><!-- Maximum stack depth of the XML payload --></span></span> + <span class="code-tag"><property 
name=<span class="code-quote">"innerElementLevelThreshold"</span> value=<span class="code-quote">"20"</span>/></span> + +<span class="code-tag"></bean></span> + +<span class="code-tag"><jaxws:endpoint></span> + <span class="code-tag"><jaxws:inInterceptors></span> + <span class="code-tag"><bean ref=<span class="code-quote">"depthInterceptor"</span>/></span> + <span class="code-tag"></jaxws:inInterceptors></span> +<span class="code-tag"><jaxws:endpoint></span> + +<span class="code-tag"><jaxrs:server></span> + <span class="code-tag"><jaxrs:inInterceptors></span> + <span class="code-tag"><bean ref=<span class="code-quote">"depthInterceptor"</span>/></span> + <span class="code-tag"></jaxrs:inInterceptors></span> +<span class="code-tag"><jaxrs:server></span> + +</pre> +</div></div> + +<p>When one of the limits is reached, the error is returned. JAX-WS consumers will receive 500, JAX-RS/HTTP consumers: 413.</p> + +<p>The following system properties can also be set up for JAX-WS endpoints: "org.apache.cxf.staxutils.innerElementCountThreshold" and "org.apache.cxf.staxutils.innerElementLevelThreshold".</p> + +<p>Finally, default JAX-RS org.apache.cxf.jaxrs.provider.JAXBElementProvider and JAXB-based org.apache.cxf.jaxrs.provider.json.JSONProvider can be directly configured with <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/staxutils/DocumentDepthProperties.java">DepthRestrictingProperies</a>.</p> +</div> </div> <!-- Content --> </td>
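Review bot: The sample configuration in the new "Controlling the depth of XML payloads" section is not well-formed XML: both the `<jaxws:endpoint>` and `<jaxrs:server>` blocks end with a second opening tag (`<jaxws:endpoint>`, `<jaxrs:server>`) where the closing tags `</jaxws:endpoint>` and `</jaxrs:server>` belong, so a reader who pastes the snippet gets a Spring context parse failure rather than a registered interceptor. Two names in the prose also disagree with the classes they link to: the first link reads "DepthRestrictingInterceptor" while the URL and the bean `class` attribute name `org.apache.cxf.interceptor.security.DepthRestrictingStreamInterceptor`, and the last paragraph says "DepthRestrictingProperies" (misspelled as well) while it links to `org.apache.cxf.staxutils.DocumentDepthProperties`; use the real class names so the text can be checked against the code. The inline comment on `innerElementCountThreshold` ("Total number of child elements for XML elements") contradicts the paragraph above it, which describes this limit as the number of immediate children a single element may contain; make the comment say it is a per-element child count. The system-property paragraph lists only `org.apache.cxf.staxutils.innerElementCountThreshold` and `org.apache.cxf.staxutils.innerElementLevelThreshold` with no counterpart for `elementCountThreshold`; if that is deliberate, say so, otherwise add it so all three knobs are documented in both places. Finally, the sentence "The complete number of XML elements, the number of immediate children of a given XML element may contain and the stack depth of the payload can be restricted" does not parse; suggested wording: "Three limits can be set: the total number of elements in the payload, the number of immediate children any single element may contain, and the maximum nesting depth." Likewise "Endpoints expecting XML payloads may get ... registered" reads better as "Endpoints expecting XML payloads can have a ... registered".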