security.html

buildbot Mon, 22 Jul 2013 09:58:49 -0700

Author: buildbot
Date: Mon Jul 22 15:48:01 2013
New Revision: 870602

Log:
Production update by buildbot for cxf


Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/security.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/security.html
==============================================================================
--- websites/production/cxf/content/docs/security.html (original)
+++ websites/production/cxf/content/docs/security.html Mon Jul 22 15:48:01 2013
@@ -130,7 +130,7 @@ Apache CXF -- Security
 <div id="ConfluenceContent"><p><span style="font-size:2em;font-weight:bold"> 
Securing CXF Services </span></p>
 
 <div>
-<ul><li><a shape="rect" href="#Security-Securetransports">Secure 
transports</a></li><ul><li><a shape="rect" 
href="#Security-HTTPS">HTTPS</a></li></ul><li><a shape="rect" 
href="#Security-WS%5CSecurity%28includingUsernameTokenandX.509Tokenprofiles%29">WS-*
 Security (including UsernameToken and X.509 Token profiles)</a></li><li><a 
shape="rect" href="#Security-WSTrust%2CSTS">WS-Trust, STS</a></li><li><a 
shape="rect" href="#Security-SAMLWebSSO">SAML Web SSO</a></li><li><a 
shape="rect" href="#Security-OAuth">OAuth</a></li><li><a shape="rect" 
href="#Security-Authentication">Authentication</a></li><ul><li><a shape="rect" 
href="#Security-JAASLoginInterceptor">JAASLoginInterceptor</a></li><li><a 
shape="rect" href="#Security-Kerberos">Kerberos</a></li></ul><li><a 
shape="rect" href="#Security-Authorization">Authorization</a></li><li><a 
shape="rect" href="#Security-ControllingLargeRequestPayloads">Controlling Large 
Request Payloads</a></li><ul><li><a shape="rect" 
href="#Security-XML">XML</a></li
 ><li><a shape="rect" 
 >href="#Security-Multiparts">Multiparts</a></li></ul><li><a shape="rect" 
 >href="#Security-Largedatastreamcaching">Large data stream 
 >caching</a></li></ul></div>
+<ul><li><a shape="rect" href="#Security-Securetransports">Secure 
transports</a></li><ul><li><a shape="rect" 
href="#Security-HTTPS">HTTPS</a></li></ul><li><a shape="rect" 
href="#Security-WS%5CSecurity%28includingUsernameTokenandX.509Tokenprofiles%29">WS-*
 Security (including UsernameToken and X.509 Token profiles)</a></li><li><a 
shape="rect" href="#Security-WSTrust%2CSTS">WS-Trust, STS</a></li><li><a 
shape="rect" href="#Security-SAMLWebSSO">SAML Web SSO</a></li><li><a 
shape="rect" href="#Security-OAuth">OAuth</a></li><li><a shape="rect" 
href="#Security-Authentication">Authentication</a></li><ul><li><a shape="rect" 
href="#Security-JAASLoginInterceptor">JAASLoginInterceptor</a></li><li><a 
shape="rect" href="#Security-Kerberos">Kerberos</a></li></ul><li><a 
shape="rect" href="#Security-Authorization">Authorization</a></li><li><a 
shape="rect" href="#Security-ControllingLargeRequestPayloads">Controlling Large 
Request Payloads</a></li><ul><li><a shape="rect" 
href="#Security-XML">XML</a></li
 ><li><a shape="rect" href="#Security-XMLCXFversionspriorto2.7.4">XML - CXF 
 >versions prior to 2.7.4</a></li><li><a shape="rect" 
 >href="#Security-Multiparts">Multiparts</a></li></ul><li><a shape="rect" 
 >href="#Security-Largedatastreamcaching">Large data stream 
 >caching</a></li></ul></div>
 
 <h1><a shape="rect" name="Security-Securetransports"></a>Secure transports</h1>
 
@@ -260,6 +260,19 @@ Apache CXF -- Security
 
 <h2><a shape="rect" name="Security-XML"></a>XML</h2>
 
+<p>Starting with CXF 2.7.4, CXF now requires use of a StAX parser that can 
provide fine grained control over the size of the incoming XML.   The only 
parser that will currently work is Woodstox 4.2 or newer.   The main reason is 
there are a series of DOS attacks that can only be prevented at the StAX parser 
level.   There is a "org.apache.cxf.stax.allowInsecureParser" System Property 
that can be set to true to allow using an insecure parser, but that is HIGHLY 
not recommended and doing so would also now allow the settings described in 
this section.</p>
+
+<p>CXF has several default settings that will prevent malicious XML from 
causing various DOS failures.   You can override the default values if you know 
you will have incoming XML that will exceed these limits.   These settings can 
be set as Bus level properties, endpoint level properties, or even per request 
via an interceptor. </p>
+
+<div class="table-wrap">
+<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" 
class="confluenceTh">Setting</th><th colspan="1" rowspan="1" 
class="confluenceTh">Default</th><th colspan="1" rowspan="1" 
class="confluenceTh">Description</th></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">org.apache.cxf.stax.maxChildElements</td><td colspan="1" 
rowspan="1" class="confluenceTd">50000</td><td colspan="1" rowspan="1" 
class="confluenceTd">Maximum number of child elements for a given parent 
element</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">org.apache.cxf.stax.maxElementDepth</td><td colspan="1" 
rowspan="1" class="confluenceTd">100</td><td colspan="1" rowspan="1" 
class="confluenceTd">Maximum depth of an element</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd">org.apache.cxf.stax.maxAttributeCount</td><td 
colspan="1" rowspan="1" class="confluenceTd">500</td><td colspan="1" 
rowspan="1" class="confluenceTd">Maximum number of attributes on a single 
element</td></
 tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">org.apache.cxf.stax.maxAttributeSize</td><td colspan="1" 
rowspan="1" class="confluenceTd">64K</td><td colspan="1" rowspan="1" 
class="confluenceTd">Maximum size of a single attribute</td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd">org.apache.cxf.stax.maxTextLength</td><td colspan="1" 
rowspan="1" class="confluenceTd">128M</td><td colspan="1" rowspan="1" 
class="confluenceTd">Maximum size of an elements text value</td></tr><tr><td 
colspan="1" rowspan="1" 
class="confluenceTd">org.apache.cxf.stax.maxElementCount</td><td colspan="1" 
rowspan="1" class="confluenceTd">Long.MAX_VALUE</td><td colspan="1" rowspan="1" 
class="confluenceTd">Maximum total number of elements in the XML 
document</td></tr><tr><td colspan="1" rowspan="1" 
class="confluenceTd">org.apache.cxf.stax.maxXMLCharacters</td><td colspan="1" 
rowspan="1" class="confluenceTd">Long.MAX_VALUE</td><td colspan="1" rowspan="1" 
class="confluenceTd">Maximum total number 
 of characters parsed by the parser</td></tr></tbody></table>
+</div>
+
+
+
+
+<h2><a shape="rect" name="Security-XMLCXFversionspriorto2.7.4"></a>XML - CXF 
versions prior to 2.7.4</h2>
+
 <p>Endpoints expecting XML payloads may get <a shape="rect" 
class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/DepthRestrictingStreamInterceptor.java";>DepthRestrictingInterceptor</a>
 registered and configured in order to control the limits a given XML payload 
may not exceed. This can be useful in a variety of cases in order to protect 
against massive payloads which can potentially cause the denial-of-service 
situation or simply slow the service down a lot.</p>
 
 <p>The complete number of XML elements, the number of immediate children of a 
given XML element may contain and the stack depth of the payload can be 
restricted, for example:</p>

svn commit: r870602 - in /websites/production/cxf/content: cache/docs.pageCache docs/security.html

Reply via email to