[
https://issues.apache.org/jira/browse/CXF-7680?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16409447#comment-16409447
]
Colm O hEigeartaigh commented on CXF-7680:
------------------------------------------
Could you create a standalone project that I can unzip and run to reproduce the
error? I tried sending a large file inlined to a CXF endpoint and I got the
error (as expected):
Caused by: javax.xml.stream.XMLStreamException: Text size limit (134217728) exceeded
If the file is BASE-64 encoded, then how come you are not running into the
"maxTextLength" default restriction as above?
> Restrict the size of SOAP message OR allow only MTOM messages
> -------------------------------------------------------------
>
> Key: CXF-7680
> URL: https://issues.apache.org/jira/browse/CXF-7680
> Project: CXF
> Issue Type: Wish
> Components: JAX-WS Runtime, Soap Binding
> Affects Versions: 3.2.2
> Reporter: Nicholas
> Priority: Critical
> Labels: performance, security
>
> I encountered this problem, but couldn't get any help, despite hours of
> searching...
> I am developing B2B web services.
> The service is receiving SOAP requests where file attachments are encoded in
> base64 format. The application works well, except if one of the clients decides to
> send very large XML - possibly 500MB of XML data; at this very point my
> application's java heap size grows exponentially and mostly throws
> OutOfMemoryException. So I decided to use the MTOM mechanism to send and receive
> messages with large (or several) attachments. The application performs well,
> memory-wise, but there is still another problem: server and client BOTH need
> to enable MTOM messaging. Even if it is enabled on the server, the client can still
> send it in base64 format and the server receives it without any worries until the
> aforementioned exception is thrown. Anyone can create a HUGE xml message that
> can crash my app in seconds. How can I secure my application from this kind
> of malicious service call?
> Searched a lot, but couldn't find virtually any reliable solution for this.
> So the question/problem/wish is:
> 1) How can I restrict the size of the SOAP message (only the XML part if MTOM)?
> OR
> 2) How can I allow only MTOM messages?
> What I found/explored:
> [http://cxf.apache.org/docs/security.html] in the "Controlling Large Request
> Payloads" section it is written that the Woodstox parser can be used to
> restrict the XML message by its character size, but it is also written that it's not
> recommended and it's insecure. Even if this were the solution, how would it
> behave with an MTOM message?
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
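The two controls discussed in this thread, the StAX limits from the "Controlling Large Request Payloads" section (of which `org.apache.cxf.stax.maxTextLength` is the one behind the `Text size limit (134217728) exceeded` error above) and MTOM, can be wired onto a CXF endpoint programmatically. The following is an added example, not code from the issue, from CXF's own sources or from the reporter; the `FileReceiverImpl` service bean, the address, the `ContentLengthGuard` interceptor and every numeric limit are assumptions chosen for illustration. The property keys are the ones CXF reads from endpoint properties (`mtom-enabled`, the `org.apache.cxf.stax.*` limits, and `attachment-max-size` for MTOM parts).

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.jws.WebService;

import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.jaxws.JaxWsServerFactoryBean;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

public class BoundedSoapServer {

    // Hard cap on the declared HTTP request body (assumed policy value for this example).
    static final long MAX_REQUEST_BYTES = 64L * 1024 * 1024;

    // Hypothetical service bean; the operation body is irrelevant to the size limits.
    @WebService
    public static class FileReceiverImpl {
        public String upload(String name, byte[] content) {
            return "stored " + name + " (" + content.length + " bytes)";
        }
    }

    /** StAX and attachment limits that CXF reads from the endpoint properties. */
    static Map<String, Object> sizeLimits() {
        Map<String, Object> props = new HashMap<>();
        // Accept MTOM on the server. Clients may still send inline base64, so the
        // parser limits below must bound that case as well.
        props.put("mtom-enabled", Boolean.TRUE);
        // Largest single text node, i.e. one inline base64 blob. CXF's default is 134217728.
        props.put("org.apache.cxf.stax.maxTextLength", 1024 * 1024);
        // Total characters the parser will read from one document.
        props.put("org.apache.cxf.stax.maxXMLCharacters", 8 * 1024 * 1024);
        // Structural limits against very wide or deeply nested payloads.
        props.put("org.apache.cxf.stax.maxChildElements", 5000);
        props.put("org.apache.cxf.stax.maxElementDepth", 50);
        props.put("org.apache.cxf.stax.maxElementCount", 50000);
        // Largest MTOM attachment the deserializer will accept (assumed value).
        props.put("attachment-max-size", 50 * 1024 * 1024);
        return props;
    }

    /**
     * Rejects requests whose declared Content-Length exceeds the cap before any XML
     * is parsed. Chunked requests carry no Content-Length and fall through to the
     * StAX limits above, which remain the primary defence.
     */
    static final class ContentLengthGuard extends AbstractPhaseInterceptor<Message> {
        private final long maxBytes;

        ContentLengthGuard(long maxBytes) {
            super(Phase.RECEIVE);
            this.maxBytes = maxBytes;
        }

        @Override
        public void handleMessage(Message message) throws Fault {
            Map<String, List<String>> headers =
                CastUtils.cast((Map<?, ?>) message.get(Message.PROTOCOL_HEADERS));
            if (headers == null) {
                return;
            }
            List<String> values = headers.get("Content-Length");
            if (values == null || values.isEmpty()) {
                return;
            }
            long declared;
            try {
                declared = Long.parseLong(values.get(0).trim());
            } catch (NumberFormatException e) {
                throw new Fault(new IllegalArgumentException("Malformed Content-Length header"));
            }
            if (declared > maxBytes) {
                throw new Fault(new IllegalArgumentException(
                    "Request body of " + declared + " bytes exceeds limit of " + maxBytes));
            }
        }
    }

    public static void main(String[] args) {
        JaxWsServerFactoryBean factory = new JaxWsServerFactoryBean();
        factory.setServiceBean(new FileReceiverImpl());
        factory.setAddress("http://localhost:9000/files"); // assumed address
        factory.setProperties(sizeLimits());
        factory.getInInterceptors().add(new ContentLengthGuard(MAX_REQUEST_BYTES));
        factory.create();
        System.out.println("Endpoint up with bounded message sizes; Ctrl-C to stop.");
    }
}
```

With these settings an inline 500MB base64 element is refused by the parser at `maxTextLength` long before the whole document is buffered, and an MTOM part larger than `attachment-max-size` is refused by the attachment deserializer; neither outcome depends on the client choosing MTOM. The Content-Length check is only a cheap early rejection for non-chunked requests and does not replace the parser limits.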