[ 
https://issues.apache.org/jira/browse/CXF-7680?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh resolved CXF-7680.
--------------------------------------
    Resolution: Incomplete
      Assignee: Colm O hEigeartaigh

I need a test-case to reproduce this problem.

> Restrict the size of SOAP message OR allow only MTOM messages
> -------------------------------------------------------------
>
>                 Key: CXF-7680
>                 URL: https://issues.apache.org/jira/browse/CXF-7680
>             Project: CXF
>          Issue Type: Wish
>          Components: JAX-WS Runtime, Soap Binding
>    Affects Versions: 3.2.2
>            Reporter: Nicholas
>            Assignee: Colm O hEigeartaigh
>            Priority: Critical
>              Labels: performance, security
>
> I encountered this problem, but couldn't get any help, despite hours of 
> searching...
> I am developing B2B web services.
> The service receives SOAP requests in which file attachments are encoded in 
> base64 format. The application works well, except if one of the clients decides to 
> send very large XML (possibly 500MB of XML data); at that very point my 
> application's java heap size grows exponentially and it mostly throws 
> OutOfMemoryException. So I decided to use the MTOM mechanism to send and receive 
> messages with large (or several) attachments. The application performs well, 
> memory-wise, but there is still another problem: server and client BOTH need 
> to enable MTOM messaging. Even if it is enabled on the server, the client can still 
> send in base64 format and the server receives it without any worries until the 
> aforementioned exception is thrown. Anyone can create a HUGE XML message that 
> can crash my app in seconds. How can I secure my application from these kinds 
> of malicious service calls?
> I searched a lot, but couldn't find virtually any reliable solution for this.
> So the question/problem/wish is:
> 1) How can I restrict the size of a SOAP message (only the XML part if MTOM)?
> OR
> 2) How can I allow only MTOM messages?
> What I found/explored:
> [http://cxf.apache.org/docs/security.html] in the "Controlling Large Request 
> Payloads" section describes the Woodstox parser, which can be used to 
> restrict an XML message by its character sizes, but it also says this is not 
> recommended and is insecure. Even if this were the solution, how would it 
> behave with MTOM messages? 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
