Re: [Architecture] [RRT] XML, JSON, Shema validation threat protectors in APIM 2.1.x

Hi Dushan, It is an optional mediator. We haven't touched the core (not a single line) We will provide the performance results on Monday. thanks, Dimuthu On Mon, Jan 15, 2018 at 10:26 PM, Dushan Abeyruwan wrote: > Hi > Pls provide the diff of the changes you have done. > >

Re: [Architecture] [RRT] XML, JSON, Shema validation threat protectors in APIM 2.1.x

Hi Pls provide the diff of the changes you have done. @ESB Team / PPT experts, since there are PPT level changes you need keep watch on performance impact, memory blueprint impact, how the heap usage varies per message size since (smallest to the largest) + per how the behavior for complex

Re: [Architecture] [RRT] XML, JSON, Shema validation threat protectors in APIM 2.1.x

On Fri, Jan 12, 2018 at 3:21 PM, Hasunie Adikari wrote: > Hi all, > > I encounter an issue while writing a unit test to clone the input stream. > I implemented the cloning method[1] a way that gets the input stream from > the passthrough pipe. As I discussed with the EI team,

Re: [Architecture] [RRT] XML, JSON, Shema validation threat protectors in APIM 2.1.x

Hi all, I encounter an issue while writing a unit test to clone the input stream. I implemented the cloning method[1] a way that gets the input stream from the passthrough pipe. As I discussed with the EI team, We can't mock the pipe and also there were some obstacles for creating the pipe and I

Re: [Architecture] [RRT] XML, JSON, Shema validation threat protectors in APIM 2.1.x

Hi all, As I discussed with Isuru, There are some possible approaches to overcome the issue. 1. Create a new pass through pipe. - The data will be written to the pipe by a spawned thread and current thread will be consuming the data and continuing the message flow. We went through the pipe

Re: [Architecture] [RRT] XML, JSON, Shema validation threat protectors in APIM 2.1.x

Hi All, I am ok as long as we are invoking a method and not copying. thanks, Dimuthu On Tue, Jan 9, 2018 at 4:41 PM, Isuru Udana wrote: > Hi Hasunie, > > As we discussed, setting the PassThroughConstants.BUFFERED_INPUT_STREAM > has no effect on the flow in this case and

Re: [Architecture] [RRT] XML, JSON, Shema validation threat protectors in APIM 2.1.x

Hi Hasunie, As we discussed, setting the PassThroughConstants.BUFFERED_INPUT_STREAM has no effect on the flow in this case and Passthough Sender still seek content from the original input stream which got empty due to this cloning logic. That's the reason for this behaviour. Thanks. On Tue,

Re: [Architecture] [RRT] XML, JSON, Shema validation threat protectors in APIM 2.1.x

Hi Isuru, As we discussed, I cloned the input stream by consuming the passthrough pipe as in below. if (pipe != null) { bufferedInputStream = new BufferedInputStream(pipe.getInputStream()); } ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(); byte[]

Re: [Architecture] [RRT] XML, JSON, Shema validation threat protectors in APIM 2.1.x

Hi Hasunie, Current PTT design would build the message whenever if there is content aware mediator available. However IIRC, I did this *message.builder.the invoked* thing to cope with the WSO2 ELB we had (a few years ago). To be honest, that looks ugly isn it (in terms of overall picture).

Re: [Architecture] [RRT] XML, JSON, Shema validation threat protectors in APIM 2.1.x

Hi Hasunie, This is expected since the synapse engine now expecting an already built message. If I understood your requirement correctly, one option is to use a Builder Mediator before using any content aware mediator. Even though we do not recommend the Builder mediators now, still we can use it

Re: [Architecture] [RRT] XML, JSON, Shema validation threat protectors in APIM 2.1.x

Hi Isuru, Here we are trying to avoid building the message in gateway itself since building the entire malicious payload may lead gateway crashes. Instead of counting limits after building the tree, We manually build the message through third-party library and parser will keep counting nodes

Re: [Architecture] [RRT] XML, JSON, Shema validation threat protectors in APIM 2.1.x

Hi Dushan, On Wed, Jan 3, 2018 at 9:06 AM, Dushan Abeyruwan wrote: > Hi Hasunie, > Current PTT design would build the message whenever if there is content > aware mediator available. However IIRC, I did this *message.builder.the > invoked* thing to cope with the WSO2 ELB we

Re: [Architecture] [RRT] XML, JSON, Shema validation threat protectors in APIM 2.1.x

Hi Hasunie, Are we gaining a significant performance improvement in this approach by making mediators content-unaware ? To perform these validations messages should be built and we are internally using woodstox in our builders too. At mediator level generally we shouldn't mess-up with

[Architecture] [RRT] XML, JSON, Shema validation threat protectors in APIM 2.1.x

Hi all, I'm working on threat protector feature in APIM. We're actually trying to achieve here is to protect both backend resources and gateway from the XML and JSON based attacks. The Balerina based APIM 3 gateway will be protected by threat handlers. But In here APIM 2.1.x we have implemented