Author: buildbot
Date: Mon Apr 23 22:48:17 2012
New Revision: 814162

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/security.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/security.html
==============================================================================
--- websites/production/cxf/content/docs/security.html (original)
+++ websites/production/cxf/content/docs/security.html Mon Apr 23 22:48:17 2012
@@ -124,7 +124,7 @@ Apache CXF -- Security
 <div id="ConfluenceContent"><p><span style="font-size:2em;font-weight:bold"> 
Securing CXF Services </span></p>
 
 <div>
-<ul><li><a shape="rect" href="#Security-Securetransports">Secure 
transports</a></li><ul><li><a shape="rect" 
href="#Security-HTTPS">HTTPS</a></li></ul><li><a shape="rect" 
href="#Security-WSSecurity">WS-* Security</a></li><li><a shape="rect" 
href="#Security-Authentication">Authentication</a></li><li><a shape="rect" 
href="#Security-WSSecurityUsernameTokenandCustomAuthentication">WS-Security 
UsernameToken and Custom Authentication</a></li><li><a shape="rect" 
href="#Security-Authorization">Authorization</a></li></ul></div>
+<ul><li><a shape="rect" href="#Security-Securetransports">Secure 
transports</a></li><ul><li><a shape="rect" 
href="#Security-HTTPS">HTTPS</a></li></ul><li><a shape="rect" 
href="#Security-WSSecurity">WS-* Security</a></li><li><a shape="rect" 
href="#Security-Authentication">Authentication</a></li><li><a shape="rect" 
href="#Security-WSSecurityUsernameTokenandCustomAuthentication">WS-Security 
UsernameToken and Custom Authentication</a></li><li><a shape="rect" 
href="#Security-Authorization">Authorization</a></li><li><a shape="rect" 
href="#Security-ControllingthedepthofXMLpayloads">Controlling the depth of XML 
payloads</a></li></ul></div>
 
 <h1><a shape="rect" name="Security-Securetransports"></a>Secure transports</h1>
 
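Review bot: on the rewritten TOC line the nested <ul> that holds the HTTPS entry is still a direct child of the outer <ul> rather than of the "Secure transports" <li>, which is not valid list markup. This page is generated, so the fix belongs in the Confluence source. The new entry's href, #Security-ControllingthedepthofXMLpayloads, does match the anchor name added in the next hunk.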
@@ -229,7 +229,50 @@ Apache CXF -- Security
 <span class="code-tag">&lt;/bean&gt;</span>
 
 </pre>
-</div></div> </div>
+</div></div> 
+
+<h1><a shape="rect" 
name="Security-ControllingthedepthofXMLpayloads"></a>Controlling the depth of 
XML payloads</h1>
+
+<p>Endpoints expecting XML payloads may get <a shape="rect" 
class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/DepthRestrictingStreamInterceptor.java";>DepthRestrictingInterceptor</a>
 registered and configured in order to control the limits a given XML payload 
may not exceed. This can be useful in a variety of cases in order to protect 
against massive payloads which can potentially cause the denial-of-service 
situation or simply slow the service down a lot.</p>
+
+<p>The complete number of XML elements, the number of immediate children of a 
given XML element may contain and the stack depth of the payload can be 
restricted, for example:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent 
panelContent">
+<pre class="code-xml">
+
+<span class="code-tag">&lt;bean id=<span 
class="code-quote">"depthInterceptor"</span> class=<span 
class="code-quote">"org.apache.cxf.interceptor.security.DepthRestrictingStreamInterceptor"</span>&gt;</span>
+  <span class="code-tag"><span class="code-comment">&lt;!-- Total number of 
elements in the XML payload --&gt;</span></span>
+  <span class="code-tag">&lt;property name=<span 
class="code-quote">"elementCountThreshold"</span> value=<span 
class="code-quote">"5000"</span>/&gt;</span>
+
+  <span class="code-tag"><span class="code-comment">&lt;!-- Total number of 
child elements for XML elements --&gt;</span></span>
+  <span class="code-tag">&lt;property name=<span 
class="code-quote">"innerElementCountThreshold"</span> value=<span 
class="code-quote">"3000"</span>/&gt;</span>
+
+  <span class="code-tag"><span class="code-comment">&lt;!-- Maximum stack 
depth of the XML payload --&gt;</span></span>
+  <span class="code-tag">&lt;property name=<span 
class="code-quote">"innerElementLevelThreshold"</span> value=<span 
class="code-quote">"20"</span>/&gt;</span>
+
+<span class="code-tag">&lt;/bean&gt;</span>
+
+<span class="code-tag">&lt;jaxws:endpoint&gt;</span>
+  <span class="code-tag">&lt;jaxws:inInterceptors&gt;</span>
+   <span class="code-tag">&lt;bean ref=<span 
class="code-quote">"depthInterceptor"</span>/&gt;</span>
+ <span class="code-tag">&lt;/jaxws:inInterceptors&gt;</span>
+<span class="code-tag">&lt;jaxws:endpoint&gt;</span>
+
+<span class="code-tag">&lt;jaxrs:server&gt;</span>
+  <span class="code-tag">&lt;jaxrs:inInterceptors&gt;</span>
+   <span class="code-tag">&lt;bean ref=<span 
class="code-quote">"depthInterceptor"</span>/&gt;</span>
+ <span class="code-tag">&lt;/jaxrs:inInterceptors&gt;</span>
+<span class="code-tag">&lt;jaxrs:server&gt;</span>
+
+</pre>
+</div></div>
+
+<p>When one of the limits is reached, the error is returned. JAX-WS consumers 
will receive 500, JAX-RS/HTTP consumers: 413.</p>
+
+<p>The following system properties can also be set up for JAX-WS endpoints: 
"org.apache.cxf.staxutils.innerElementCountThreshold" and 
"org.apache.cxf.staxutils.innerElementLevelThreshold".</p>
+
+<p>Finally, default JAX-RS org.apache.cxf.jaxrs.provider.JAXBElementProvider 
and JAXB-based org.apache.cxf.jaxrs.provider.json.JSONProvider can be directly 
configured with <a shape="rect" class="external-link" 
href="http://svn.apache.org/repos/asf/cxf/trunk/api/src/main/java/org/apache/cxf/staxutils/DocumentDepthProperties.java";>DepthRestrictingProperies</a>.</p>
+</div>
            </div>
            <!-- Content -->
          </td>
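Review bot: the sample configuration in the added <pre> block would not load as written. Both <jaxws:endpoint> and <jaxrs:server> are closed with a second opening tag where </jaxws:endpoint> and </jaxrs:server> are meant, and the interceptor is referenced as <bean ref="depthInterceptor"/>, whereas Spring's form for pointing at an existing bean is <ref bean="depthInterceptor"/>. Readers will copy this block to put a denial-of-service limit in place, so it should be corrected in the Confluence source. Smaller points in the same hunk: the link texts "DepthRestrictingInterceptor" and "DepthRestrictingProperies" do not match the classes their hrefs point to (DepthRestrictingStreamInterceptor and DocumentDepthProperties); the phrase "the number of immediate children of a given XML element may contain" needs rewording; and the system-properties paragraph names innerElementCountThreshold and innerElementLevelThreshold but is silent on elementCountThreshold, so it should say whether that limit can be set the same way.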

