Hi Oleg

If you use HTTPS, and especially 2-way TLS, then it will help, though even in these cases a secure parser can help a lot with controlling large payloads.
Cheers, Sergey
On 23/07/13 07:55, Oleg Tikhonov wrote:
Hi,
While deploying the application I got this exception.

Having googled I found
"CXF 2.7.4 added a new check when creating XMLInputFactory to prevent the
DOS attack mentioned here
https://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc and
Woodstox 4.2.0 version support for these properties. AS 5.10 endorsed
geronimo-stax-api_1.0_spec and which result into load XMLInputFactory
implementation from JDK that is the reason for get this issue.

It is possible to use "org.apache.cxf.stax.allowInsecureParser = true" to
get rid of this issue but it is just a workaround, not a solution.
"

Here is the code that creates a Server:
<code>
     private Server getInstanceExternalControl() {
         LOG.debug(" ----- getInstanceExternalControl() ----- ");
         int incrementedPort = callbackPort + 1;
         JaxWsServerFactoryBean factory = new JaxWsServerFactoryBean();
         factory.setBindingId(Constants.WSDL_SOAP12);
         factory.setAddress(Constants.HTTP + callbackBBIPAdrress + ":" + incrementedPort + "/" + WS_EXTERNAL_CALLBACK.toStr());
         factory.setServiceClass(IExternalControl.class);
         factory.setServiceBean(externalControlHandler);
         factory.getFeatures().add(new WSAddressingFeature());

         return factory.create();
     }
</code>

I did not try the aforementioned workaround.

BTW,
Java version is 6.
AppServer is JBoss 7.1.2
OS: Linux x64 Ubuntu.

Any suggestions/thoughts will be greatly appreciated.

Thanks in advance,
Oleg



--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
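
Added example, not part of the original thread and not CXF code: a small diagnostic that shows which XMLInputFactory implementation the StAX lookup actually resolves to and whether it accepts the Woodstox limit properties that a secure parser relies on. The class name StaxParserCheck is hypothetical, and reading org.apache.cxf.stax.allowInsecureParser as a JVM system property is an assumption.

```java
import java.security.CodeSource;
import javax.xml.stream.XMLInputFactory;

public class StaxParserCheck {
    // Woodstox input limit properties (WstxInputProperties, Woodstox 4.2.0 and later).
    static final String[] LIMIT_PROPS = {
        "com.ctc.wstx.maxAttributesPerElement",
        "com.ctc.wstx.maxChildrenPerElement",
        "com.ctc.wstx.maxElementDepth",
        "com.ctc.wstx.maxElementCount",
        "com.ctc.wstx.maxCharacters",
        "com.ctc.wstx.maxTextLength"
    };

    /** Returns true only if the factory accepts every limit property. */
    static boolean supportsLimits(XMLInputFactory factory) {
        boolean all = true;
        for (String prop : LIMIT_PROPS) {
            boolean ok = factory.isPropertySupported(prop);
            System.out.println("  " + prop + " supported: " + ok);
            all &= ok;
        }
        return all;
    }

    public static void main(String[] args) {
        // Same lookup the StAX API performs for application code.
        XMLInputFactory factory = XMLInputFactory.newInstance();
        Class<?> impl = factory.getClass();
        CodeSource src = impl.getProtectionDomain().getCodeSource();

        System.out.println("XMLInputFactory implementation: " + impl.getName());
        System.out.println("Loaded from: "
                + (src == null ? "JDK bootstrap classes" : src.getLocation().toString()));

        boolean secure = supportsLimits(factory);
        System.out.println(secure
                ? "Parser accepts the payload limits."
                : "Parser does not accept the payload limits (likely the JDK default, not Woodstox 4.2.0+).");

        // Assumption: the workaround flag is set as a JVM system property.
        // If it is true, the missing limits are being tolerated rather than fixed.
        System.out.println("org.apache.cxf.stax.allowInsecureParser = "
                + System.getProperty("org.apache.cxf.stax.allowInsecureParser"));
    }
}
```

The result depends on the class loader doing the lookup, so call supportsLimits from inside the deployed application (for example at startup) rather than from a separate command-line JVM.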
