Hi Sergei,
in my case it's an HTTP.

I could not set the properties properly.
Mine look like:
<code>
        properties.put("com.ctc.wstx.maxAttributesPerElement", new Integer(500));
        properties.put("com.ctc.wstx.maxAttributeSize", new Integer(64 * 1024));
        properties.put("com.ctc.wstx.maxChildrenPerElement", new Integer(50000));
        properties.put("com.ctc.wstx.maxElementCount", new Long(Long.MAX_VALUE));
        properties.put("com.ctc.wstx.maxElementDepth", new Integer(100));
        properties.put("com.ctc.wstx.maxCharacters", new Long(Long.MAX_VALUE));
        properties.put("com.ctc.wstx.maxTextLength", new Long(128 * 1024 * 1024));
        properties.put("org.apache.cxf.stax.allowInsecureParser", new Boolean(true));
</code>

and in the previous code:

<code>
factory.setProperties(properties);
</code>

However, when it comes to the StaxUtils, the properties are null. I am trying
to figure out how to set "org.apache.cxf.stax.allowInsecureParser" to true.


BR,
Oleg



On Tue, Jul 23, 2013 at 1:05 PM, Sergey Beryozkin <[email protected]> wrote:

> Hi Oleg
>
> If you use HTTPS, and especially a 2 way TLS, then it will help, though
> even in these cases a secure parser can help a lot with controlling the
> large payloads.
> Cheers, Sergey
>
> On 23/07/13 07:55, Oleg Tikhonov wrote:
>
>> Hi,
>> During deploying application I got this exception.
>>
>> Having googled I found
>> "CXF 2.7.4 added a new check when creating XMLInputFactory to prevent the
>> DOS attack mentioned here
>> https://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc and
>> Woodstox 4.2.0 version support for these properties. AS 5.10 endorsed
>> geronimo-stax-api_1.0_spec and which result into load XMLInputFactory
>> implementation from JDK that is the reason for get this issue.
>>
>> It is possible to use "org.apache.cxf.stax.allowInsecureParser = true" to
>> get rid of this issue but it just a workaround only not a solution.
>> "
>>
>> Here is a code that creates a Server
>> <code>
>>      private Server getInstanceExternalControl() {
>>          LOG.debug(" ----- getInstanceExternalControl() ----- ");
>>          int incrementedPort = callbackPort + 1;
>>          JaxWsServerFactoryBean factory = new JaxWsServerFactoryBean();
>>          factory.setBindingId(Constants.WSDL_SOAP12);
>>          factory.setAddress(Constants.HTTP + callbackBBIPAdrress + ":" +
>>                  incrementedPort + "/" + WS_EXTERNAL_CALLBACK.toStr());
>>          factory.setServiceClass(IExternalControl.class);
>>          factory.setServiceBean(externalControlHandler);
>>          factory.getFeatures().add(new WSAddressingFeature());
>>
>>          return factory.create();
>>      }
>> </code>
>>
>> I did not try the aforementioned workaround.
>>
>> BTW,
>> Java version is 6.
>> AppServer is JBoss 7.1.2
>> OS: Linux x64 Ubuntu.
>>
>> Any suggestions/thoughts will be greatly appreciated.
>>
>> Thanks in advance,
>> Oleg
>>
>>
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>
> Blog: http://sberyozkin.blogspot.com
>

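Added example, not part of the original thread and not CXF's own code: a stand-alone StAX check that reports which XMLInputFactory implementation is actually loaded and whether it accepts the `com.ctc.wstx.maxElementDepth` limit quoted above, then parses two documents against that limit. The class name `StaxLimitCheck`, its helper methods and the nested sample documents are constructed for illustration; it assumes it is run with the same classpath as the deployment being diagnosed.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class StaxLimitCheck {
    // Property name and value as posted in the thread.
    static final String MAX_DEPTH = "com.ctc.wstx.maxElementDepth";
    static final Integer LIMIT = Integer.valueOf(100);

    /** Builds a constructed sample document nested 'depth' elements deep. */
    static String nested(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append("<e>");
        for (int i = 0; i < depth; i++) sb.append("</e>");
        return sb.toString();
    }

    /** Returns true if the whole document parses, false if the parser rejects it. */
    static boolean parses(XMLInputFactory f, String xml) {
        try {
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) r.next();
            r.close();
            return true;
        } catch (XMLStreamException e) {
            System.out.println("  rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Same lookup mechanism any StAX client uses; shows which implementation wins.
        XMLInputFactory f = XMLInputFactory.newInstance();
        System.out.println("StAX implementation: " + f.getClass().getName());

        // A factory that does not know the Woodstox limit cannot enforce it.
        if (!f.isPropertySupported(MAX_DEPTH)) {
            System.out.println(MAX_DEPTH + " is not supported by this factory");
            return;
        }
        f.setProperty(MAX_DEPTH, LIMIT);
        System.out.println("depth 50 parses:  " + parses(f, nested(50)));
        System.out.println("depth 500 parses: " + parses(f, nested(500)));
    }
}
```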