Hi,
StaxUtils only supports it as a system property at the moment,
Cheers, Sergey
On 23/07/13 11:25, Oleg Tikhonov wrote:
Hi Sergei,
in my case it's an HTTP.
I could not set the properties properly.
Mine look like:
<code>
// Woodstox (com.ctc.wstx) input limits
properties.put("com.ctc.wstx.maxAttributesPerElement", new Integer(500));
properties.put("com.ctc.wstx.maxAttributeSize", new Integer(64 * 1024));
properties.put("com.ctc.wstx.maxChildrenPerElement", new Integer(50000));
properties.put("com.ctc.wstx.maxElementCount", new Long(Long.MAX_VALUE));
properties.put("com.ctc.wstx.maxElementDepth", new Integer(100));
properties.put("com.ctc.wstx.maxCharacters", new Long(Long.MAX_VALUE));
properties.put("com.ctc.wstx.maxTextLength", new Long(128 * 1024 * 1024));
// CXF switch that permits a parser without these limits
properties.put("org.apache.cxf.stax.allowInsecureParser", new Boolean(true));
</code>
and in the previous code:
<code>
factory.setProperties(properties);
</code>
However, when it comes to the StaxUtils the properties are null. I am trying
to figure out how to set "org.apache.cxf.stax.allowInsecureParser" true.
BR,
Oleg
On Tue, Jul 23, 2013 at 1:05 PM, Sergey Beryozkin <[email protected]> wrote:
Hi Oleg
If you use HTTPS, and especially a 2 way TLS, then it will help, though
even in these cases a secure parser can help a lot with controlling the
large payloads.
Cheers, Sergey
On 23/07/13 07:55, Oleg Tikhonov wrote:
Hi,
While deploying the application I got this exception.
Having googled I found
"CXF 2.7.4 added a new check when creating XMLInputFactory to prevent the
DOS attack mentioned here
https://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc and
Woodstox 4.2.0 version support for these properties. AS 5.10 endorsed
geronimo-stax-api_1.0_spec and which result into load XMLInputFactory
implementation from JDK that is the reason for get this issue.
It is possible to use "org.apache.cxf.stax.allowInsecureParser = true" to
get rid of this issue but it just a workaround only not a solution."
Here is a code that creates a Server
<code>
private Server getInstanceExternalControl() {
    LOG.debug(" ----- getInstanceExternalControl() ----- ");
    // The callback endpoint listens on the port after callbackPort
    int incrementedPort = callbackPort + 1;
    JaxWsServerFactoryBean factory = new JaxWsServerFactoryBean();
    // SOAP 1.2 binding over plain HTTP
    factory.setBindingId(Constants.WSDL_SOAP12);
    factory.setAddress(Constants.HTTP + callbackBBIPAdrress + ":"
            + incrementedPort + "/" + WS_EXTERNAL_CALLBACK.toStr());
    factory.setServiceClass(IExternalControl.class);
    factory.setServiceBean(externalControlHandler);
    // Enable WS-Addressing on the endpoint
    factory.getFeatures().add(new WSAddressingFeature());
    return factory.create();
}
</code>
I did not try the aforementioned workaround.
BTW,
Java version is 6.
AppServer is JBoss 7.1.2
OS: Linux x64 Ubuntu.
Any suggestions/thoughts will be greatly appreciated.
Thanks in advance,
Oleg
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
Blog: http://sberyozkin.blogspot.com
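
An added example (not from this thread and not CXF's own code): a small diagnostic that reports which XMLInputFactory implementation the JVM actually loads, whether it recognises the limit properties named in the thread, and whether the org.apache.cxf.stax.allowInsecureParser system property is set. The class name StaxParserCheck is hypothetical; only standard javax.xml.stream and JDK calls are used.

```java
import java.security.CodeSource;
import javax.xml.stream.XMLInputFactory;

// Added diagnostic; the class name StaxParserCheck is hypothetical.
public class StaxParserCheck {

    // Woodstox limit properties, names copied from the message above.
    static final String[] LIMITS = {
        "com.ctc.wstx.maxAttributesPerElement",
        "com.ctc.wstx.maxAttributeSize",
        "com.ctc.wstx.maxChildrenPerElement",
        "com.ctc.wstx.maxElementCount",
        "com.ctc.wstx.maxElementDepth",
        "com.ctc.wstx.maxCharacters",
        "com.ctc.wstx.maxTextLength",
    };

    // Counts the limit properties this factory does not recognise.
    static int unsupportedLimits(XMLInputFactory factory) {
        int missing = 0;
        for (String name : LIMITS) {
            boolean ok = factory.isPropertySupported(name);
            System.out.println((ok ? "supported    " : "UNSUPPORTED  ") + name);
            if (!ok) {
                missing++;
            }
        }
        return missing;
    }

    public static void main(String[] args) {
        // Standard StAX lookup: the result depends on the classpath and on any
        // endorsed StAX API jar, so run this with the application's class loader.
        XMLInputFactory factory = XMLInputFactory.newInstance();
        CodeSource src = factory.getClass().getProtectionDomain().getCodeSource();
        System.out.println("factory class: " + factory.getClass().getName());
        System.out.println("loaded from:   " + (src == null ? "bootstrap (JDK)" : src.getLocation()));

        int missing = unsupportedLimits(factory);
        // The workaround flag is a JVM system property, e.g. passed as -D on startup.
        boolean insecureAllowed = Boolean.getBoolean("org.apache.cxf.stax.allowInsecureParser");
        System.out.println("allowInsecureParser system property: " + insecureAllowed);
        if (missing > 0) {
            System.out.println(missing + " limit(s) not enforced by this parser");
        }
    }
}
```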