Okey, I will check it.
Thanks. On Tue, Jul 23, 2013 at 1:33 PM, Sergey Beryozkin <[email protected]>wrote: > Hi, > StaxUtils only supports it as a system property at the moment, > > Cheers, Sergey > > On 23/07/13 11:25, Oleg Tikhonov wrote: > >> Hi Sergei, >> in my case it's an HTTP. >> >> I could not set properly the properties. >> Mime look like: >> <code> >> properties.put("com.ctc.wstx.**maxAttributesPerElement", new >> Integer(500)); >> properties.put("com.ctc.wstx.**maxAttributeSize", new >> Integer(64 * >> 1024)); >> properties.put("com.ctc.wstx.**maxChildrenPerElement", new >> Integer(50000)); >> properties.put("com.ctc.wstx.**maxElementCount", new >> Long(Long.MAX_VALUE)); >> properties.put("com.ctc.wstx.**maxElementDepth", new >> Integer(100)); >> properties.put("com.ctc.wstx.**maxCharacters", new >> Long(Long.MAX_VALUE)); >> properties.put("com.ctc.wstx.**maxTextLength", new Long(128 * >> 1024 * >> 1024)); >> properties.put("org.apache.**cxf.stax.allowInsecureParser", new >> Boolean(true)); >> </code> >> >> and in the previous code: >> >> <code> >> factory.setProperties(**properties); >> </code> >> >> However when it comes to the StaxUtils the properites are null. Am trying >> to figure out how to set "org.apache.cxf.stax.**allowInsecureParser" >> true. >> >> >> BR, >> Oleg >> >> >> >> On Tue, Jul 23, 2013 at 1:05 PM, Sergey Beryozkin <[email protected] >> >wrote: >> >> Hi Oleg >>> >>> If you use HTTPS, and especially a 2 way TLS, then it will help, though >>> even in these cases a secure parser can help a lot with controlling the >>> large payloads. >>> Cheers, Sergey >>> >>> On 23/07/13 07:55, Oleg Tikhonov wrote: >>> >>> Hi, >>>> During deploying application I got this exception. >>>> >>>> Having googled I found >>>> "CXF 2.7.4 added a new check when creating XMLInputFactory to prevent >>>> the >>>> DOS attack mentioned here >>>> https://cxf.apache.org/****security-advisories.data/CVE-*** >>>> *2013-2160.txt.asc<https://cxf.apache.org/**security-advisories.data/CVE-**2013-2160.txt.asc> >>>> <https://**cxf.apache.org/security-**advisories.data/CVE-2013-2160.** >>>> txt.asc<https://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc> >>>> >and >>>> >>>> Woodstock 4.2.0 version support for these properties. AS 5.10 endorsed >>>> geronimo-stax-api_1.0_spec and which result into load XMLInputFactory >>>> implantation from JDK that is the reason for get this issue. >>>> >>>> It is possible to use "org.apache.cxf.stax.****allowInsecureParser = >>>> true" >>>> >>>> to >>>> get rid of this issue but it just a workaround only not a solution. >>>> " >>>> >>>> Here is a code that creates a Server >>>> <code> >>>> private Server getInstanceExternalControl() { >>>> LOG.debug(" ----- getInstanceExternalControl() ----- "); >>>> int incrementedPort = callbackPort + 1; >>>> JaxWsServerFactoryBean factory = new JaxWsServerFactoryBean(); >>>> factory.setBindingId(****Constants.WSDL_SOAP12); >>>> factory.setAddress(Constants.****HTTP + callbackBBIPAdrress >>>> + ":" >>>> >>>> + >>>> incrementedPort + "/" + WS_EXTERNAL_CALLBACK.toStr()); >>>> factory.setServiceClass(****IExternalControl.class); >>>> factory.setServiceBean(****externalControlHandler); >>>> >>>> factory.getFeatures().add(new WSAddressingFeature()); >>>> >>>> return factory.create(); >>>> } >>>> </code> >>>> >>>> I did not try afore mentioned workaround. >>>> >>>> BTW, >>>> Java version is 6. >>>> AppServer is JBoss 7.1.2 >>>> OS: Linux x64 Ubuntu. >>>> >>>> Any suggestions/thoughts will be greatly appreciated. >>>> >>>> Thanks in advance, >>>> Oleg >>>> >>>> >>>> >>> -- >>> Sergey Beryozkin >>> >>> Talend Community Coders >>> http://coders.talend.com/ >>> >>> Blog: http://sberyozkin.blogspot.com >>> >>> >> >
