Seems to be working.
The problem was with my code:

properties.put("org.apache.cxf.stax.allowInsecureParser", new Boolean(true));

However, in StaxUtils the check was on the String "1", i.e.

allowInsecureParser = "1".equals(s) || Boolean.parseBoolean(s);

For those who are interested in the workaround:

In init method of app:

<code>
Properties properties = System.getProperties();
properties.put("org.apache.cxf.stax.allowInsecureParser", "1");
System.setProperties(properties);
</code>

The rest remains unchanged.

Thank you Sergei.







On Tue, Jul 23, 2013 at 1:43 PM, Oleg Tikhonov <[email protected]> wrote:

> Okay,
>
> I will check it.
>
> Thanks.
>
>
> On Tue, Jul 23, 2013 at 1:33 PM, Sergey Beryozkin <[email protected]> wrote:
>
>> Hi,
>> StaxUtils only supports it as a system property at the moment,
>>
>> Cheers, Sergey
>>
>> On 23/07/13 11:25, Oleg Tikhonov wrote:
>>
>>> Hi Sergei,
>>> in my case it's an HTTP.
>>>
>>> I could not set the properties properly.
>>> Mine look like:
>>> <code>
>>>          properties.put("com.ctc.wstx.maxAttributesPerElement", new Integer(500));
>>>          properties.put("com.ctc.wstx.maxAttributeSize", new Integer(64 * 1024));
>>>          properties.put("com.ctc.wstx.maxChildrenPerElement", new Integer(50000));
>>>          properties.put("com.ctc.wstx.maxElementCount", new Long(Long.MAX_VALUE));
>>>          properties.put("com.ctc.wstx.maxElementDepth", new Integer(100));
>>>          properties.put("com.ctc.wstx.maxCharacters", new Long(Long.MAX_VALUE));
>>>          properties.put("com.ctc.wstx.maxTextLength", new Long(128 * 1024 * 1024));
>>>          properties.put("org.apache.cxf.stax.allowInsecureParser", new Boolean(true));
>>> </code>
>>>
>>> and in the previous code:
>>>
>>> <code>
>>> factory.setProperties(properties);
>>> </code>
>>>
>>> However, when it comes to StaxUtils the properties are null. I am trying
>>> to figure out how to set "org.apache.cxf.stax.allowInsecureParser" to
>>> true.
>>>
>>>
>>> BR,
>>> Oleg
>>>
>>>
>>>
>>> On Tue, Jul 23, 2013 at 1:05 PM, Sergey Beryozkin <[email protected]> wrote:
>>>
>>>> Hi Oleg
>>>>
>>>> If you use HTTPS, and especially a 2 way TLS, then it will help, though
>>>> even in these cases a secure parser can help a lot with controlling the
>>>> large payloads.
>>>> Cheers, Sergey
>>>>
>>>> On 23/07/13 07:55, Oleg Tikhonov wrote:
>>>>
>>>>> Hi,
>>>>> During deploying application I got this exception.
>>>>>
>>>>> Having googled I found
>>>>> "CXF 2.7.4 added a new check when creating XMLInputFactory to prevent the
>>>>> DOS attack mentioned here
>>>>> https://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc
>>>>> and Woodstox 4.2.0 version support for these properties. AS 5.10 endorsed
>>>>> geronimo-stax-api_1.0_spec and which result into load XMLInputFactory
>>>>> implementation from JDK that is the reason for get this issue.
>>>>>
>>>>> It is possible to use "org.apache.cxf.stax.allowInsecureParser = true" to
>>>>> get rid of this issue but it just a workaround only not a solution.
>>>>> "
>>>>>
>>>>> Here is the code that creates a Server
>>>>> <code>
>>>>>       private Server getInstanceExternalControl() {
>>>>>           LOG.debug(" ----- getInstanceExternalControl() ----- ");
>>>>>           int incrementedPort = callbackPort + 1;
>>>>>           JaxWsServerFactoryBean factory = new JaxWsServerFactoryBean();
>>>>>           factory.setBindingId(Constants.WSDL_SOAP12);
>>>>>           factory.setAddress(Constants.HTTP + callbackBBIPAdrress + ":"
>>>>>                   + incrementedPort + "/" + WS_EXTERNAL_CALLBACK.toStr());
>>>>>           factory.setServiceClass(IExternalControl.class);
>>>>>           factory.setServiceBean(externalControlHandler);
>>>>>
>>>>>           factory.getFeatures().add(new WSAddressingFeature());
>>>>>
>>>>>           return factory.create();
>>>>>       }
>>>>> </code>
>>>>>
>>>>> I did not try the aforementioned workaround.
>>>>>
>>>>> BTW,
>>>>> Java version is 6.
>>>>> AppServer is JBoss 7.1.2
>>>>> OS: Linux x64 Ubuntu.
>>>>>
>>>>> Any suggestions/thoughts will be greatly appreciated.
>>>>>
>>>>> Thanks in advance,
>>>>> Oleg
>>>>>
>>>>>
>>>>>
>>>> --
>>>> Sergey Beryozkin
>>>>
>>>> Talend Community Coders
>>>> http://coders.talend.com/
>>>>
>>>> Blog: http://sberyozkin.blogspot.com
>>>>
>>>>
>>>
>>
>
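
Added example (not part of the original thread and not CXF code): the check expression quoted at the top of the thread, applied to different values stored under the property key, followed by a startup audit that reports when the parser limits have been switched off. The class and method names are hypothetical; only java.util.Properties and the quoted expression are used.

```java
import java.util.Properties;

public class AllowInsecureParserCheck {
    static final String KEY = "org.apache.cxf.stax.allowInsecureParser";

    // The expression quoted from StaxUtils in the thread, applied to what
    // Properties.getProperty returns. getProperty yields null when the stored
    // value is not a String, so a Boolean put under the key is never seen.
    static boolean insecureParserAllowed(Properties props) {
        String s = props.getProperty(KEY);
        return "1".equals(s) || Boolean.parseBoolean(s);
    }

    // Helper (hypothetical): store one value under the key and evaluate it.
    static boolean check(Object value) {
        Properties props = new Properties();
        props.put(KEY, value);
        return insecureParserAllowed(props);
    }

    // Startup audit: report the effective state and flag values that are
    // present but silently ignored because they are not Strings.
    static String audit(Properties props) {
        Object raw = props.get(KEY);
        if (raw != null && !(raw instanceof String)) {
            return "IGNORED: " + KEY + " holds a " + raw.getClass().getName()
                    + ", which getProperty() does not return";
        }
        if (insecureParserAllowed(props)) {
            return "WARNING: " + KEY + " is enabled, StAX parser limits are off";
        }
        return "OK: secure parser check is active";
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from a real deployment.
        Object[] samples = { Boolean.TRUE, "1", "true", "TRUE", "yes", "0" };
        for (Object v : samples) {
            System.out.printf("%-8s %-6s -> allowed=%b%n",
                    v.getClass().getSimpleName(), v, check(v));
        }
        System.out.println(audit(System.getProperties()));
    }
}
```

Calling `audit(System.getProperties())` once at application start and logging the result makes it visible in production when the workaround from this thread is still in place.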
