You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@cxf.apache.org by Jason Wang <ja...@gmail.com> on 2013/12/10 11:14:34 UTC

Jackson Json Provider and depth control

Hi all,

I know you can easily protect your xml based ws from large array attacks by
setting up a DepthRestrictingInterceptor<http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/DepthRestrictingStreamInterceptor.java>
.

I am wondering how to achieve the same thing if Json is chosen as well as
Jackson Json provider.  As far as I can see there is no properties in
Jackson to set the max depth, unlike the CXF's default Json provider.

Cheers,
Jason

Re: Jackson Json Provider and depth control

Posted by Sergey Beryozkin <sb...@gmail.com>.

Hi
On 10/12/13 10:14, Jason Wang wrote:
> Hi all,
>
> I know you can easily protect your xml based ws from large array attacks by
> setting up a DepthRestrictingInterceptor<http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/DepthRestrictingStreamInterceptor.java>
> .
>
> I am wondering how to achieve the same thing if Json is chosen as well as
> Jackson Json provider.  As far as I can see there is no properties in
> Jackson to set the max depth, unlike the CXF's default Json provider.
>
Please check Jackson archives or ask a question there, Jackson reader is 
streaming so I think it can be easily amenable to supporting the depth 
properties, sorry I'm not aware of any specific details
Cheers, Sergey
> Cheers,
> Jason
>