You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by bu...@apache.org on 2013/07/22 17:48:02 UTC
svn commit: r870602 - in /websites/production/cxf/content:
cache/docs.pageCache docs/security.html
Author: buildbot
Date: Mon Jul 22 15:48:01 2013
New Revision: 870602
Log:
Production update by buildbot for cxf
Modified:
websites/production/cxf/content/cache/docs.pageCache
websites/production/cxf/content/docs/security.html
Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/cxf/content/docs/security.html
==============================================================================
--- websites/production/cxf/content/docs/security.html (original)
+++ websites/production/cxf/content/docs/security.html Mon Jul 22 15:48:01 2013
@@ -130,7 +130,7 @@ Apache CXF -- Security
<div id="ConfluenceContent"><p><span style="font-size:2em;font-weight:bold"> Securing CXF Services </span></p>
<div>
-<ul><li><a shape="rect" href="#Security-Securetransports">Secure transports</a></li><ul><li><a shape="rect" href="#Security-HTTPS">HTTPS</a></li></ul><li><a shape="rect" href="#Security-WS%5CSecurity%28includingUsernameTokenandX.509Tokenprofiles%29">WS-* Security (including UsernameToken and X.509 Token profiles)</a></li><li><a shape="rect" href="#Security-WSTrust%2CSTS">WS-Trust, STS</a></li><li><a shape="rect" href="#Security-SAMLWebSSO">SAML Web SSO</a></li><li><a shape="rect" href="#Security-OAuth">OAuth</a></li><li><a shape="rect" href="#Security-Authentication">Authentication</a></li><ul><li><a shape="rect" href="#Security-JAASLoginInterceptor">JAASLoginInterceptor</a></li><li><a shape="rect" href="#Security-Kerberos">Kerberos</a></li></ul><li><a shape="rect" href="#Security-Authorization">Authorization</a></li><li><a shape="rect" href="#Security-ControllingLargeRequestPayloads">Controlling Large Request Payloads</a></li><ul><li><a shape="rect" href="#Security-XML">XML</a></li
><li><a shape="rect" href="#Security-Multiparts">Multiparts</a></li></ul><li><a shape="rect" href="#Security-Largedatastreamcaching">Large data stream caching</a></li></ul></div>
+<ul><li><a shape="rect" href="#Security-Securetransports">Secure transports</a></li><ul><li><a shape="rect" href="#Security-HTTPS">HTTPS</a></li></ul><li><a shape="rect" href="#Security-WS%5CSecurity%28includingUsernameTokenandX.509Tokenprofiles%29">WS-* Security (including UsernameToken and X.509 Token profiles)</a></li><li><a shape="rect" href="#Security-WSTrust%2CSTS">WS-Trust, STS</a></li><li><a shape="rect" href="#Security-SAMLWebSSO">SAML Web SSO</a></li><li><a shape="rect" href="#Security-OAuth">OAuth</a></li><li><a shape="rect" href="#Security-Authentication">Authentication</a></li><ul><li><a shape="rect" href="#Security-JAASLoginInterceptor">JAASLoginInterceptor</a></li><li><a shape="rect" href="#Security-Kerberos">Kerberos</a></li></ul><li><a shape="rect" href="#Security-Authorization">Authorization</a></li><li><a shape="rect" href="#Security-ControllingLargeRequestPayloads">Controlling Large Request Payloads</a></li><ul><li><a shape="rect" href="#Security-XML">XML</a></li
><li><a shape="rect" href="#Security-XMLCXFversionspriorto2.7.4">XML - CXF versions prior to 2.7.4</a></li><li><a shape="rect" href="#Security-Multiparts">Multiparts</a></li></ul><li><a shape="rect" href="#Security-Largedatastreamcaching">Large data stream caching</a></li></ul></div>
<h1><a shape="rect" name="Security-Securetransports"></a>Secure transports</h1>
@@ -260,6 +260,19 @@ Apache CXF -- Security
<h2><a shape="rect" name="Security-XML"></a>XML</h2>
+<p>Starting with CXF 2.7.4, CXF now requires use of a StAX parser that can provide fine grained control over the size of the incoming XML. The only parser that will currently work is Woodstox 4.2 or newer. The main reason is there are a series of DOS attacks that can only be prevented at the StAX parser level. There is a "org.apache.cxf.stax.allowInsecureParser" System Property that can be set to true to allow using an insecure parser, but that is HIGHLY not recommended and doing so would also now allow the settings described in this section.</p>
+
+<p>CXF has several default settings that will prevent malicious XML from causing various DOS failures. You can override the default values if you know you will have incoming XML that will exceed these limits. These settings can be set as Bus level properties, endpoint level properties, or even per request via an interceptor. </p>
+
+<div class="table-wrap">
+<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1" class="confluenceTh">Setting</th><th colspan="1" rowspan="1" class="confluenceTh">Default</th><th colspan="1" rowspan="1" class="confluenceTh">Description</th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">org.apache.cxf.stax.maxChildElements</td><td colspan="1" rowspan="1" class="confluenceTd">50000</td><td colspan="1" rowspan="1" class="confluenceTd">Maximum number of child elements for a given parent element</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">org.apache.cxf.stax.maxElementDepth</td><td colspan="1" rowspan="1" class="confluenceTd">100</td><td colspan="1" rowspan="1" class="confluenceTd">Maximum depth of an element</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">org.apache.cxf.stax.maxAttributeCount</td><td colspan="1" rowspan="1" class="confluenceTd">500</td><td colspan="1" rowspan="1" class="confluenceTd">Maximum number of attributes on a single element</td></
tr><tr><td colspan="1" rowspan="1" class="confluenceTd">org.apache.cxf.stax.maxAttributeSize</td><td colspan="1" rowspan="1" class="confluenceTd">64K</td><td colspan="1" rowspan="1" class="confluenceTd">Maximum size of a single attribute</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">org.apache.cxf.stax.maxTextLength</td><td colspan="1" rowspan="1" class="confluenceTd">128M</td><td colspan="1" rowspan="1" class="confluenceTd">Maximum size of an elements text value</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">org.apache.cxf.stax.maxElementCount</td><td colspan="1" rowspan="1" class="confluenceTd">Long.MAX_VALUE</td><td colspan="1" rowspan="1" class="confluenceTd">Maximum total number of elements in the XML document</td></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">org.apache.cxf.stax.maxXMLCharacters</td><td colspan="1" rowspan="1" class="confluenceTd">Long.MAX_VALUE</td><td colspan="1" rowspan="1" class="confluenceTd">Maximum total number
of characters parsed by the parser</td></tr></tbody></table>
+</div>
+
+
+
+
+<h2><a shape="rect" name="Security-XMLCXFversionspriorto2.7.4"></a>XML - CXF versions prior to 2.7.4</h2>
+
<p>Endpoints expecting XML payloads may get <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/DepthRestrictingStreamInterceptor.java">DepthRestrictingInterceptor</a> registered and configured in order to control the limits a given XML payload may not exceed. This can be useful in a variety of cases in order to protect against massive payloads which can potentially cause the denial-of-service situation or simply slow the service down a lot.</p>
<p>The complete number of XML elements, the number of immediate children of a given XML element may contain and the stack depth of the payload can be restricted, for example:</p>