Wednesday, April 25, 2012

Controlling Large Payloads in CXF

You may have already read that so-called hash-collision attacks may affect many existing Web applications. A massive form, XML or JSON payload with specially constructed keys can be posted to a service and cause a denial of service, because many XML, JSON and form payload processors depend internally on map implementations that cannot deal with such data efficiently.

It does not have to be a specially ill-prepared payload either. Huge XML or, say, multipart/form-data application payloads with an open-ended list of child elements or parts may significantly slow down services too.

There have been a number of announcements from the major projects on the workarounds that may need to be applied; for example, please check this Tomcat issue.

Security has always been, and is going to remain, a major story in Apache CXF, and obviously we spent some time on making sure CXF endpoints can be adequately protected in such cases too.

For a start, we followed Tomcat's lead and introduced a "maxFormParameterCount" endpoint property that can be used to restrict the number of form name/value pairs passed in the HTTP POST body.

We also introduced a DepthRestrictingStreamInterceptor that can be used to enforce a number of limits on incoming XML payloads: the total number of elements, the maximum number of child elements and the maximum stack (nesting) level. More fine-grained, element-specific limits may be supported in the future. Note that it was already possible to protect CXF WS endpoints with the relevant system properties before the introduction of this interceptor.

Additionally, CXF JAX-RS endpoints and JAXB-based providers can be individually configured with the limits that will be imposed on the incoming payloads. Note that even JSON payloads can be controlled by the default Jettison-based JSONProvider.

HTTP 413 (Request Entity Too Large) will be returned whenever one of these limits is reached.
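To make the three DepthRestrictingStreamInterceptor limits concrete, here is an added Python re-implementation of the same streaming check (this is not CXF's code; the parameter names, the -1 convention for "disabled" and the sample payloads are assumptions made for the example). The point it shows is that the limits are enforced while the stream is being read, so an oversized payload is rejected with a 413 before it is fully parsed:

```python
import xml.sax
from xml.sax.handler import ContentHandler


class PayloadLimitExceeded(Exception):
    """Raised on the first violated limit; the endpoint would answer HTTP 413."""


class DepthRestrictingHandler(ContentHandler):
    """Streaming check of total elements, children per element and nesting level.
    A threshold of -1 disables that particular check (assumed convention)."""

    def __init__(self, element_count=-1, inner_element_count=-1, inner_element_level=-1):
        super().__init__()
        self.limits = (element_count, inner_element_count, inner_element_level)
        self.total = 0          # elements seen so far in the whole document
        self.child_counts = []  # one child counter per currently open element

    def startElement(self, name, attrs):
        total_limit, child_limit, level_limit = self.limits
        self.total += 1
        if 0 <= total_limit < self.total:
            raise PayloadLimitExceeded("element_count")
        if self.child_counts:  # this element is a child of the one on top of the stack
            self.child_counts[-1] += 1
            if 0 <= child_limit < self.child_counts[-1]:
                raise PayloadLimitExceeded("inner_element_count")
        self.child_counts.append(0)  # open this element; nesting level == stack size
        if 0 <= level_limit < len(self.child_counts):
            raise PayloadLimitExceeded("inner_element_level")

    def endElement(self, name):
        self.child_counts.pop()


def check_payload(xml_bytes, **limits):
    """Return (HTTP status, reason). Parsing stops at the first violated limit."""
    try:
        xml.sax.parseString(xml_bytes, DepthRestrictingHandler(**limits))
    except PayloadLimitExceeded as exc:
        return 413, str(exc)
    return 200, "ok"


# Constructed sample payloads (not captured traffic).
SMALL = b"<order><item>1</item><item>2</item></order>"
WIDE = b"<order>" + b"<item/>" * 100 + b"</order>"  # one element with many children
DEEP = b"<a>" * 6 + b"</a>" * 6                     # six nested levels

if __name__ == "__main__":
    for label, payload in ("small", SMALL), ("wide", WIDE), ("deep", DEEP):
        print(label, check_payload(payload, element_count=50, inner_element_count=10, inner_element_level=5))
```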

Finally, as has already been mentioned on this blog, we had a high-quality contribution which made it possible to control the attachment limits by using an "attachment-max-size" property.

Please check the CXF Security and JAX-RS DataBinding sections for more information, test with the recently released CXF 2.6.0, 2.5.3, 2.4.7 and 2.3.10 distributions, and provide your feedback.