Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-7680

Restrict the size of SOAP message OR allow only MTOM messages



    • Advanced
    • Important


      I encountered this problem, but couldn't get any help, although hours of searching...

      I am developing B2B web services.

      Service is receiving SOAP request where file attachments are encoded in base64 format, application works well, except if one of the client decides to send very large XML - possibly 500MB of XML data, at this very point my application's java heap size grows exponentially and mostly throw OutOfMemoryException. So I decided to use MTOM mechanism to send and receive messages with large(or several) attachments, application performs well, memory-wise, but there is still another problem, server and client, BOTH need to enable MTOM messaging, even if it is enabled on server, client can send it still with base64 format and server receives without any worries until aformentioned exception is thrown.  Anyone can create a HUGE xml message that can crash my app in seconds. How can I secure my application from these kind of malicious service calls.

      Searched a lot, but couldn't find virtually any reliable solution for this.

      So question/problem/wish is:

      1) How can I restrict the size of SOAP message (only XML part if MTOM).


      2) How can I allow only MTOM messages.

      What I found/explored:

      http://cxf.apache.org/docs/security.html in the "Controlling Large Request Payloads" section there is written about Woodstox parser which can be used to restrict XML message by its character sizes, but also written that it's not recommended and it's insecure. Even if this was the solution, how would it behave in MTOM message. 




            coheigea Colm O hEigeartaigh
            Abrams Nicholas
            0 Vote for this issue
            2 Start watching this issue