Go to new doc!

Features Virtualization API Gateway OAuth2 Performance Testimonials Reverse Proxy FAQ Documentation

5.3 5.2 5.1 5.0 4.8

Overview Deployment Logging/monitoring Web Services WebSockets Cloud Interceptors Configuration

Interceptor Configuration proxies.xml Location Samples Element Reference

accessControl accountBlocker accountRegistration adminConsole amQuota amRateLimiter amStatisticsCollector analyser apiKeyChecker apiManagement authHead2Body balancer basicAuthentication bearerToken byThreadStrategy cache certificate claims clamav clusterNotification cookieOriginalExchangeStore counter customStatementJdbcUserDataProvider defaultConfig dispatching elasticSearchExchangeStore etcdBasedConfigurator etcdPublisher etcdRegistryApiConfig etcdResolver exchangeStore exclude faultMonitoringStrategy fileExchangeStore fileStore forgetfulExchangeStore formValidation gatekeeper groovy groovyTemplate headerFilter headerJwtRetriever http2xml httpClient httpClientConfig httpSchemaResolver if inMemorySessionManager2 inMemoryStore include index interceptor internalProxy jSessionIdExtractor javascript jdbcUserDataProvider jmxExporter json2Xml jsonPointerExtractor jwks jwtAuth jwtSessionManager jwtSessionManager2 key keyFile keyGenerator keystore kubernetesValidation limit limitedMemoryExchangeStore log login membrane memoryExchangeStore methodOverride nodeOnlineChecker ntlm oauth2Resource oauth2Resource2 oauth2authserver private prometheus proxy rateLimiter regExReplacer registration resolverMap rest2Soap reverseProxying rewriter roundRobinStrategy router routerIpResolver ruleMatching serviceProxy sessionOriginalExchangeStore shutdown simpleApiConfig soap2Rest soapOperationExtractor soapProxy soapStackTraceFilter spdy ssl sslProxy staticClientList staticUserDataProvider statisticsCSV statisticsJDBC statisticsProvider stompClient stompProxy swaggerApiKeyRequirer swaggerProxy swaggerRewriter switch tcp template testService throttle tokenValidator transform transport trust truststore uriFactory urlNormalizer userFeature validator wadlRewriter webServer webServiceExplorer webSocket wsInterceptor wsLog wsStompReassembler wsdlPublisher wsdlRewriter xenAuthentication xml2Json xmlContentFilter

xmlProtection

xmlSessionIdExtractor xpathExtractor

Security Clustering Development

+49 228 5552576-0

info@predic8.com

xmlProtection

Description

Prohibits XML documents to be passed through that look like XML attacks on older parsers. Too many attributes, too long element names are such indications. DTD definitions will simply be removed.

Can be used in

spring:beans, if, internalProxy, proxy, registration, request, response, serviceProxy, soapProxy, stompProxy, swaggerProxy, transport and wsStompReassembler

Syntax

				<xmlProtection removeDTD="boolean"
					maxElementNameLength="integer" maxAttibuteCount="integer" />

Listing 1: xmlProtection Syntax

Sample

				<beans>
					<transport coreThreadPoolSize="20">
						<ruleMatching />
						<dispatching />
						<userFeature />
			
						<xmlProtection />
			
						<httpClient />
					</transport>
				</beans>

Listing 2: xmlProtection Example

Attributes

Name	Required	Default	Description	Example
maxAttibuteCount	false	1000	If an incoming request exceeds this limit, it will be discarded.
maxElementNameLength	false	1000	If an incoming request exceeds this limit, it will be discarded.
removeDTD	false	true	Whether to remove the DTD from incoming requests.

Copyright (c) 2018-2023 predic8 GmbH, Koblenzer Str. 65, 53173 Bonn, Germany
Privacy Policy