Topic: 3. Security and Validation

xmlProtection

Prohibits XML documents to be passed through that look like XML attacks on older parsers. Too many attributes, too long element names are such indications. DTD definitions will simply be removed.

Can be used in:

serviceProxy, api, global, chainDef, for, stompProxy, if, registration, wsStompReassembler, internal, interceptor, chain, bean, transport and soapProxy

Syntax

<xmlProtection removeDTD="boolean" maxElementNameLength="integer" maxAttibuteCount="integer" />

Sample

<beans>
  <transport coreThreadPoolSize="20">
	<ruleMatching />
	<dispatching />
	<userFeature />

	<xmlProtection />

	<httpClient />
  </transport>
</beans>

Attributes

Name	Required	Default	Description	Examples
maxAttributeCount	false	1000	If an incoming request exceeds this limit, it will be discarded.	-
maxElementNameLength	false	1000	If an incoming request exceeds this limit, it will be discarded.	-
removeDTD	false	true	Whether to remove the DTD from incoming requests.	-