如何使用Apache CXF禁用SOAP 1.1绑定

Question

In a Java/Spring/Apache CXF application, I have a SOAP endpoint defined like this:

<cxf:endpoint
    id="MessagingService"
    address="/MessagingService"
    bindingUri="http://www.w3.org/2003/05/soap/bindings/HTTP/"
    implementor="mypackage.MessagingServiceImpl" />

The attribute bindingUri="http://www.w3.org/2003/05/soap/bindings/HTTP/" enables SOAP 1.2 bindings. I've tested, it works.

Some people considers there is a security issue with SOAP 1.1 by "expanding XML entities". I would like to protect my WebService from this kind of attack.

Not sure my question makes sense but: is it possible to "disable" SOAP 1.1 binding?

NB: from my perspective, what makes the difference between SOAP 1.1 and SOAP 1.2 requests is the XML namespace http://schemas.xmlsoap.org/soap/envelope/ used in SOAP 1.1 requests and http://www.w3.org/2003/05/soap-envelope used in SOAP 1.2 requests. "Disabling" SOAP 1.1 binding could mean: reject any SOAP request using the SOAP 1.1 namespace

Thanks in advance

Answer 1

You would need to add an interceptor that would check the soap version and throw a fault.

That said, I really don't understand your concern. Within CXF, both versions are processed exactly the same. Any security issue with 1.1 would also be present with 1.2. Thus, it wouldn't get you any benefits to do so.

I'm not exactly sure what you are referring to about the "expanding XML entities", but it's likely one of two things:

1) XML DTD entity expansion - this is an XML level thing that would affect both 1.1 and 1.2. However, CXF turns that off at the parser level.

2) SOAP encoding structure loops and such which WOULD be SOAP 1.1, but CXF doesn't support soap encoding, so also not an issue.