
How to disable SOAP 1.1 binding with Apache CXF

In a Java/Spring/Apache CXF application, I have a SOAP endpoint defined like this:

<cxf:endpoint
    id="MessagingService"
    address="/MessagingService"
    bindingUri="http://www.w3.org/2003/05/soap/bindings/HTTP/"
    implementor="mypackage.MessagingServiceImpl" />

The attribute bindingUri="http://www.w3.org/2003/05/soap/bindings/HTTP/" enables SOAP 1.2 bindings. I've tested it; it works.

Some people consider there is a security issue with SOAP 1.1 by "expanding XML entities". I would like to protect my WebService from this kind of attack.

Not sure my question makes sense, but: is it possible to "disable" SOAP 1.1 binding?

NB: from my perspective, what makes the difference between SOAP 1.1 and SOAP 1.2 requests is the XML namespace http://schemas.xmlsoap.org/soap/envelope/ used in SOAP 1.1 requests and http://www.w3.org/2003/05/soap-envelope used in SOAP 1.2 requests. "Disabling" SOAP 1.1 binding could mean: reject any SOAP request using the SOAP 1.1 namespace.

Thanks in advance

You would need to add an interceptor that would check the soap version and throw a fault.

That said, I really don't understand your concern. Within CXF, both versions are processed exactly the same. Any security issue with 1.1 would also be present with 1.2. Thus, it wouldn't get you any benefits to do so.

I'm not exactly sure what you are referring to about the "expanding XML entities", but it's likely one of two things:

1) XML DTD entity expansion - this is an XML level thing that would affect both 1.1 and 1.2. However, CXF turns that off at the parser level.

2) SOAP encoding structure loops and such which WOULD be SOAP 1.1, but CXF doesn't support soap encoding, so also not an issue.
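The interceptor the answer describes, written out as an added example (it is not code from the question, the answer, or the CXF project). It implements the rule the asker proposes: classify the request by the envelope namespace and throw a fault for the SOAP 1.1 namespace before the implementor is invoked. The package name mypackage and the class name RejectSoap11Interceptor are assumptions; the CXF classes and the InInterceptors annotation are real APIs.

```java
package mypackage; // assumed: same package as the implementor in the question

import javax.xml.namespace.QName;

import org.apache.cxf.binding.soap.Soap11;
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.SoapVersion;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.Phase;

/**
 * Inbound interceptor that rejects any request CXF has classified as SOAP 1.1.
 * It is placed in the PRE_PROTOCOL phase, which runs after the READ phase in which
 * CXF's ReadHeadersInterceptor has already set the SoapVersion from the namespace
 * of the Envelope element. A fault thrown here stops the chain, so the service
 * implementation is never called for a SOAP 1.1 envelope.
 */
public class RejectSoap11Interceptor extends AbstractSoapInterceptor {

    // SOAP 1.1 envelope namespace, as quoted in the question
    private static final String SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/";

    public RejectSoap11Interceptor() {
        super(Phase.PRE_PROTOCOL);
    }

    @Override
    public void handleMessage(SoapMessage message) throws Fault {
        SoapVersion version = message.getVersion();
        if (version == null || isSoap11(version)) {
            // Use the sender-side fault code of the detected version ("Client" for 1.1),
            // falling back to the 1.1 code if no version was recorded at all.
            QName code = version != null ? version.getSender() : Soap11.getInstance().getSender();
            throw new SoapFault("SOAP 1.1 envelopes are not accepted by this endpoint; use SOAP 1.2", code);
        }
    }

    /** True when the detected version's namespace is the SOAP 1.1 envelope namespace. */
    static boolean isSoap11(SoapVersion version) {
        return SOAP11_NS.equals(version.getNamespace());
    }
}
```

To attach it to the endpoint from the question, annotate the implementor class with @org.apache.cxf.interceptor.InInterceptors(interceptors = {"mypackage.RejectSoap11Interceptor"}), or register it on the endpoint's inbound interceptor list in the Spring configuration. A SOAP 1.1 request then receives a Client fault containing the message above, while SOAP 1.2 requests pass through unchanged. As the answer points out, this only rejects the 1.1 envelope; it does not change how CXF parses XML, since DTD handling is already disabled at the parser level for both versions.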
