...
See the JAX-RS JOSE page on support for the JWA, JWK, JWS, JWE and JWT specifications.
HTTP Signature
See the JAX-RS HTTP Signature page on support for the HTTP Signature specification.
SSO
SAML Web SSO
Please see this blog entry announcing the support for SAML Web SSO profile and the SAML Web SSO page for more information. CXF fully supports the SAML Web SSO profile on the service provider side. As of yet however, no IdP is available in CXF.
...
CXF has several default settings that will prevent malicious XML from causing various DOS failures. You can override the default values if you know you will have incoming XML that will exceed these limits. These settings can be set as Bus level properties, endpoint level properties, or even per request via an interceptor.
Setting | Default | Description |
---|---|---|
org.apache.cxf.stax.maxChildElements | 50000 | Maximum number of child elements for a given parent element |
org.apache.cxf.stax.maxElementDepth | 100 | Maximum depth of an element |
org.apache.cxf.stax.maxAttributeCount | 500 | Maximum number of attributes on a single element |
org.apache.cxf.stax.maxAttributeSize | 64K | Maximum size of a single attribute |
org.apache.cxf.stax.maxTextLength | 128M | Maximum size of an elements text value |
org.apache.cxf.stax.maxElementCount | Long.MAX_VALUE | Maximum total number of elements in the XML document |
org.apache.cxf.stax.maxXMLCharacters | Long.MAX_VALUE | Maximum total number of characters parsed by the parser |
XML - CXF versions prior to 2.7.4
...
It's possible to control various properties associated with caching large attachments via the following per-endpoint contextual properties:
Property Name | Value |
---|---|
attachment-memory-threshold | The threshold value in bytes to switch from memory to file caching. The default value is 1024K. |
attachment-max-size | The data size in bytes to limit the maximum data size to be cached. Since CXF 3.0.16, 3.1.14, 3.2.1. No max size is set by default. When the limits is reached, the error is returned. JAX-WS consumers will receive 500, JAX-RS/HTTP consumers: 413. |
attachment-directory | The directory name for storing the temporary files. None is specified by default. |
attachment-max-header-size | The maximum MIME Header Length. The default is 300. This value can also be set by the system property "org.apache.cxf.attachment-max-header-size". |
If no per-endpoint contextual properties are specified, then CXF checks any values that are set for the corresponding System properties listed below for large data stream caching and re-uses them for caching attachments.
...
To change the default behavior for the entire system, you can set the following system properties.
Property Name | Value |
---|---|
org.apache.cxf.io.CachedOutputStream.Threshold | The threshold value in bytes to switch from memory to file caching. The default value is 128K for CachedOutputStream and 64K for CachedWriter. |
org.apache.cxf.io.CachedOutputStream.MaxSize | The data size in bytes to limit the maximum data size to be cached. No max size is set by default. |
org.apache.cxf.io.CachedOutputStream.OutputDirectory | The directory name for storing the temporary files. None is specified by default. If specified, the directory must already exist. |
org.apache.cxf.io.CachedOutputStream.CipherTransformation | The cipher transformation name for encrypting the cached content. None is specified by default. |
To change the default behavior for a specific bus, you can set the corresponding bus.io.CachedOutputStream properties (e.g., bus.io.CachedOutputStream.Threshold for org.apache.cxf.io.CachedOutputStream.Threshold).
...