From: <go...@us...> - 2011-10-28 12:59:54
Revision: 11612 http://unicore.svn.sourceforge.net/unicore/?rev=11612&view=rev Author: golbi Date: 2011-10-28 12:59:44 +0000 (Fri, 28 Oct 2011) Log Message: ----------- Added a possibility to configure the SOAP header size limit. Modified Paths: -------------- gateway/trunk/Changes.txt gateway/trunk/src/main/conf/gateway.properties gateway/trunk/src/main/doc/manual.txt gateway/trunk/src/main/java/eu/unicore/gateway/base/RawMessageExchange.java gateway/trunk/src/main/java/eu/unicore/gateway/base/Servlet.java gateway/trunk/src/main/java/eu/unicore/gateway/properties/GatewayProperties.java gateway/trunk/src/main/java/eu/unicore/gateway/util/BufferingProxyReader.java gateway/trunk/src/main/package/distributions/Default/src/etc/unicore/gateway/gateway.properties gateway/trunk/src/test/java/eu/unicore/gateway/TestBufferingProxyReader.java gateway/trunk/src/test/java/eu/unicore/gateway/TestInsertConsignor.java gateway/trunk/src/test/java/eu/unicore/gateway/TestPOSTProcessingPerf.java gateway/trunk/src/test/java/eu/unicore/gateway/TestParseHeaders.java gateway/trunk/src/test/java/eu/unicore/gateway/TestParseWrongHeaders.java Modified: gateway/trunk/Changes.txt =================================================================== --- gateway/trunk/Changes.txt 2011-10-28 12:18:28 UTC (rev 11611) +++ gateway/trunk/Changes.txt 2011-10-28 12:59:44 UTC (rev 11612) @@ -1,6 +1,10 @@ Change log for the UNICORE 6 Gateway ==================================== +6.?.? +----- + - Added a possibility to configure the maximum SOAP header size. + 6.4.2 ----- - Fixed logging of connection errors (more details in case of failures, clear expiration Modified: gateway/trunk/src/main/conf/gateway.properties =================================================================== --- gateway/trunk/src/main/conf/gateway.properties 2011-10-28 12:18:28 UTC (rev 11611) +++ gateway/trunk/src/main/conf/gateway.properties 2011-10-28 12:59:44 UTC (rev 11612) 
@@ -16,7 +16,6 @@ http.connection.maxPerService = 20 # HTTP client configuration END - #If the network behind gateway is secure leave the following settings unchanged # (yes - it is the usual case). However if you wish to secure consignor # assertions issued by gateway by signing them, change the following to true. @@ -64,5 +63,8 @@ # (needs extension jar files installed in the lib directory!) #proxyValidator=<class name> +# Maximum size of an accepted SOAP header, in bytes. It is extremely rare +# that changing the default value is necessary. +soapMaxHeader=102400 Modified: gateway/trunk/src/main/doc/manual.txt =================================================================== --- gateway/trunk/src/main/doc/manual.txt 2011-10-28 12:18:28 UTC (rev 11611) +++ gateway/trunk/src/main/doc/manual.txt 2011-10-28 12:59:44 UTC (rev 11612) @@ -1,6 +1,6 @@ UNICORE Gateway =============== -:revnumber: 1.0.2 +:revnumber: 1.0.3 :Author: UNICORE Team :Email: uni...@li... :numbered: @@ -294,8 +294,8 @@ This will scale up to higher numbers of concurrent connections than the default connector. -Controlling the number of concurrent connections -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Scalability settings +~~~~~~~~~~~~~~~~~~~~ The gateway acts as a https client for the VSites behind it. The number of concurrent calls is limited, and controlled by two parameters 
@@ -307,6 +307,23 @@ http.connection.maxPerService=20 ---- +You can also control the limit on the maximum SOAP header size which is allowed by the +gateway. *Typically you don't have to touch this parameter*. However if your clients +do produce very big SOAP headers and gateway blocks them you can increase the limit. Note +that such a giant SOAP header usually means that the client is not behaving in a sane way, +e.g. is trying to perform a DoS attack. + +---- +# maximum size of an accepted SOAP header, in bytes +soapMaxHeader=102400 +---- + +Note that gateway may consume this amount of memory (plus some extra amount +for other data) for each opened connection. Therefore, this value multiplied by +the number of maximum allowed connections, should be significantly lower, then the total +memory available for the gateway. + + Proxy certificate support ~~~~~~~~~~~~~~~~~~~~~~~~~ Modified: gateway/trunk/src/main/java/eu/unicore/gateway/base/RawMessageExchange.java =================================================================== --- gateway/trunk/src/main/java/eu/unicore/gateway/base/RawMessageExchange.java 2011-10-28 12:18:28 UTC (rev 11611) +++ gateway/trunk/src/main/java/eu/unicore/gateway/base/RawMessageExchange.java 2011-10-28 12:59:44 UTC (rev 11612) 
@@ -50,10 +50,10 @@ private static XMLInputFactory inFact = XMLInputFactory2.newInstance(); - public RawMessageExchange(Reader r, Writer w) throws XMLStreamException + public RawMessageExchange(Reader r, Writer w, int maxHeader) throws XMLStreamException { reader = new BufferingProxyReader(r, LogUtil.getLogger("gateway.trafficdump", - RawMessageExchange.class)); + RawMessageExchange.class), maxHeader); writer = w; setHeaderPresent(false); eventReader = inFact.createXMLEventReader(reader); Modified: gateway/trunk/src/main/java/eu/unicore/gateway/base/Servlet.java =================================================================== --- gateway/trunk/src/main/java/eu/unicore/gateway/base/Servlet.java 2011-10-28 12:18:28 UTC (rev 11611) +++ gateway/trunk/src/main/java/eu/unicore/gateway/base/Servlet.java 2011-10-28 12:59:44 UTC (rev 11612) @@ -329,7 +329,9 @@ handleRegistration(req,res); } else{ - RawMessageExchange exchange = new RawMessageExchange(req.getReader(),res.getWriter()); + int maxHeaderSize = properties.getMaxSoapHeader(); + RawMessageExchange exchange = new RawMessageExchange(req.getReader(), + res.getWriter(), maxHeaderSize); String contentType = req.getHeader("Content-type"); exchange.setProperty(RawMessageExchange.CONTENT_TYPE, contentType); if(contentType!=null){ Modified: gateway/trunk/src/main/java/eu/unicore/gateway/properties/GatewayProperties.java =================================================================== --- gateway/trunk/src/main/java/eu/unicore/gateway/properties/GatewayProperties.java 2011-10-28 12:18:28 UTC (rev 11611) +++ gateway/trunk/src/main/java/eu/unicore/gateway/properties/GatewayProperties.java 2011-10-28 12:59:44 UTC (rev 11612) 
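Review bot: The new `maxHeader` parameter of the `RawMessageExchange` constructor is undocumented, and nothing in this hunk says what unit it is in or what happens when the limit is hit. Going by the `BufferingProxyReader` hunks in this commit, a Javadoc line such as `@param maxHeader maximum number of characters buffered while the SOAP header is parsed; a read that would exceed it fails with an IOException` would state the contract. The constructor body continues outside the hunk.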
@@ -70,13 +70,17 @@ public static final String KEY_CONN_MAX_TOTAL = "http.connection.maxTotal"; public static final String KEY_CONN_MAX_PERHOST = "http.connection.maxPerService"; + public static final String KEY_MAX_HEADER = "soapMaxHeader"; + // defaults for the consignor SAML assertion public static final int DEFAULT_TOLERANCE = 30; public static final int DEFAULT_VALIDITY = 60; public static final boolean DEFAULT_SIGN = false; // default proxy validator class name public static final String DEFAULT_PROXY_VALIDATOR = "eu.unicore.proxy.RFC3820ProxyValidator"; - + // default limit for the SOAP header size + public static final int DEFAULT_MAX_HDR = 102400; + private static final Set<String> REQ_PROPERTIES = new HashSet<String>(); static { @@ -211,6 +215,11 @@ return getStringProperty(KEY_REG_INCL, null); } + public int getMaxSoapHeader() + { + return getPropertyAsInt(KEY_MAX_HEADER, 1024, 1024000000, DEFAULT_MAX_HDR, log); + } + public void setProperty(String key,String value){ properties.setProperty(key, value); } Modified: gateway/trunk/src/main/java/eu/unicore/gateway/util/BufferingProxyReader.java =================================================================== --- gateway/trunk/src/main/java/eu/unicore/gateway/util/BufferingProxyReader.java 2011-10-28 12:18:28 UTC (rev 11611) +++ gateway/trunk/src/main/java/eu/unicore/gateway/util/BufferingProxyReader.java 2011-10-28 12:59:44 UTC (rev 11612) @@ -32,10 +32,10 @@ private CharArrayWriterExt buffer; private int bufPtr; private int markedPos; - private static final int MAX_HDR = 102400; + private int maxHeader; private Logger log = null; - - public BufferingProxyReader(Reader reader, Logger log) + + public BufferingProxyReader(Reader reader, Logger log, int maxHeader) { this.reader = reader; buffer = new CharArrayWriterExt(10240); 
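Review bot: `getMaxSoapHeader()` accepts values up to `1024000000` (assuming the second and third arguments of `getPropertyAsInt` are the minimum and maximum), which is far more than a per-connection buffer can sensibly hold. The manual text added in this same commit says the gateway may consume this amount of memory for each open connection. A tighter ceiling, or a log warning when the configured value is well above `DEFAULT_MAX_HDR`, would keep a configuration mistake from cancelling the protection the limit gives. The two bounds are also bare literals; named constants declared next to `DEFAULT_MAX_HDR` (for example `MIN_MAX_HDR` and `MAX_MAX_HDR`), with a comment stating the unit, would document them.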
@@ -43,9 +43,9 @@ markedPos = -1; if (log != null && log.isTraceEnabled()) this.log = log; + this.maxHeader = maxHeader; } - - + @Override public int read(char[] cbuf, int off, int len) throws IOException { @@ -56,9 +56,9 @@ log.trace("[INPUT]" + new String(cbuf, off, ret)); return ret; } - if (len + bufPtr >= MAX_HDR) + if (len + bufPtr >= maxHeader) throw new IOException("Header is too large. Gateway supports up to " + - MAX_HDR + "b headers"); + maxHeader + "b headers"); int readChars = reader.read(cbuf, off, len); buffer.write(cbuf, off, readChars); bufPtr += readChars; Modified: gateway/trunk/src/main/package/distributions/Default/src/etc/unicore/gateway/gateway.properties =================================================================== --- gateway/trunk/src/main/package/distributions/Default/src/etc/unicore/gateway/gateway.properties 2011-10-28 12:18:28 UTC (rev 11611) +++ gateway/trunk/src/main/package/distributions/Default/src/etc/unicore/gateway/gateway.properties 2011-10-28 12:59:44 UTC (rev 11612) @@ -16,7 +16,6 @@ http.connection.maxPerService = 20 # HTTP client configuration END - #If the network behind gateway is secure leave the following settings unchanged # (yes - it is the usual case). However if you wish to secure consignor # assertions issued by gateway by signing them, change the following to true. @@ -64,5 +63,8 @@ # (needs extension jar files installed in the lib directory!) #proxyValidator=<class name> +# Maximum size of an accepted SOAP header, in bytes. It is extremely rare +# that changing the default value is necessary. +soapMaxHeader=102400 Modified: gateway/trunk/src/test/java/eu/unicore/gateway/TestBufferingProxyReader.java =================================================================== --- gateway/trunk/src/test/java/eu/unicore/gateway/TestBufferingProxyReader.java 2011-10-28 12:18:28 UTC (rev 11611) +++ gateway/trunk/src/test/java/eu/unicore/gateway/TestBufferingProxyReader.java 2011-10-28 12:59:44 UTC (rev 11612) 
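Review bot: The size check in `read()` (`if (len + bufPtr >= maxHeader)`) tests the caller's requested `len`, not the number of characters actually read, so a small header can be rejected because the parser asked with a large buffer. With the 1024 minimum that `getMaxSoapHeader()` allows, this may reject every request, depending on the XML reader's buffer size. The count is in `char`s taken from a `Reader`, while the property comment, the manual and the error text (`"b headers"`) all speak of bytes, so the memory buffered per connection can be about twice the configured figure. Consider reading first and testing `bufPtr + readChars > maxHeader`, and guard `readChars == -1` before `buffer.write(cbuf, off, readChars)`, which the context lines pass through unchecked. The body of `read()` starts and ends outside the hunk.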
@@ -5,6 +5,7 @@ import java.io.StringReader; import java.nio.charset.Charset; +import eu.unicore.gateway.properties.GatewayProperties; import eu.unicore.gateway.util.BufferingProxyReader; import junit.framework.TestCase; @@ -13,7 +14,8 @@ public void test1()throws Exception { StringReader sr = new StringReader("1234567890abcde"); - BufferingProxyReader proxy = new BufferingProxyReader(sr, null); + BufferingProxyReader proxy = new BufferingProxyReader(sr, null, + GatewayProperties.DEFAULT_MAX_HDR); char cbuf[] = new char[5]; int r = proxy.read(cbuf); proxy.setMarkedPos(5); @@ -44,7 +46,8 @@ String f3 = Utils.readFile(new File("src/test/resources/f3")); StringReader sr = new StringReader(f1+f2+f3); - BufferingProxyReader proxy = new BufferingProxyReader(sr, null); + BufferingProxyReader proxy = new BufferingProxyReader(sr, null, + GatewayProperties.DEFAULT_MAX_HDR); char cbuf[] = new char[f1.length()]; int r = proxy.read(cbuf); proxy.setMarkedPos(cbuf.length); Modified: gateway/trunk/src/test/java/eu/unicore/gateway/TestInsertConsignor.java =================================================================== --- gateway/trunk/src/test/java/eu/unicore/gateway/TestInsertConsignor.java 2011-10-28 12:18:28 UTC (rev 11611) +++ gateway/trunk/src/test/java/eu/unicore/gateway/TestInsertConsignor.java 2011-10-28 12:59:44 UTC (rev 11612) @@ -9,6 +9,7 @@ import eu.unicore.gateway.ConsignorProducer; import eu.unicore.gateway.base.RawMessageExchange; +import eu.unicore.gateway.properties.GatewayProperties; import junit.framework.TestCase; public class TestInsertConsignor extends TestCase 
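Review bot: No test on this page exercises the new limit: every updated call passes `GatewayProperties.DEFAULT_MAX_HDR`, so the behaviour this commit makes configurable is never checked with a non-default value. A case in `TestBufferingProxyReader` that builds the reader with a small limit, e.g. `new BufferingProxyReader(sr, null, 8)`, and expects `proxy.read(new char[16])` to throw `IOException` would pin the rejection path. A second case just under the limit would pin the accepting side. This assumes an unmarked reader reaches the size check, which the visible part of `read()` suggests but does not show in full.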
@@ -42,7 +43,8 @@ try { StringWriter w = new StringWriter(); - RawMessageExchange mex = new RawMessageExchange(new FileReader(f), w); + RawMessageExchange mex = new RawMessageExchange(new FileReader(f), w, + GatewayProperties.DEFAULT_MAX_HDR); new HeadersParser("http://localhost").parseHeaders(mex); if (checkWSA) { Modified: gateway/trunk/src/test/java/eu/unicore/gateway/TestPOSTProcessingPerf.java =================================================================== --- gateway/trunk/src/test/java/eu/unicore/gateway/TestPOSTProcessingPerf.java 2011-10-28 12:18:28 UTC (rev 11611) +++ gateway/trunk/src/test/java/eu/unicore/gateway/TestPOSTProcessingPerf.java 2011-10-28 12:59:44 UTC (rev 11612) @@ -13,6 +13,7 @@ import eu.unicore.gateway.ConsignorProducer; import eu.unicore.gateway.base.RawMessageExchange; +import eu.unicore.gateway.properties.GatewayProperties; import eu.unicore.gateway.util.StopWatch; import junit.framework.TestCase; @@ -37,7 +38,8 @@ try { watch.start(); - RawMessageExchange mex = new RawMessageExchange(fr, w); + RawMessageExchange mex = new RawMessageExchange(fr, w, + GatewayProperties.DEFAULT_MAX_HDR); watch.snapshot(); new HeadersParser("http://localhost").parseHeaders(mex); watch.snapshot(); Modified: gateway/trunk/src/test/java/eu/unicore/gateway/TestParseHeaders.java =================================================================== --- gateway/trunk/src/test/java/eu/unicore/gateway/TestParseHeaders.java 2011-10-28 12:18:28 UTC (rev 11611) +++ gateway/trunk/src/test/java/eu/unicore/gateway/TestParseHeaders.java 2011-10-28 12:59:44 UTC (rev 11612) @@ -14,6 +14,7 @@ import eu.unicore.gateway.POSTHandler; import eu.unicore.gateway.base.RawMessageExchange; +import eu.unicore.gateway.properties.GatewayProperties; import junit.framework.TestCase; 
@@ -28,7 +29,8 @@ { try{ StringWriter w=new StringWriter(); - RawMessageExchange mex = new RawMessageExchange(new FileReader(f), w); + RawMessageExchange mex = new RawMessageExchange(new FileReader(f), w, + GatewayProperties.DEFAULT_MAX_HDR); HeadersParser hp = new HeadersParser("http://localhost"); hp.parseHeaders(mex); assertEquals("http://localhost:8080/s1/services/hello",mex.getWsaToAddress()); @@ -76,7 +78,8 @@ String resp = readFile(f2); StringWriter w = new StringWriter(); - RawMessageExchange mex = new RawMessageExchange(new FileReader(f), w); + RawMessageExchange mex = new RawMessageExchange(new FileReader(f), w, + GatewayProperties.DEFAULT_MAX_HDR); ByteArrayInputStream bais = new ByteArrayInputStream(resp.getBytes()); POSTHandler.forwardResponse(bais, "utf8", mex, log); Modified: gateway/trunk/src/test/java/eu/unicore/gateway/TestParseWrongHeaders.java =================================================================== --- gateway/trunk/src/test/java/eu/unicore/gateway/TestParseWrongHeaders.java 2011-10-28 12:18:28 UTC (rev 11611) +++ gateway/trunk/src/test/java/eu/unicore/gateway/TestParseWrongHeaders.java 2011-10-28 12:59:44 UTC (rev 11612) @@ -10,6 +10,7 @@ import eu.unicore.bugsreporter.annotation.FunctionalTest; import eu.unicore.gateway.base.RawMessageExchange; +import eu.unicore.gateway.properties.GatewayProperties; import eu.unicore.gateway.soap.SoapFault; import eu.unicore.gateway.soap.SoapFault.FaultCode; @@ -26,7 +27,8 @@ try { StringWriter w = new StringWriter(); - RawMessageExchange mex = new RawMessageExchange(r, w); + RawMessageExchange mex = new RawMessageExchange(r, w, + GatewayProperties.DEFAULT_MAX_HDR); HeadersParser hp = new HeadersParser("http://localhost"); hp.parseHeaders(mex); fail("Wrong headers parsed successfully"); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |