JSON Threat Protection
JSON Threat Protection policy as the name suggests is a protection policy for the APIs to protect them from miscellaneous HTTP request which are inflated to bring down the APIs server. Request can contain an inflated request in which they can increase the JSON depth, object name and values and array length. Dummy request will take more time to process and result into out of memory or performance issue. Such request should be denied at entry level only.
In this policy we usually define the right structure for the JSON request we will receive e.g. Depth, Object name and value length and Array size.
To Start with we will create a mule application and connect it with API manager – please see how we can connect the mulesoft application to API Manager
After deployment in Cloudhub the API manager configuration will come as Active
Now we will apply the JSON Threat Protection policy
Select JSON Threat Protection
Now update the policy configuration
We can see below properties
- Maximum Container Depth – Specifies the maximum nested depth. JSON allows you to nest the containers (object and array) in any order to any depth
- Maximum String Value Length – Specifies the maximum length of a string value
- Maximum Object Entry Name Length – Specifies the maximum string length of an object’s entry name
- Maximum Object Entry Count – Specifies the maximum number of entries in an object
- Maximum Array Element Count – Specifies the maximum number of elements in an array
So for below JSON request
{ "employees":[ { "name":"hrithik", "email":"[email protected]" }, { "name":"Bob", "email":"[email protected]" }, { "name":"Jai", "email":"[email protected]" } ] }
We can have below value to make it a valid request
- Maximum Container Depth – 3 – which is root -> employee -> (name, email)
- Maximum String Value Length – 23 – e.g. max length value in JSON – [email protected]
- Maximum Object Entry Name Length – 9 – maximum string length of an object’s entry name in JSON – employees
- Maximum Object Entry Count – 2 – Specifies the maximum number of entries in an object – employee – (name and email)
- Maximum Array Element Count – 3 – employee array count
Lets populate the field as per our need
Click apply
Now if we test this API in SOAP UI
For valid request
Increase the container depth
Increase the String value length
Increase the object entry name
Increase the number of entries allowed in an object
Increase the array element count
Sample application – sample-rest-service-json-threat-protection
Sample SOAP UI project – sample-rest-service-json-threat-protection
I have a question. Can this policy be applied to the response payload of GET requests as well?
This is only for request schema.
Thanks,
Mulesy Team