This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

JSON Content threat policy not working as expected?

Posted on 06-16-2016 08:53 AM
Not applicable
Reply posted on --/--/---- --:-- AM

Hello, we are interested in using this policy but could not find enough details from the Apigee doc. We added this policy to our proxy "Test_Proxy1" (demo9 Organization). 

<JSONThreatProtection name="JSON-Threat-Protection"> 
  <DisplayName>JSON Threat Protection</DisplayName> 
  <Properties/> 
  <ArrayElementCount>1</ArrayElementCount> 
  <ContainerDepth>-1</ContainerDepth> 
  <ObjectEntryCount>-1</ObjectEntryCount> 
  <ObjectEntryNameLength>-1</ObjectEntryNameLength> 
  <Source>request</Source> 
  <StringValueLength>-1</StringValueLength> 
</JSONThreatProtection>

We sent a request which will return array in response, ( the request will return the number of facility for a given organization), as per this policy set up now, there should be an error if the ArrayElementCount is more than 1.

Request we sent :

http://demo9-test.apigee.net/test_proxy/v0/orgs/10000003/facs/1/floors?apikey=y8yAHdA8JTBWE64nYAoUrA...

Response we received:

[
  { "orgId": 10000003, "facId": 1, "floorDesc": "2"},
  { "orgId": 10000003, "facId": 1, "floorDesc": "3"},
  { "orgId": 10000003, "facId": 1, "floorDesc": "4"}
]

Since we set ArrayElementCount =1, I expect the error code to be JSONThreatProtection[{0}]: Exceeded array element count at line {1} but on the other hand it doesnt show any error though the response has more than one element in array.

Are we missing something here, can someone clarify?

thanks !

Solved Solved
1 4 184
Topic Labels
Jump to Solution
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
Former Community Member
Not applicable
Reply posted on --/--/---- --:-- AM

@HariniJayaraman

Yes, you're missing something. 🙂 You've added the protection policy in the request flow. You'd want the protection policy in the response flow (since you want the policy applied to the response).

View solution in original post

Jump to Solution
4 REPLIES 4

Posted on --/--/---- --:-- AM
Former Community Member
Not applicable
Reply posted on --/--/---- --:-- AM

@HariniJayaraman

Which API Proxy are you trying this in? I can take a look at the config

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Not applicable
Reply posted on --/--/---- --:-- AM

https://enterprise.apigee.com/platform/demo9/proxies/Test_Proxy1/develop/1

Proxy Name : Test_Proxy1

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Former Community Member
Not applicable
Reply posted on --/--/---- --:-- AM

@HariniJayaraman

Yes, you're missing something. 🙂 You've added the protection policy in the request flow. You'd want the protection policy in the response flow (since you want the policy applied to the response).

Jump to Solution

Posted on --/--/---- --:-- AM
Not applicable
In response to Former Community Member
Reply posted on --/--/---- --:-- AM

Perfect yes, it works on response and I also modified <source> to message as below. We are going to test couple of more scenarios , and keep this thread posted if any issues. 

<JSONThreatProtection name="JSON-Threat-Protection"> 
  <DisplayName>JSON Threat Protection</DisplayName> 
  <Properties/> 
  <ArrayElementCount>1</ArrayElementCount> 
  <ContainerDepth>-1</ContainerDepth> 
  <ObjectEntryCount>-1</ObjectEntryCount> 
  <ObjectEntryNameLength>-1</ObjectEntryNameLength> 
  <!-- Source:message works on response when in response flow -->
  <Source>message</Source>
  <StringValueLength>-1</StringValueLength> 
</JSONThreatProtection>
Jump to Solution
0 Likes