users@jersey.java.net

Re: [Jersey] Jersey vulnerable to XXE attack?

From: Paul Sandoz <Paul.Sandoz_at_Sun.COM>
Date: Fri, 10 Jul 2009 10:25:42 +0200

On Jul 9, 2009, at 11:03 PM, Tatu Saloranta wrote:

> On Thu, Jul 9, 2009 at 8:56 AM, Tim McCune<tim_at_mccune.name> wrote:
>> Catching up on this thread.
>>
>> The unit test example that I provided shows that it works in Grizzly. We
>> originally encountered the problem in Tomcat. So we have seen it in both.
> ...
>> really cool if Jersey provided a way to do that out of the box. Anyway, in
>> order to accomplish this, we're providing our own Unmarshaller, and in turn,
>> our own SAX parser. So the easy fix for us was to call this on the
>> SAXParserFactory:
>>
>> parserFactory.setFeature("http://xml.org/sax/features/external-general-entities", Boolean.FALSE);
>>
>> Maybe Jersey just needs to always do the same when parsing XML instead of
>> simply passing the raw InputStream in.
>
> Also: a similar option exists with the StAX API,
> XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES;
> factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES,
> Boolean.FALSE);
> would do the trick.
>
> Given that you don't necessarily get to choose which parser gets
> instantiated by Jersey, it would make sense to use a more generic
> setting which can then translate to what is needed by the specific parser
> being instantiated?

Yes, and by default it will be set to true, meaning security is enabled.

Paul.


> Plus it definitely would be reasonable to set this when "secure mode"
> is enabled.
>
> -+ Tatu +-
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe_at_jersey.dev.java.net
> For additional commands, e-mail: users-help_at_jersey.dev.java.net
>
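As an added example (not code from this thread or from Jersey itself): the SAX feature Tim applied and the StAX property Tatu named, set on hardened factories, with a constructed probe document showing that the SAX parser reports the external entity as skipped instead of fetching it. The class name, the placeholder entity URI, and the extra settings beyond the two the thread lists (external-parameter-entities, secure processing, SUPPORT_DTD) are my additions.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

/** Hardened parser factories (example code, not Jersey's own). */
public final class XmlEntityHardening {

    /** SAX: the feature Tim toggled, plus its parameter-entity sibling and secure processing. */
    public static SAXParserFactory hardenedSaxFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Stricter still, where the format never needs a DTD at all:
        // f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f;
    }

    /** StAX: the property Tatu named, plus SUPPORT_DTD=false so no DTD is processed. */
    public static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        return f;
    }

    /** Constructed probe: a general entity whose system id is a placeholder the parser must never fetch. */
    static final String PROBE =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"http://placeholder.invalid/entity.txt\">]>\n"
        + "<d>&ext;</d>";

    /** True when the hardened SAX parser reports the external entity as skipped rather than resolving it. */
    public static boolean saxSkipsExternalEntity() throws Exception {
        final boolean[] skipped = { false };
        SAXParser parser = hardenedSaxFactory().newSAXParser();
        parser.parse(new InputSource(new StringReader(PROBE)), new DefaultHandler() {
            @Override
            public void skippedEntity(String name) { skipped[0] = "ext".equals(name); }
        });
        return skipped[0];
    }

    public static void main(String[] args) throws Exception {
        System.out.println("SAX parser skipped the external entity: " + saxSkipsExternalEntity());
    }
}
```

With the JDK's built-in Xerces, the skipped entity surfaces through `skippedEntity` and the element's text stays empty; if the DOCTYPE is disallowed outright, the parse fails with a `SAXParseException` instead, which is the preferable behaviour for a service that never expects a DTD.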