users@jersey.java.net

Re: [Jersey] SAXParserContextProvider and secure-processing Exception

From: Paul Sandoz <Paul.Sandoz_at_Sun.COM>
Date: Wed, 30 Dec 2009 11:06:27 +0100

Hi Cemo,

On Dec 29, 2009, at 6:28 PM, Cemo Koc wrote:

>
> Hi all,
>
> I have a GFv3 server with 5 applications. Each of them has its own client
> module with Jersey Client. I am using the latest snapshot of Jersey...
>
> My problem is about SAX...
>
> [#|2009-12-29T18:15:09.879+0200|WARNING|glassfishv3.0|
> com.sun.jersey.core.impl.provider.xml.SAXParserContextProvider|
> _ThreadID=27;_ThreadName=Thread-1;|JAXP
> feature XMLConstants.FEATURE_SECURE_PROCESSING cannot be set on a
> SAXParserFactory. External general entity processing is disbaled but
> other
> potential securty related features will not be enabled.
> org.xml.sax.SAXNotRecognizedException: Feature
> 'http://javax.xml.XMLConstants/feature/secure-processing' is not
> recognized.
> at
> org.apache.xerces.parsers.AbstractSAXParser.setFeature(Unknown
> Source)
> at org.apache.xerces.jaxp.SAXParserImpl.setFeatures(Unknown
> Source)
> at org.apache.xerces.jaxp.SAXParserImpl.<init>(Unknown Source)
>
>
> 1) Is there anyone who has an idea about what is causing this exception?
>

The Apache Xerces implementation that you are using, and included in
the war?, does not support the feature
"http://javax.xml.XMLConstants/feature/secure-processing":

   http://java.sun.com/javase/6/docs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING

By default Jersey will enable secure XML processing where possible
and log a warning if this cannot be set.


>
> As my second attempt to solve the problem in my client, to prohibit its
> usage, I tried to use
>
>
> DefaultClientConfig config = new DefaultClientConfig();
>
> config.getProperties().put(ClientConfig.FEATURE_DISABLE_XML_SECURITY, "true");
> client = Client.create(config);
>


You need to do the following:

   config.getFeatures().put(ClientConfig.FEATURE_DISABLE_XML_SECURITY, true);


> and
>
>
> <param-name>com.sun.jersey.config.feature.DisableXmlSecurity</param-name>
> <param-value>true</param-value>
>

The above is correct for server configuration in the web.xml.


> But when I am debugging I could sometimes successfully see another
> Config which has that feature enabled...
>
> disableXmlSecurity =
> fps.getFeature(FeaturesAndProperties.FEATURE_DISABLE_XML_SECURITY);
>
>
> 2 ) Is this behaviour expected?
>
>
> 3 ) How can I fix these errors?
>

Upgrade Xerces to a JAXP supported version (assuming there is one) or
use the default provided by the JDK.

Paul.
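
A diagnostic for the situation discussed in this thread, added here as an example (it is not code from Jersey or from either poster). It reports which SAXParserFactory implementation JAXP resolves and where it was loaded from, probes whether that implementation accepts FEATURE_SECURE_PROCESSING, and builds a factory with external entity processing switched off, failing closed if that is not possible. The class name `SaxSecureProcessingCheck` and its helper methods are hypothetical.

```java
import java.security.CodeSource;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;

public class SaxSecureProcessingCheck {
    // Standard SAX feature URIs, used as the fallback when secure-processing is rejected.
    static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";

    /** Probes a feature on a throwaway factory so a rejected setting never sticks. */
    static boolean accepts(String feature, boolean value) {
        try {
            SAXParserFactory probe = SAXParserFactory.newInstance();
            probe.setFeature(feature, value);
            probe.newSAXParser(); // some implementations only fail when a parser is built
            return true;
        } catch (Exception e) {
            System.out.println("  rejected " + feature + " -> " + e);
            return false;
        }
    }

    /** Applies every accepted hardening feature; refuses a parser that keeps external entities on. */
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        if (accepts(XMLConstants.FEATURE_SECURE_PROCESSING, true)) {
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        } else {
            System.out.println("  WARNING: secure-processing unavailable, limits are not enforced");
        }
        for (String feature : new String[] {EXT_GENERAL, EXT_PARAMETER}) {
            if (!accepts(feature, false)) {
                throw new IllegalStateException("cannot disable " + feature);
            }
            f.setFeature(feature, false);
        }
        return f;
    }

    public static void main(String[] args) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        CodeSource src = f.getClass().getProtectionDomain().getCodeSource();
        // A null code source means the class came from the JDK itself, not a bundled jar.
        System.out.println("factory:     " + f.getClass().getName());
        System.out.println("loaded from: " + (src == null ? "JDK (bootstrap)" : src.getLocation()));
        hardenedFactory();
        System.out.println("hardened factory created");
    }
}
```

Run it with the same classpath as the web application: a "loaded from" line pointing at a Xerces jar inside the WAR identifies the bundled parser that produces the warning.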