users@jersey.java.net

Re: [Jersey] SAXParserContextProvider and secure-processing Exception

From: Cemo Koc <cem.koc.fwd_at_gmail.com>
Date: Wed, 30 Dec 2009 03:42:39 -0800 (PST)

Hi Paul,

I am using the JAXB implementation of Sun.

<dependency>
    <groupId>com.sun.xml.bind</groupId>
    <artifactId>jaxb-impl</artifactId>
    <version>2.1.12</version>
</dependency>

But I do not know why it is raising exceptions.

Thanks





Paul Sandoz wrote:
>
> Hi Cemo,
>
> On Dec 29, 2009, at 6:28 PM, Cemo Koc wrote:
>
>>
>> Hi all,
>>
>> I have a GFv3 server with 5 applications. Each of them has its own
>> client module with Jersey Client. I am using the latest snapshot of Jersey...
>>
>> My problem is about SAX...
>>
>> [#|2009-12-29T18:15:09.879+0200|WARNING|glassfishv3.0|com.sun.jersey.core.impl.provider.xml.SAXParserContextProvider|_ThreadID=27;_ThreadName=Thread-1;|JAXP feature XMLConstants.FEATURE_SECURE_PROCESSING cannot be set on a SAXParserFactory. External general entity processing is disbaled but other potential securty related features will not be enabled.
>> org.xml.sax.SAXNotRecognizedException: Feature 'http://javax.xml.XMLConstants/feature/secure-processing' is not recognized.
>> at org.apache.xerces.parsers.AbstractSAXParser.setFeature(Unknown Source)
>> at org.apache.xerces.jaxp.SAXParserImpl.setFeatures(Unknown Source)
>> at org.apache.xerces.jaxp.SAXParserImpl.<init>(Unknown Source)
>>
>>
>> 1) Is there anyone who has an idea about what is causing this exception?
>>
>
> The Apache Xerces implementation that you are using, and included in
> the war?, does not support the feature
> "http://javax.xml.XMLConstants/feature/secure-processing":
>
>
> http://java.sun.com/javase/6/docs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING
>
> By default Jersey will enable secure XML processing where possible
> and log a warning if this cannot be set.
>
>
>>
>> As my second attempt to solve the problem, to prohibit its usage in
>> my client, I tried to use
>>
>>
>> DefaultClientConfig config = new DefaultClientConfig();
>>
>> config.getProperties().put(ClientConfig.FEATURE_DISABLE_XML_SECURITY,
>> "true");
>> client = Client.create(config);
>>
>
>
> You need to do the following:
>
> config.getFeatures().put(ClientConfig.FEATURE_DISABLE_XML_SECURITY,
> true);
>
>
>> and
>>
>>
>> <param-name>com.sun.jersey.config.feature.DisableXmlSecurity</param-name>
>> <param-value>true</param-value>
>>
>
> The above is correct for server configuration in the web.xml.
>
>
>> But when I am debugging I could sometimes successfully see another
>> Config which has that feature enabled...
>>
>> disableXmlSecurity =
>> fps.getFeature(FeaturesAndProperties.FEATURE_DISABLE_XML_SECURITY);
>>
>>
>> 2 ) Is this behaviour expected?
>>
>>
>> 3 ) How can I fix these errors?
>>
>
> Upgrade Xerces to a JAXP supported version (assuming there is one) or
> use the default provided by the JDK.
>
> Paul.
>
>

-- 
View this message in context: http://n2.nabble.com/SAXParserContextProvider-and-secure-processing-Exception-tp4228536p4231890.html
Sent from the Jersey mailing list archive at Nabble.com.
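
Added example, not part of the original thread and not Jersey's own code: a stand-alone check that prints which SAXParserFactory implementation JAXP selected and where it was loaded from, then tries FEATURE_SECURE_PROCESSING and, as the warning in the thread describes, falls back to disabling external entity processing. The class name SecureSaxFactoryCheck, the helper trySet and the fallback feature list are assumptions made for this illustration.

```java
import java.security.CodeSource;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;

public class SecureSaxFactoryCheck {
    // Standard SAX feature URIs, switched off as a fallback when the
    // parser does not recognize FEATURE_SECURE_PROCESSING (assumed list).
    static final String[] FALLBACK_OFF = {
        "http://xml.org/sax/features/external-general-entities",
        "http://xml.org/sax/features/external-parameter-entities"
    };

    /** Tries to set one feature; reports the failure instead of throwing. */
    static boolean trySet(SAXParserFactory f, String uri, boolean value) {
        try {
            f.setFeature(uri, value);
            return true;
        } catch (Exception e) {
            // SAXNotRecognizedException, SAXNotSupportedException or
            // ParserConfigurationException, depending on the implementation.
            System.out.println("  not applied: " + uri
                    + " (" + e.getClass().getSimpleName() + ")");
            return false;
        }
    }

    public static void main(String[] args) {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);

        // Which implementation did JAXP pick, and from which jar?
        // A bundled Xerces shows up here as a jar inside the war.
        CodeSource src = f.getClass().getProtectionDomain().getCodeSource();
        System.out.println("factory:     " + f.getClass().getName());
        System.out.println("loaded from: "
                + (src == null ? "no code source (typically the JDK's own parser)"
                               : String.valueOf(src.getLocation())));

        boolean secure = trySet(f, XMLConstants.FEATURE_SECURE_PROCESSING, true);
        System.out.println("secure-processing set: " + secure);

        // Applied in both cases, so entity resolution stays off even when
        // secure processing could not be enabled.
        for (String uri : FALLBACK_OFF) {
            System.out.println(uri + " disabled: " + trySet(f, uri, false));
        }
    }
}
```

Run it with the same classpath as the deployed application so that the factory lookup resolves to the same parser the application gets.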