Re: [Jersey] SAX Feature error in Jersey

From: Paul Sandoz <Paul.Sandoz_at_Sun.COM>
Date: Wed, 17 Feb 2010 09:28:43 +0100

On Feb 17, 2010, at 1:06 AM, Phil Griffin wrote:

> Hi Paul,
> Thanks for the reply. It's a little hard to confirm what version the
> SAX parser is...looks like it could be Xerces 2.8.1?
> Is it likely the change in behavior occurred between Jersey 1.0.2
> and

Yes, i added support for setting the security settings on the JAXP
parsers in Jersey and 1.1.4.

Actually i went back and looked at the code and you can disable this,

> If so, what version of Xerces would be compatible?

Not sure :-( but Tatu provides some more details in his email.


> -Phil
> On 2/16/2010 2:15 PM, Paul Sandoz wrote:
>> Hi Phil,
>> What is the implementation and version of the SAX parser you are
>> using?
>> This warning is important because Jersey cannot configure the
>> parsing to protect against certain XML-based denial of service
>> attacks. So if you are building public-facing services that consume
>> XML your application could be at risk.
>> Currently the only way to disable this is to disable JDK logging.
>> If you really need this disabled can you log a enhancement and we
>> can had a feature to disable security-based configuration?
>> Paul.
>> On Feb 16, 2010, at 6:54 PM, Phil Griffin wrote:
>>> I recently updated our Jersey jars to and began getting a
>>> JAXP parser registry exception for a non-supported feature (in the
>>> factory I'm required to use). Is there a way to disable the
>>> com.sun.jersey.core.provider.jaxb.AbstractJAXBProvider or Jersey
>>> from expecting this feature?
>>> WebLogicSAXParser cannot be created.SAX feature
>>> @ &#39;' not
>>> supported
>>> Thanks,
>>> Phil