On Feb 17, 2010, at 1:06 AM, Phil Griffin wrote:
> Hi Paul,
> Thanks for the reply. It's a little hard to confirm what version the
> SAX parser is...looks like it could be Xerces 2.8.1?
> Is it likely the change in behavior occurred between Jersey 1.0.2
> and 1.1.4.1?
Yes, I added support for setting the security settings on the JAXP
parsers in Jersey 1.0.3.1 and 1.1.4.
Actually I went back and looked at the code and you can disable this,
see:
https://jersey.dev.java.net/nonav/apidocs/latest/jersey/com/sun/jersey/core/util/FeaturesAndProperties.html#FEATURE_DISABLE_XML_SECURITY
> If so, what version of Xerces would be compatible?
>
Not sure :-( but Tatu provides some more details in his email.
Paul.
> -Phil
>
> On 2/16/2010 2:15 PM, Paul Sandoz wrote:
>>
>> Hi Phil,
>>
>> What is the implementation and version of the SAX parser you are
>> using?
>>
>> This warning is important because Jersey cannot configure the
>> parsing to protect against certain XML-based denial of service
>> attacks. So if you are building public-facing services that consume
>> XML your application could be at risk.
>>
>> Currently the only way to disable this is to disable JDK logging.
>>
>> If you really need this disabled can you log an enhancement and we
>> can add a feature to disable security-based configuration?
>>
>> Paul.
>>
>> On Feb 16, 2010, at 6:54 PM, Phil Griffin wrote:
>>
>>> I recently updated our Jersey jars to 1.1.4.1 and began getting a
>>> JAXP parser registry exception for a non-supported feature (in the
>>> factory I'm required to use). Is there a way to disable the
>>> com.sun.jersey.core.provider.jaxb.AbstractJAXBProvider or Jersey
>>> from expecting this feature?
>>>
>>> WebLogicSAXParser cannot be created.SAX feature
>>> @ 'http://xml.org/sax/features/external-general-entities' not
>>> supported
>>>
>>> Thanks,
>>> Phil
>>
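The situation in the thread is a parser that rejects one of the hardening features Jersey tries to set, so the protections Paul describes cannot all be applied. The following is an added example, not Jersey's or WebLogic's code: it applies a set of JAXP/SAX hardening features to a SAXParserFactory, records which ones the underlying parser refuses (instead of aborting on the first SAXNotSupportedException), and reports that the parser is not fully locked down. The chosen feature list and the class name SecureSaxFactory are assumptions; the Xerces-specific disallow-doctype-decl feature may need to be dropped if DTDs are legitimately required.

```java
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;

public final class SecureSaxFactory {

    // Features that limit entity expansion and external entity resolution.
    // This list is an assumption for the example, not Jersey's exact set.
    private static final String[][] HARDENING_FEATURES = {
        { XMLConstants.FEATURE_SECURE_PROCESSING, "true" },
        { "http://xml.org/sax/features/external-general-entities", "false" },
        { "http://xml.org/sax/features/external-parameter-entities", "false" },
        { "http://apache.org/xml/features/disallow-doctype-decl", "true" },
    };

    /** Applies the hardening features and returns the URIs the parser rejected. */
    public static List<String> harden(SAXParserFactory factory)
            throws ParserConfigurationException {
        List<String> unsupported = new ArrayList<>();
        for (String[] feature : HARDENING_FEATURES) {
            try {
                factory.setFeature(feature[0], Boolean.parseBoolean(feature[1]));
            } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
                // A parser like the WebLogicSAXParser in the thread lands here:
                // record the gap instead of failing the whole configuration.
                unsupported.add(feature[0]);
            }
        }
        return unsupported;
    }

    public static void main(String[] args) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        String impl = factory.getClass().getName();
        List<String> missing = harden(factory);
        if (missing.isEmpty()) {
            System.out.println("All hardening features accepted by " + impl);
        } else {
            // Equivalent of Jersey's warning: the parser cannot be fully locked down,
            // so XML entity-expansion DoS and external-entity protections are incomplete.
            System.err.println("WARNING: " + impl + " rejected " + missing
                + "; consider a parser that supports them for public-facing XML input");
        }
    }
}
```

Running this against the deployed parser shows which of the features from the thread (such as external-general-entities) it actually honours, which is the information needed to decide whether disabling FEATURE_DISABLE_XML_SECURITY leaves the service exposed.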