On 2/17/2010 1:28 AM, Paul Sandoz wrote:
>
> On Feb 17, 2010, at 1:06 AM, Phil Griffin wrote:
>
>> Hi Paul,
>> Thanks for the reply. It's a little hard to confirm what version the
>> SAX parser is...looks like it could be Xerces 2.8.1?
>> Is it likely the change in behavior occurred between Jersey 1.0.2 and
>> 1.1.4.1?
>
> Yes, I added support for setting the security settings on the JAXP
> parsers in Jersey 1.0.3.1 and 1.1.4.
>
> Actually I went back and looked at the code and you can disable this, see:
>
> https://jersey.dev.java.net/nonav/apidocs/latest/jersey/com/sun/jersey/core/util/FeaturesAndProperties.html#FEATURE_DISABLE_XML_SECURITY
Thanks - yes, adding this to web.xml is a workaround (while I'm
confirming whether the bundled Xerces I'm required to use can be updated):

    <init-param>
        <param-name>com.sun.jersey.config.feature.DisableXmlSecurity</param-name>
        <param-value>true</param-value>
    </init-param>
>
>
>> If so, what version of Xerces would be compatible?
>>
>
> Not sure :-( but Tatu provides some more details in his email.
>
> Paul.
>
>> -Phil
>>
>> On 2/16/2010 2:15 PM, Paul Sandoz wrote:
>>> Hi Phil,
>>>
>>> What is the implementation and version of the SAX parser you are using?
>>>
>>> This warning is important because Jersey cannot configure the
>>> parsing to protect against certain XML-based denial of service
>>> attacks. So if you are building public-facing services that consume
>>> XML your application could be at risk.
>>>
>>> Currently the only way to disable this is to disable JDK logging.
>>>
>>> If you really need this disabled can you log an enhancement and we
>>> can add a feature to disable security-based configuration?
>>>
>>> Paul.
>>>
>>> On Feb 16, 2010, at 6:54 PM, Phil Griffin wrote:
>>>
>>>> I recently updated our Jersey jars to 1.1.4.1 and began getting a
>>>> JAXP parser registry exception for a non-supported feature (in the
>>>> factory I'm required to use). Is there a way to disable the
>>>> com.sun.jersey.core.provider.jaxb.AbstractJAXBProvider or Jersey
>>>> from expecting this feature?
>>>>
>>>> WebLogicSAXParser cannot be created.SAX feature
>>>> @ 'http://xml.org/sax/features/external-general-entities' not
>>>> supported
>>>>
>>>> Thanks,
>>>> Phil
>>>
>
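
Added example (not part of the original thread and not Jersey's own code): a stand-alone check that reports which entity-related features the JAXP SAX factory on the classpath rejects, and refuses to parse untrusted XML if any of them cannot be set. It assumes the factory returned by SAXParserFactory.newInstance() is the one the application uses; the class name, the choice of three features and the sample XML are constructed for illustration.

```java
import java.io.StringReader;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

public class SaxHardeningCheck {
    // Features a hardened parser should accept, with the value to set (illustrative selection).
    static Map<String, Boolean> wanted() {
        Map<String, Boolean> m = new LinkedHashMap<>();
        m.put(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        m.put("http://xml.org/sax/features/external-general-entities", false);
        m.put("http://xml.org/sax/features/external-parameter-entities", false);
        return m;
    }

    // Try each feature and record the ones the factory rejects instead of aborting on the first.
    static Map<String, String> harden(SAXParserFactory f) {
        Map<String, String> rejected = new LinkedHashMap<>();
        for (Map.Entry<String, Boolean> e : wanted().entrySet()) {
            try {
                f.setFeature(e.getKey(), e.getValue());
            } catch (Exception ex) {
                // ParserConfigurationException, SAXNotRecognizedException or SAXNotSupportedException
                rejected.put(e.getKey(), ex.toString());
            }
        }
        return rejected;
    }

    public static void main(String[] args) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        Map<String, String> rejected = harden(f);
        rejected.forEach((k, v) -> System.out.println("NOT APPLIED: " + k + " (" + v + ")"));
        if (!rejected.isEmpty()) {
            // Fail closed: a parser that could not be hardened should not see untrusted XML.
            throw new IllegalStateException("SAX parser could not be hardened");
        }
        // Constructed sample input with no DTD; parses normally on a hardened parser.
        String xml = "<order id=\"1\"><item>widget</item></order>";
        f.newSAXParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
        System.out.println("Parsed with all hardening features applied");
    }
}
```

Running this inside the same container and classpath as the service shows whether the bundled parser accepts the settings before the DisableXmlSecurity workaround is removed.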