stackoom
  简体   繁体   中英

Prevent XXE attack on jboss 4.2

 原文  2015-07-21 11:10:43       java/ web-services/ jboss/ jaxb/ xxe

Question

Is it possible to prevent an xxe attack on web service deployed on jboss 4.2 somehow? WS is defined by annotation. I can not find any configuration to disable supporting external entities and dtd.

In this post ( Prevent XXE Attack with JAXB ) is a solution for parsing soap in servlet, but i need something for annotated WS.

1 answers

solution1
 1  2015-07-27 11:06:36

After long hours of debuging jboss's code I've found a fix for XXE attack on jboss 4.2.2

In DOMUtils.class (located in jbossws-common.jar) I've added extra features on DocumentBuilderFactory instance: 

factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

It solves the problem.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to prevent XXE attack Prevent XXE Attack with XStream Prevent XXE Attack with JAXB Prevent XXE Attack with JAXB XMLStreamReader How to prevent XML Injection like XML Bomb and XXE attack XXE billion laughs attack seems not to be mitigated as expected by the Sonar recommended solution to prevent XXE attacks JAXB XXE attack with Default Parser Prevent XXE fortify issue for TrasnformerFactory JspC in jboss 4.2 distribution Jboss 4.2 Class Loading
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM