This is regarding avoiding XXE attacks while using JAXB APIs. I understand that when using JAXB, the default parsing mechanism can be overridden and an alternate SAX parser can be employed, with entity features set to avoid XXE attacks. But I would like to understand what exactly the default parser is and get the security features set on it. Any help?
What remains to be answered after reading the javadoc for Unmarshaller (class) and `Object unmarshal(Source source)`? I could quote it all in an answer, but this seems ridiculous. You can easily read the source code for the Unmarshaller implementation. – laune Aug 09 '14 at 06:36
1 Answer
You could do the following by leveraging JAXB with a StAX parser with external entity support disabled:
import javax.xml.bind.*;
import javax.xml.stream.*;
import javax.xml.transform.stream.StreamSource;

public class Demo {
    public static void main(String[] args) throws Exception {
        // Customer is the JAXB-bound class (not shown in the answer).
        JAXBContext jc = JAXBContext.newInstance(Customer.class);
        Unmarshaller unmarshaller = jc.createUnmarshaller();

        // Build a StAX reader ourselves instead of letting JAXB pick a parser,
        // and turn off external entity resolution before reading any input.
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader xsr = xif.createXMLStreamReader(new StreamSource("input.xml"));

        // JAXB consumes the hardened reader, so the document is parsed under those settings.
        Customer customer = (Customer) unmarshaller.unmarshal(xsr);

        Marshaller marshaller = jc.createMarshaller();
        marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
        marshaller.marshal(customer, System.out);
    }
}

bdoughan
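Added example (not code from the answer above or from the JAXB project) showing both hardening routes this thread mentions side by side: the StAX XMLInputFactory route with DTD support switched off as well as external entities, and the "alternate SAX parser" route from the question, where a SAXParserFactory with the standard JAXP/Xerces XXE features is handed to the same Unmarshaller as a SAXSource. `Customer` is an assumed minimal bound class and the two inline XML strings are constructed inputs.

```java
import javax.xml.XMLConstants;
import javax.xml.bind.*;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.*;
import javax.xml.transform.sax.SAXSource;
import java.io.StringReader;
import org.xml.sax.InputSource;

public class SafeUnmarshal {
    // Assumed minimal bound class; stands in for the Customer type in the answer.
    @XmlRootElement(name = "customer")
    public static class Customer { public String name; }

    // Route 1: the answer's StAX approach plus SUPPORT_DTD=false, so DOCTYPE
    // content is not processed at all and external entities are never resolved.
    static Customer viaStax(JAXBContext jc, String xml) throws Exception {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
        return (Customer) jc.createUnmarshaller().unmarshal(xsr);
    }

    // Route 2: the "alternate SAX parser" the question mentions, hardened with the
    // standard JAXP/Xerces features and handed to JAXB as a SAXSource.
    static Customer viaSax(JAXBContext jc, String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);  // JAXB expects a namespace-aware reader
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        SAXSource src = new SAXSource(spf.newSAXParser().getXMLReader(),
                                      new InputSource(new StringReader(xml)));
        return (Customer) jc.createUnmarshaller().unmarshal(src);
    }

    public static void main(String[] args) throws Exception {
        JAXBContext jc = JAXBContext.newInstance(Customer.class);
        // Constructed inputs: a plain document, and one carrying a DOCTYPE plus an
        // entity reference. Both routes refuse the second rather than expanding it.
        String plain = "<customer><name>Alice</name></customer>";
        String doctyped = "<!DOCTYPE customer [<!ENTITY e \"x\">]><customer><name>&e;</name></customer>";
        System.out.println("stax: " + viaStax(jc, plain).name);
        System.out.println("sax:  " + viaSax(jc, plain).name);
        try { viaStax(jc, doctyped); } catch (Exception e) { System.out.println("stax rejected: " + e); }
        try { viaSax(jc, doctyped);  } catch (Exception e) { System.out.println("sax rejected:  " + e); }
    }
}
```

The point of passing your own reader or SAXSource is that the parser settings are fixed before JAXB ever sees the bytes, instead of depending on whatever parser the `unmarshal(File)` or `unmarshal(InputStream)` overloads construct internally.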