jersey-client, jersey-2.0

WARNING: JAXP feature XMLConstants.FEATURE_SECURE_PROCESSING on Jersey 2.x Client


Sep 22, 2013 5:15:00 PM org.glassfish.jersey.message.internal.SecureSaxParserFactory

WARNING: JAXP feature XMLConstants.FEATURE_SECURE_PROCESSING cannot be set on a SAXParserFactory. External general entity processing is disabled but other potential security related features will not be enabled.
org.xml.sax.SAXNotRecognizedException: Feature 'http://javax.xml.XMLConstants/feature/secure-processing' is not recognized.
    at org.apache.xerces.parsers.AbstractSAXParser.setFeature(Unknown Source)
    at org.apache.xerces.jaxp.SAXParserImpl.setFeatures(Unknown Source)
    at org.apache.xerces.jaxp.SAXParserImpl.<init>(Unknown Source)
    at org.apache.xerces.jaxp.SAXParserFactoryImpl.newSAXParserImpl(Unknown Source)
    at org.apache.xerces.jaxp.SAXParserFactoryImpl.setFeature(Unknown Source)
    at org.glassfish.jersey.message.internal.SecureSaxParserFactory.<init>(SecureSaxParserFactory.java:107)...

I can use

    config.getFeatures().put(FeaturesAndProperties.FEATURE_DISABLE_XML_SECURITY, true);

to avoid this warning message on Jersey 1.x, but when I migrated to Jersey 2.x, this feature setting no longer exists. How can I avoid the warning on Jersey 2.x? Thanks!


Solution

  • In JAXP 1.3, which is bundled with Java 1.5 and available as an option in earlier versions, you can limit all of these potential overflows by setting the SAX feature http://javax.xml.XMLConstants/feature/secure-processing (XMLConstants.FEATURE_SECURE_PROCESSING). Once you've set that feature, any excessively long constructs -- whether too many attributes in an element or too many characters in an element name -- will be treated as well-formedness errors. This means you may end up rejecting some genuinely well-formed documents; however, the default values are quite large and can handle most realistic documents.

    In Jersey 2.x, the check for whether this feature is disabled lives in org.glassfish.jersey.message.internal.AbstractXmlFactory:

        boolean isXmlSecurityDisabled() {
            return PropertiesHelper.isProperty(config.getProperty(MessageProperties.XML_SECURITY_DISABLE));
        }

    So Jersey uses the MessageProperties.XML_SECURITY_DISABLE property to check this setting.

    So we can set it separately on each side. Server:

    import javax.ws.rs.ApplicationPath;
    import org.glassfish.jersey.message.MessageProperties;
    import org.glassfish.jersey.server.ResourceConfig;

    @ApplicationPath("/*")
    public class XXXResourceConfig extends ResourceConfig {
        public XXXResourceConfig() {
            packages("xxx.yyy.zzz");
            // Turns off Jersey's secure XML parser wrapper (and with it the warning).
            property(MessageProperties.XML_SECURITY_DISABLE, Boolean.TRUE);
        }
    }
    

    Client:

    import org.glassfish.jersey.client.ClientConfig;
    import org.glassfish.jersey.message.MessageProperties;

    ClientConfig config = new ClientConfig();
    ...
    config.property(MessageProperties.XML_SECURITY_DISABLE, Boolean.TRUE);
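Setting that property silences the warning by taking Jersey's SecureSaxParserFactory wrapper out of the picture, and the protection it adds goes with it (the warning text itself says the wrapper disables external general entity processing). The check below is an added example written for this page, not code from the question, the answer, or Jersey. It reports which SAXParserFactory implementation is on the classpath and whether it accepts XMLConstants.FEATURE_SECURE_PROCESSING, the condition behind the SAXNotRecognizedException in the question's stack trace, and it shows a factory hardened by hand so an application can keep parsing safely without XML_SECURITY_DISABLE. The class name, the constructed XXE sample document, and the Xerces feature URIs (understood by the JDK's bundled parser and by Xerces-J 2.x; an older parser rejects them with the same SAXNotRecognizedException) are assumptions of the example.

```java
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical class name; not part of Jersey or of the original post.
public class SecureSaxCheck {

    // Constructed sample for this example: a document declaring an external
    // general entity that points at a local file. A parser with external
    // entity processing enabled would read the file and substitute it into <name>.
    private static final String XXE_SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE user [ <!ENTITY ext SYSTEM \"file:///etc/hostname\"> ]>\n"
      + "<user><name>&ext;</name></user>";

    /** True if the factory on the classpath accepts FEATURE_SECURE_PROCESSING. */
    static boolean supportsSecureProcessing(SAXParserFactory factory) {
        try {
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            return true;
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            // Same failure as in the question: the parser predates this JAXP feature.
            return false;
        } catch (ParserConfigurationException e) {
            return false;
        }
    }

    /** A factory hardened by hand, as an alternative to disabling Jersey's XML security. */
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Xerces feature URIs (assumed supported by the parser in use).
        // Forbidding the DOCTYPE altogether stops XXE and entity-expansion attacks.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        return factory;
    }

    /** True when the parser refuses the document, which is what we want for XXE_SAMPLE. */
    static boolean rejects(SAXParserFactory factory, String xml) throws Exception {
        SAXParser parser = factory.newSAXParser();
        try {
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return false;
        } catch (SAXException e) {
            // With disallow-doctype-decl set, the DOCTYPE itself is reported as a parse error.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        SAXParserFactory defaultFactory = SAXParserFactory.newInstance();
        System.out.println("SAXParserFactory impl: " + defaultFactory.getClass().getName());
        System.out.println("FEATURE_SECURE_PROCESSING accepted: "
            + supportsSecureProcessing(defaultFactory));
        System.out.println("Hardened parser rejects XXE sample: "
            + rejects(hardenedFactory(), XXE_SAMPLE));
    }
}
```

Run it on the same classpath as the application. If the first check prints false, the Xerces jar on the classpath does not support the feature that SecureSaxParserFactory tries to set; upgrading it, or removing it so the JDK's own parser is used, makes the warning go away without setting XML_SECURITY_DISABLE, and the parser keeps its entity-expansion limits.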