WebLogic XML External Entity Resolution: Is there any other way besides using an XML registry?

We have an application that uses SiteMesh, and when WebLogic tries to parse the TLD files, it sees the DOCTYPE declaration, which contains a link to the DTD at "http://java.sun.com/dtd/web-jsptaglibrary_1_2.dtd".

The server cannot initiate outgoing Internet connections and therefore cannot retrieve the DTD, which causes the application deployment to fail.

I understand that this problem can be solved by setting up an XML registry in the WebLogic console and specifying the local file that should be returned when the server tries to resolve, for example, "http://java.sun.com/dtd/web-jsptaglibrary_1_2.dtd".

Is there another way to prevent the server from going online to resolve a reference to an external entity? Packaging the DTDs with the application and somehow telling the server to look for DTDs there, and not "out there"?

+4
1 answer

Quick question: are you trying to do this for security reasons? To prevent any XXE attack?

If so, you can implement your own EntityResolver and handle how the parser searches locally or remotely.

Examples can be found here: https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=61702260

Otherwise, you need to set the XMLInputFactory configuration properties to get the desired behavior, especially javax.xml.stream.isSupportingExternalEntities and javax.xml.stream.isValidating; it just depends on whether you think you need validation.

http://docs.oracle.com/javaee/5/api/javax/xml/stream/XMLInputFactory.html

Also check out the StAX parser if that makes sense for your use.

+2
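
The custom EntityResolver suggested in the answer above, as an added example (not code from the original post or the linked CERT page): it serves the TLD DTD from a local copy and rejects every other external entity instead of letting the parser fetch it. The class names, the inline stub DTD and the application-created DocumentBuilder are assumptions; a real deployment would load the packaged DTD file from the classpath.

```java
import java.io.StringReader;
import java.util.Map;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class LocalDtdResolverDemo {
    static final String TLD_DTD = "http://java.sun.com/dtd/web-jsptaglibrary_1_2.dtd";

    // Constructed stand-in for the real DTD, keyed by the system ID from the DOCTYPE.
    static final Map<String, String> LOCAL_DTDS = Map.of(TLD_DTD,
        "<!ELEMENT taglib (tlib-version)>\n<!ELEMENT tlib-version (#PCDATA)>\n");

    /** Serves allow-listed DTDs locally and refuses any other external entity. */
    static class LocalDtdResolver implements EntityResolver {
        @Override
        public InputSource resolveEntity(String publicId, String systemId) throws SAXException {
            String dtd = LOCAL_DTDS.get(systemId);
            if (dtd == null) {
                // Returning null would tell the parser to open systemId itself.
                throw new SAXException("Blocked external entity: " + systemId);
            }
            InputSource src = new InputSource(new StringReader(dtd));
            src.setSystemId(systemId);
            return src;
        }
    }

    static Document parse(String xml) throws Exception {
        DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        db.setEntityResolver(new LocalDtdResolver());
        return db.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed TLD: its DOCTYPE is answered from LOCAL_DTDS, no network access.
        String tld = "<!DOCTYPE taglib PUBLIC \"-//Sun Microsystems, Inc.//DTD JSP Tag Library 1.2//EN\" \""
            + TLD_DTD + "\"><taglib><tlib-version>1.0</tlib-version></taglib>";
        System.out.println("Parsed root: " + parse(tld).getDocumentElement().getNodeName());

        // Constructed document referencing an entity that is not on the allow-list.
        String other = "<!DOCTYPE r [<!ENTITY x SYSTEM \"http://example.invalid/x.ent\">]><r>&x;</r>";
        try { parse(other); } catch (SAXException e) { System.out.println(e.getMessage()); }
    }
}
```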