Prevent parsing XML files containing DTDs with Jaxb2Marshaller

I have seen many solutions using XMLInputFactory, SAXParser and DocumentBuilderFactory. Our web service is Spring-based, and the only thing we do is:

import org.springframework.context.annotation.Bean;
import org.springframework.oxm.jaxb.Jaxb2Marshaller;

@Bean
public Jaxb2Marshaller unmarshaller() {
   Jaxb2Marshaller unmarshaller = new Jaxb2Marshaller();
   unmarshaller.setContextPath("foo");              // package of the JAXB-bound classes
   unmarshaller.setProcessExternalEntities(false);  // do not resolve external entities
   return unmarshaller;
}

And then we pass this marshaller and unmarshaller to MarshallingPayloadMethodProcessor. So my question is: is there some property of Jaxb2Marshaller that will prevent DTDs? Something like: unmarshaller.setProperty(foo.SUPPORT_DTD, false);

We have an .xsd schema, but in the case of an XML bomb the object would only be rejected by validation, so it seems like this is not a solution.

1 answer

As far as I can see from the code, this should be the default behavior.

JAXB RI has the property com.sun.xml.bind.disableXmlSecurity, which defaults to false. Unless XML security has been disabled through that property, JAXB RI enables FEATURE_SECURE_PROCESSING on the parser factory it creates:

// fragment of the JAXB RI's SAXParserFactory setup; LOGGER, disableSecureProcessing
// and isXMLSecurityDisabled() belong to the enclosing JAXB RI class
SAXParserFactory factory = SAXParserFactory.newInstance();
if (LOGGER.isLoggable(Level.FINE)) {
    LOGGER.log(Level.FINE, "SAXParserFactory instance: {0}", factory);
}
factory.setNamespaceAware(true);
// secure processing stays on unless com.sun.xml.bind.disableXmlSecurity is true
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
return factory;

Which should also take care of javax.xml.accessExternalDTD.

See also: DTD JAXB2.0

Hope this helps.

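The answer above relies on FEATURE_SECURE_PROCESSING. As an added example that is not part of the original question or answer, the following stand-alone Java program hands JAXB a SAX reader configured the way the quoted JAXB RI code configures its factory, plus the Xerces disallow-doctype-decl feature, and shows the difference on constructed input: secure processing alone caps entity expansion and (on JDK 7u40 and later) blocks external DTD and schema access, but it still parses an inline DOCTYPE; only disallow-doctype-decl rejects the DOCTYPE the question is worried about. The class and method names (DoctypeRejectingUnmarshal, hardenedReader, unmarshal, Order) and the sample XML are made up for this example; it assumes JDK 8, or the javax.xml.bind API plus a JAXB runtime on the classpath on newer JDKs.

```java
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.UnmarshalException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;

import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class DoctypeRejectingUnmarshal {

    // Minimal JAXB-bound type for the example (not from the original post).
    @XmlRootElement(name = "order")
    public static class Order {
        public String note;
    }

    // Constructed sample input: a document with an internal DTD subset. Harmless
    // by itself, but a DOCTYPE is exactly what an entity-expansion ("XML bomb")
    // payload needs, so the goal is to refuse it before any entity is declared.
    static final String XML_WITH_DOCTYPE =
            "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE order [ <!ENTITY lol \"lol\"> ]>\n"
            + "<order><note>&lol;</note></order>";

    static final String XML_PLAIN = "<order><note>hello</note></order>";

    // Builds the SAX reader JAXB will parse with. FEATURE_SECURE_PROCESSING is what
    // the JAXB RI turns on by default: it limits entity expansion and blocks external
    // DTD/schema access, but an inline DOCTYPE still gets parsed. disallow-doctype-decl
    // is the Xerces feature that rejects the DOCTYPE outright; the remaining features
    // close the external-entity paths in case DTDs are ever allowed again.
    static XMLReader hardenedReader(boolean allowDtd) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", !allowDtd);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return factory.newSAXParser().getXMLReader();
    }

    // Unmarshals through a SAXSource so the hardened reader, not JAXB's own, does the parsing.
    static Order unmarshal(String xml, boolean allowDtd) throws Exception {
        Unmarshaller unmarshaller = JAXBContext.newInstance(Order.class).createUnmarshaller();
        SAXSource source = new SAXSource(hardenedReader(allowDtd),
                new InputSource(new StringReader(xml)));
        return (Order) unmarshaller.unmarshal(source);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain document, DTD disallowed:   note=" + unmarshal(XML_PLAIN, false).note);
        System.out.println("DOCTYPE document, DTD allowed:    note=" + unmarshal(XML_WITH_DOCTYPE, true).note);
        try {
            unmarshal(XML_WITH_DOCTYPE, false);
            System.out.println("DOCTYPE document, DTD disallowed: parsed, which is NOT what we want");
        } catch (UnmarshalException e) {
            // JAXB wraps the reader's SAXParseException; the DOCTYPE never reaches JAXB.
            System.out.println("DOCTYPE document, DTD disallowed: rejected with " + e.getCause());
        }
    }
}
```

Spring's Jaxb2Marshaller exposes the same switch as setSupportDtd(false), which is its default: together with setProcessExternalEntities(false) it applies these features to the XMLReader it builds for a StreamSource or SAXSource. A DOMSource or a StAX source is passed on to JAXB untouched, so for those inputs the document has to be parsed by a hardened parser before it reaches the marshaller, as this example does.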
