1

Is it possible to prevent an XXE attack on a web service deployed on JBoss 4.2 somehow? The WS is defined by annotation. I cannot find any configuration to disable support for external entities and DTDs.

In this post (Prevent XXE Attack with JAXB) there is a solution for parsing SOAP in a servlet, but I need something for an annotated WS.

4

1 Answer

1

After a long time debugging the JBoss code, I found the fix for the XXE attack on JBoss 4.2.2.

In DOMUtils.class (located in jbossws-common.jar) I added extra features on the DocumentBuilderFactory instance:

// Do not resolve external general entities declared in the document's DTD
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
// Do not resolve external parameter entities (entities used inside the DTD itself)
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// Do not fetch an external DTD even in non-validating mode (Xerces-specific feature)
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

It solved the problem.

answered 2015-07-27T11:06:36.313
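The following is an added, self-contained example (not code from the answer above and not part of JBoss or jbossws-common) showing the same three Xerces features applied to a DocumentBuilderFactory, plus the disallow-doctype-decl feature, which is not in the answer but closes the remaining gap: with only the three features above, an internal DTD is still accepted, and a parser that does not know the Xerces feature URIs would throw ParserConfigurationException rather than silently stay unprotected. The class name, the method names and the SOAP-shaped sample messages are constructed for the example.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

/** Constructed example: a hardened DOM parser factory, named here for illustration only. */
public class HardenedDomParser {

    /**
     * Builds a DocumentBuilderFactory with the three features from the answer above
     * plus a DOCTYPE ban. setFeature throws ParserConfigurationException if the
     * underlying parser does not recognise a feature, so an unsupported parser fails
     * loudly instead of parsing with entities still enabled.
     */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // The three features from the answer (Xerces / SAX feature URIs)
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Not in the answer: reject any DOCTYPE at all, which also stops internal entity expansion
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces: no XInclude, no entity reference expansion in the DOM
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    /** Parses the XML with the given factory and reports whether the parser accepted it. */
    public static boolean parses(DocumentBuilderFactory factory, String xml) {
        try {
            DocumentBuilder builder = factory.newDocumentBuilder();
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (SAXException | IOException | ParserConfigurationException e) {
            // A rejected DOCTYPE surfaces as SAXException; treat any failure as "not accepted"
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample messages. The first carries an internal DTD with a harmless
        // placeholder entity; no external resource is referenced.
        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE env [<!ENTITY placeholder \"x\">]>"
            + "<env:Envelope xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\">"
            + "<env:Body><op>&placeholder;</op></env:Body></env:Envelope>";
        String plain = "<env:Envelope xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\">"
            + "<env:Body><op>ok</op></env:Body></env:Envelope>";

        DocumentBuilderFactory hardened = hardenedFactory();
        System.out.println("message with DOCTYPE accepted: " + parses(hardened, withDoctype));
        System.out.println("plain message accepted:        " + parses(hardened, plain));
    }
}
```

When run, the DOCTYPE-bearing message is rejected and the plain envelope is accepted. The feature URIs are Xerces feature names, which is what JBoss 4.2 bundles; if a different JAXP implementation is on the classpath, hardenedFactory() throws ParserConfigurationException, which is the desired outcome because it makes a silently unprotected deployment impossible. The same configuration applies wherever the patched DOMUtils is created, but note that patching a jar inside the container is lost on upgrade, so the change should be recorded alongside the deployment.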