0

为了防止XXE攻击,我试图覆盖weblogic 12c的默认DocumentBuilderFactoryImpl并使用我自己的解析器。

我正在尝试下面的代码。

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.ParserConfigurationException;

import com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl;

public class CustomDocumentBuilderFactoryImpl extends DocumentBuilderFactoryImpl  {

    @Override
    public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
        System.out.println("*************************************************************************************");
        System.out.println("*************************************************************************************");
        System.out.println("Adding Features to DocumentBuilder.....");


        super.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
        super.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        super.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
        super.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        super.setFeature("http://apache.org/xml/features/dom/defer-node-expansion", false);
        super.setXIncludeAware(false);
        super.setExpandEntityReferences(false);
        System.out.println("Returning DocumentBuilder.....");
        System.out.println("*************************************************************************************");
        System.out.println("*************************************************************************************");
       return super.newDocumentBuilder();
    }

    @Override
    public void setAttribute(String name, Object value) throws IllegalArgumentException {
        // TODO Auto-generated method stub

    }

    @Override
    public Object getAttribute(String name) throws IllegalArgumentException {
        // TODO Auto-generated method stub
        return null;
    }

    @Override
    public void setFeature(String name, boolean value) throws ParserConfigurationException {
        // TODO Auto-generated method stub

    }

    @Override
    public boolean getFeature(String name) throws ParserConfigurationException {
        // TODO Auto-generated method stub
        return false;
    }

}

但没有运气。

谁能帮我这个?有没有办法做到这一点?

*****编辑******

我已经尝试过 Spring-Security 配置来防止 XXE。

<bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" scope="singleton"
          init-method="initialize">
        <property name="builderFeatures">
            <map>
                <entry key="http://apache.org/xml/features/dom/defer-node-expansion" value="false"/>
                <entry key="http://javax.xml.XMLConstants/feature/secure-processing" value="true"/>
                <entry key="http://apache.org/xml/features/disallow-doctype-decl" value="true"/>
                <entry key="javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING" value="true"/>
            </map>
        </property>
<!--        <property name="builderFactory" ref="builderFactoryCustom"/>-->

        <property name="namespaceAware" value="true"/>
        <property name="expandEntityReferences" value="false"/>
    </bean>

此代码适用于 Tomcat,但不适用于 Weblogic。

4

0 回答 0