I am using WildFly 8.0.0.Beta (which includes RestEasy 3.0.4). I am getting an 
exception (below) for every POST request to JAX-RS web services. I've done some 
digging, and found out that the exception occurs if in web.xml, I set 
resteasy.document.expand.entity.references to false (the recommended value to 
protect against XXE attacks). The POSTs all work fine if I set that to true 
(but obviously the WS is then vulnerable).

This post is a follow-on from my post on JBOSS 4.2.3 and Resteasy 3.0.4 
compatibility.

The (shortened) exception log message is:

09:16:10,504 WARN  [org.jboss.resteasy.core.ExceptionHandler] (default task-7)  
Failed executing POST /services/1.0/tasks/subset/summary: 
org.jboss.resteasy.plugins.providers.jaxb.JAXBUnmarshalException: 
javax.xml.bind.UnmarshalException: unexpected element (uri:"", 
local:"taskFilterSequence"). Expected elements are 
<{http://workflow.services.ewb.idbs.com}activeWorkflows>,
 ...

In JAXBXmlTypeProvider, the code does this if ...expand.entity.references is 
false (this is around line 91):

         if (suppressExpandEntityExpansion())
         {
            unmarshaller = new ExternalEntityUnmarshaller(unmarshaller);
         }

The ExternalEntityUnmarshaller.unmarshal method appears to create an XMLReader 
that is not namespace aware, i.e. no call to 
SAXParserFactory.setNamespaceAware(true).

The default JAXB marshaller that is used when ...expand.entity.references is 
true, IS namespace aware.

So, it would seem that the ExternalEntityUnmarshaller may need to also 
setNamespaceAware(true)? Is there a reason why it is not namespace aware? I 
don't know of the implications of this, so just asking for now. I don't want to 
have to set that expand.entity.references to true because of the vulnerability 
consequences.

The exception is:

09:16:10,504 WARN  [org.jboss.resteasy.core.ExceptionHandler] (default task-10) 
Failed executing POST /services/1.0/tasks/subset/summary: 
org.jboss.resteasy.plugins.providers.jaxb.JAXBUnmarshalException: 
javax.xml.bind.UnmarshalException: unexpected element (uri:"", 
local:"taskFilterSequence"). Expected elements are 
<{http://workflow.services.ewb.idbs.com}activeWorkflows>,
 ...
  at org.jboss.resteasy.plugins.providers.jaxb.JAXBXmlTypeProvider.readFrom(JAXBXmlTypeProvider.java:109) [resteasy-jaxb-provider-3.0.4.Final.jar:]
  at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:59) [resteasy-jaxrs-3.0.4.Final.jar:]
  at org.jboss.resteasy.core.interception.ServerReaderInterceptorContext.readFrom(ServerReaderInterceptorContext.java:62) [resteasy-jaxrs-3.0.4.Final.jar:]
<Snip>
Caused by: javax.xml.bind.UnmarshalException: unexpected element (uri:"", 
local:"taskFilterSequence"). Expected elements are 
<{http://workflow.services.ewb.idbs.com}activeWorkflows>,
 ...
  at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallingContext.handleEvent(UnmarshallingContext.java:662)
  at com.sun.xml.bind.v2.runtime.unmarshaller.Loader.reportError(Loader.java:258)
  at com.sun.xml.bind.v2.runtime.unmarshaller.Loader.reportError(Loader.java:253)
  at com.sun.xml.bind.v2.runtime.unmarshaller.Loader.reportUnexpectedChildElement(Loader.java:120)
  at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallingContext$DefaultRootLoader.childElement(UnmarshallingContext.java:1063)
<snip>
  ... 40 more
_______________________________________________
Resteasy-users mailing list
Resteasy-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/resteasy-users
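The behaviour reported above (a SAX reader that blocks entity expansion but is not namespace aware, so every element arrives with uri:"" and JAXB rejects it) can be reproduced and fixed in isolation. The following is an added example, not the poster's code and not RESTEasy's ExternalEntityUnmarshaller: it builds a hardened XMLReader that both disables DTD/external-entity processing and calls setNamespaceAware(true), then feeds it to a JAXB Unmarshaller through a SAXSource. The ActiveWorkflows type, its field and the class name are assumptions; the namespace is the one from the log message. Drop the setNamespaceAware(true) line and the same "unexpected element (uri:"" ...)" UnmarshalException appears.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.UnmarshalException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

public class HardenedNamespaceAwareUnmarshal {

    // Hypothetical JAXB-bound type, placed in the namespace the log message expects.
    @XmlRootElement(name = "activeWorkflows", namespace = "http://workflow.services.ewb.idbs.com")
    public static class ActiveWorkflows {
        @XmlElement(namespace = "http://workflow.services.ewb.idbs.com")
        public String name;
    }

    /**
     * SAX reader that refuses DOCTYPE declarations and external entities (XXE
     * mitigation) while still resolving namespaces. Without setNamespaceAware(true)
     * every element reaches JAXB with an empty namespace URI.
     */
    static XMLReader hardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true); // the call the report says ExternalEntityUnmarshaller lacks
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f.newSAXParser().getXMLReader();
    }

    /** Unmarshal through the hardened reader instead of JAXB's default parser. */
    static ActiveWorkflows unmarshal(String xml) throws Exception {
        Unmarshaller u = JAXBContext.newInstance(ActiveWorkflows.class).createUnmarshaller();
        SAXSource source = new SAXSource(hardenedReader(), new InputSource(new StringReader(xml)));
        return (ActiveWorkflows) u.unmarshal(source);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document in the expected namespace: unmarshals normally.
        String ok = "<activeWorkflows xmlns=\"http://workflow.services.ewb.idbs.com\">"
                  + "<name>demo</name></activeWorkflows>";
        System.out.println("name = " + unmarshal(ok).name);

        // Constructed document carrying a DOCTYPE (placeholder URI): the hardened
        // reader rejects it before any entity could be resolved.
        String withDoctype = "<!DOCTYPE a [<!ENTITY e SYSTEM \"file:///placeholder/not-read\">]>"
                           + "<activeWorkflows xmlns=\"http://workflow.services.ewb.idbs.com\">"
                           + "<name>&e;</name></activeWorkflows>";
        try {
            unmarshal(withDoctype);
        } catch (UnmarshalException ex) {
            System.out.println("rejected: " + ex.getCause());
        }
    }
}
```

The point of routing through SAXSource is that the entity-expansion settings and the namespace setting live on the same SAXParserFactory, so hardening one cannot silently break the other; a regression test that unmarshals a namespaced document with the hardened reader would catch the reported failure before it reaches production.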