I am using WildFly 8.0.0.Beta (which includes RestEasy 3.0.4). I am getting an
exception (below) for every POST request to JAX-RS web services. I've done some
digging, and found out that the exception occurs if in web.xml, I set
resteasy.document.expand.entity.references to false (the recommended value to
protect against XXE attacks). The POSTs all work fine if I set that to true
(but obviously the WS is then vulnerable).
This post is a follow-on from my post on JBOSS 4.2.3 and Resteasy 3.0.4
compatibility.
The (shortened) exception log message is:
09:16:10,504 WARN [org.jboss.resteasy.core.ExceptionHandler] (default task-7)
Failed executing POST /services/1.0/tasks/subset/summary:
org.jboss.resteasy.plugins.providers.jaxb.JAXBUnmarshalException:
javax.xml.bind.UnmarshalException: unexpected element (uri:"",
local:"taskFilterSequence"). Expected elements are
<{http://workflow.services.ewb.idbs.com}activeWorkflows>,
...
In JAXBXmlTypeProvider, the code does this if ...expand.entity.references is
false (this is around line 91):

    if (suppressExpandEntityExpansion())
    {
        unmarshaller = new ExternalEntityUnmarshaller(unmarshaller);
    }
The ExternalEntityUnmarshaller.unmarshal method appears to create an XMLReader
that is not namespace aware, i.e. no call to
SAXParserFactory.setNamespaceAware(true).
The default JAXB marshaller that is used when ...expand.entity.references is
true, IS namespace aware.
So, it would seem that the ExternalEntityUnmarshaller may need to also call
setNamespaceAware(true)? Is there a reason why it is not namespace aware? I
don't know the implications of this, so I'm just asking for now. I don't want to
have to set expand.entity.references to true because of the vulnerability
consequences.
The exception is:
09:16:10,504 WARN [org.jboss.resteasy.core.ExceptionHandler] (default task-10)
Failed executing POST /services/1.0/tasks/subset/summary:
org.jboss.resteasy.plugins.providers.jaxb.JAXBUnmarshalException:
javax.xml.bind.UnmarshalException: unexpected element (uri:"",
local:"taskFilterSequence"). Expected elements are
<{http://workflow.services.ewb.idbs.com}activeWorkflows>,
...
at
org.jboss.resteasy.plugins.providers.jaxb.JAXBXmlTypeProvider.readFrom(JAXBXmlTypeProvider.java:109)
[resteasy-jaxb-provider-3.0.4.Final.jar:]
at
org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:59)
[resteasy-jaxrs-3.0.4.Final.jar:]
at
org.jboss.resteasy.core.interception.ServerReaderInterceptorContext.readFrom(ServerReaderInterceptorContext.java:62)
[resteasy-jaxrs-3.0.4.Final.jar:]
<Snip>
Caused by: javax.xml.bind.UnmarshalException: unexpected element (uri:"",
local:"taskFilterSequence"). Expected elements are
<{http://workflow.services.ewb.idbs.com}activeWorkflows>,
...
at
com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallingContext.handleEvent(UnmarshallingContext.java:662)
at
com.sun.xml.bind.v2.runtime.unmarshaller.Loader.reportError(Loader.java:258)
at
com.sun.xml.bind.v2.runtime.unmarshaller.Loader.reportError(Loader.java:253)
at
com.sun.xml.bind.v2.runtime.unmarshaller.Loader.reportUnexpectedChildElement(Loader.java:120)
at
com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallingContext$DefaultRootLoader.childElement(UnmarshallingContext.java:1063)
<snip>
... 40 more
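The behaviour described above, reproduced outside RESTEasy as an added example (this is not RESTEasy's ExternalEntityUnmarshaller, nor the original poster's code). It builds a SAX XMLReader with DTD and external-entity processing disabled, feeds it to a plain JAXB Unmarshaller through a SAXSource, and shows that the only difference between the failing and the working case is SAXParserFactory.setNamespaceAware(true). The TaskFilterSequence class, the request body and the DOCTYPE-carrying body are constructed for the example; the element name and namespace are the ones from the exception above. It assumes a JDK 8-era classpath where javax.xml.bind is available and the JDK's built-in Xerces parser, which understands the http://apache.org/xml/features/* feature names.

```java
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.UnmarshalException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;

import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class NamespaceAwareUnmarshalDemo {

    private static final String NS = "http://workflow.services.ewb.idbs.com";

    // Hypothetical payload class; root element name and namespace taken from the exception.
    @XmlRootElement(name = "taskFilterSequence", namespace = NS)
    @XmlAccessorType(XmlAccessType.FIELD)
    public static class TaskFilterSequence {
        @XmlElement(namespace = NS)
        public String filter;
    }

    // Constructed request body: default namespace, no prefix, as a JAXB client would send it.
    static final String BODY =
        "<taskFilterSequence xmlns=\"" + NS + "\"><filter>open</filter></taskFilterSequence>";

    // Constructed body that declares a DTD; a hardened reader must reject it before unmarshalling.
    static final String BODY_WITH_DOCTYPE =
        "<!DOCTYPE taskFilterSequence [<!ENTITY demo \"open\">]>" + BODY;

    /** SAX reader with DTD/entity processing disabled; namespace awareness is the caller's choice. */
    static XMLReader hardenedReader(boolean namespaceAware) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(namespaceAware); // JAXP default is false
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return spf.newSAXParser().getXMLReader();
    }

    /** Unmarshals through the supplied reader, the way a wrapping Unmarshaller would. */
    static TaskFilterSequence unmarshal(String xml, boolean namespaceAware) throws Exception {
        Unmarshaller u = JAXBContext.newInstance(TaskFilterSequence.class).createUnmarshaller();
        SAXSource source = new SAXSource(hardenedReader(namespaceAware),
                                         new InputSource(new StringReader(xml)));
        return (TaskFilterSequence) u.unmarshal(source);
    }

    public static void main(String[] args) throws Exception {
        // 1. Non-namespace-aware reader: SAX reports uri="" for the root element, so JAXB
        //    cannot match it against {http://workflow.services.ewb.idbs.com}taskFilterSequence.
        try {
            unmarshal(BODY, false);
            System.out.println("unexpected: non-namespace-aware reader accepted the body");
        } catch (UnmarshalException e) {
            System.out.println("namespaceAware=false -> " + e.getMessage());
        }

        // 2. Same entity restrictions, namespace-aware reader: the body unmarshals correctly.
        TaskFilterSequence ok = unmarshal(BODY, true);
        System.out.println("namespaceAware=true  -> filter=" + ok.filter);

        // 3. The namespace-aware hardened reader still refuses a body that declares a DTD,
        //    so enabling namespaces does not loosen the entity protection.
        try {
            unmarshal(BODY_WITH_DOCTYPE, true);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (UnmarshalException e) {
            System.out.println("DOCTYPE rejected     -> " + e.getCause());
        }
    }
}
```

Case 1 fails with the same "unexpected element (uri:"", local:"taskFilterSequence")" message as the trace above, because JAXB's SAX connector falls back to the qualified name when the parser hands it an empty local name. Case 2 shows that turning namespace awareness on does not require re-enabling entity expansion: the disallow-doctype-decl and external-entity features are independent of setNamespaceAware, as case 3 confirms.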
_______________________________________________
Resteasy-users mailing list
Resteasy-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/resteasy-users