On Aug 29, 2013, at 4:16 PM, Osvaldo Pina <[email protected]> wrote:
> Daniel, > > I was taking a look at StaxUtils class and I saw that there is some > code to verify which factory is created for XMLInputFactory. If I'm not > wrong it does not matter the jvm configuration it will always > create Woodstoxs XMLInputFactory. The same is not true for > XMLOutputFactory and you can end up using jvm default XMLOutputFactory. > Would that be a problem? It shouldn't be, no. We can pretty much use any output factory without a problem. The main issue is with the Input factories. If woodstox isn't found for parsing, it opens up a few DOS attack vectors. Dan > > Ats, > Osvaldo Pina. > > > On Thu, Aug 29, 2013 at 11:43 AM, Osvaldo Pina <[email protected]>wrote: > >> >> Thanks Daniel! I was my fault. I have a scenario where I have to change >> the transport technology of a component solution from ejb to REST without >> changing the application classpath (with uses the manifesto classpath >> pointing to jars in the file system). In order to do that I created a >> separated classloader programmatically that loads cxf and all of its >> dependencies and I forgot to set this classloader as the context >> classloader. Now I tried this and I think that the problem is solved. >> >> >> Ats, >> Osvaldo Pina. >> >> >> >> >> On Wed, Aug 28, 2013 at 6:34 PM, Daniel Kulp <[email protected]> wrote: >> >>> >>> On Aug 28, 2013, at 5:26 PM, Osvaldo Pina <[email protected]> wrote: >>>> I'm having a trouble int StaxUtils static initializer with cxf 2.7.6 >>>> running in the IBM jkd 1.6. When it tries to create the XMLOutputFactory >>>> (XMLOutputFactory xof = XMLOutputFactory.newInstance()) a >>>> NoClassDefFoundError is thrown. The reason is that the factory property >>>> (javax.xml.stream.XMLOutputFactory) is set >>>> to com.ctc.wstx.stax.WstxOutputFactory and this class is not avaliable >>>> to javax.xml.stream.XMLOutputFactory classloader (the same applies to >>>> javax.xml.stream.XMLInputFactory). >>>> I'm thinking about changing the property to the IBM default value but I >>>> would like to know if it is safe. >>> >>> It's certainly not safe if your service accepts any sort of streaming >>> XML. You really need to use woodstox for that case. >>> >>> The question is why ISN'T it found in the class loader? It should be >>> using the context class loader which should be set properly in these >>> cases. Is there a full stack trace so we can see if there is a context >>> class loader or similar missing? >>> >>> That said, I just noticed the input factories are protected via a >>> try/catch that would trap this. The output factories are not. :-( >>> >>> >>> -- >>> Daniel Kulp >>> [email protected] - http://dankulp.com/blog >>> Talend Community Coder - http://coders.talend.com >>> >>> >> -- Daniel Kulp [email protected] - http://dankulp.com/blog Talend Community Coder - http://coders.talend.com
