How to configure org.apache.cxf.jaxrs.provider.JAXBElementProvider to prevent XXE attack

I am using CXF (JAX-RS) for REST services, with the default JAXBElementProvider for XML request/response marshalling/unmarshalling. Everything works fine... but now I want to prevent XXE attacks in XML requests, which the JAXBElementProvider does not do by default. How can I configure the XXE-prevention parameters in the following declaration?

<bean id="jaxbProvider" class="org.apache.cxf.jaxrs.provider.JAXBElementProvider"/>

<jaxrs:server id="myendpoint" address="/">
  <jaxrs:providers>
    <ref bean="jaxbProvider"/>
    <ref bean="jsonProvider"/>
  </jaxrs:providers>
  <jaxrs:extensionMappings>
    <entry key="json" value="application/json"/>
    <entry key="xml" value="application/xml"/>
  </jaxrs:extensionMappings>
</jaxrs:server>

According to the CXF security advisory CVE-2010-2076, XXE attacks should be mitigated in the CXF default configuration. This assumes you are using the latest (or a fairly recent) version of CXF, and that you did not set the org.apache.cxf.stax.allowInsecureParser system property mentioned in the XML security section of the CXF documentation. The Woodstox parser library must be on your classpath for CXF to pick it up as the default XMLInputFactory.

You can also use a custom XMLInputFactory tailored to your needs (for example, to disable other parsing features for security), as described in section 4.2 of the security advisory, but in most cases this is not necessary. For example:

<jaxrs:server id="myendpoint" address="/">
  <jaxrs:properties>
    <entry key="javax.xml.stream.XMLInputFactory">
      <bean class="your.own.ParserFactory" factory-method="createFactory"/>
    </entry>
  </jaxrs:properties>
</jaxrs:server>

Then, in your own your.own.ParserFactory#createFactory(), start with:

XMLInputFactory factory = XMLInputFactory.newInstance();

and set the properties you want on the factory, from among those supported by the Woodstox XMLInputFactory.
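As an added illustration of the factory the answer describes (not code from the answer or from CXF), here is a your.own.ParserFactory whose createFactory() disables DTD processing and external entity resolution through the standard StAX properties, adds Woodstox size limits where the parser supports them, and includes a self-check that feeds the factory a constructed document with an inline DTD. The Woodstox property-name strings and the limit values are assumptions for the Woodstox version on your classpath.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Names follow the bean declaration in the answer (your.own.ParserFactory#createFactory).
public final class ParserFactory {

    /** Builds the XMLInputFactory CXF will use: DTD processing and external entities switched off. */
    public static XMLInputFactory createFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        // Standard StAX properties, honoured by Woodstox and by the JDK's built-in parser.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
        // Woodstox-specific limits against entity blow-up and deep nesting. The property names are
        // assumed to match WstxInputProperties in the Woodstox version on the classpath; the guard
        // keeps the factory usable with a parser that does not know them.
        setIfSupported(factory, "com.ctc.wstx.maxEntityCount", 100);
        setIfSupported(factory, "com.ctc.wstx.maxEntityDepth", 2);
        setIfSupported(factory, "com.ctc.wstx.maxElementDepth", 100);
        return factory;
    }

    private static void setIfSupported(XMLInputFactory factory, String name, Object value) {
        if (factory.isPropertySupported(name)) {
            factory.setProperty(name, value);
        }
    }

    /** Sanity check: true when the factory rejects the document or leaves the DTD-declared entity unexpanded. */
    public static boolean leavesEntityUnexpanded(XMLInputFactory factory) {
        // Constructed request body: an inline DTD declaring an entity that the content then references.
        String sample = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY e \"EXPANDED\">]><r>&e;</r>";
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(sample));
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(reader.getText());
                }
            }
        } catch (XMLStreamException rejected) {
            return true; // refusing the document outright is the stricter, equally acceptable outcome
        }
        return text.indexOf("EXPANDED") < 0;
    }
}
```

Calling leavesEntityUnexpanded(createFactory()) from a unit test gives you a regression check that the hardened settings survive CXF or Woodstox upgrades.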