WebLogic XML External Entity Resolution: Is there another way besides using the XML Registry?

Question

We have an application that uses SiteMesh, and when WebLogic tries to parse the TLD files, it sees the DOCTYPE specification, containing the reference to the TLD DTD, at "http://java.sun.com/dtd/web-jsptaglibrary_1_2.dtd".

The server can not initiate outbound connections to the Internet, and so cannot retrieve the DTD, which causes the deployment of the application to fail.

I understand that this problem can be solved by setting up an XML Registry in the WebLogic console, and specifying a local file to return when trying to resolve, for instance "http://java.sun.com/dtd/web-jsptaglibrary_1_2.dtd".

Is there any other way to prevent the server from going out to the 'net to resolve the external entity reference? By packaging the DTD with the application and somehow informing the server to look for that DTD in there rather than "out there"?

Answer 1

Quick question are you trying to do this for security reasons? like to prevent any sort of XXE attack?

If so you could implement your own EntityResolver and handle how the parser does any lookup local or remote.

Examples can be found here https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=61702260

otherwise you need to set the config properties of the XMLInputFactory to get the behavior you want. particularly javax.xml.stream.isSupportingExternalEntities and javax.xml.stream.isValidating just depends if you think you need validation.

http://docs.oracle.com/javaee/5/api/javax/xml/stream/XMLInputFactory.html

Also look into the StaX parser if it makes sense for your use.