In JAXP 1.3, which is bundled with Java 1.5 and available as an option in earlier versions, you can limit all of these potential overflows by setting the SAX feature http://javax.xml.XMLConstants/feature/secure-processing (XMLConstants.FEATURE_SECURE_PROCESSING). Once you've set that feature, any excessively long constructs -- whether too many attributes in an element or too many characters in an element name -- will be treated as well-formedness errors. This means you may end up rejecting some genuinely well-formed documents; however, the default values are quite large and can handle most realistic documents.
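To see how a given JAXP implementation applies this, the following added example (not code from the original page) parses a constructed element carrying many attributes with XMLConstants.FEATURE_SECURE_PROCESSING switched on and off. The class name, helper names and attribute counts are assumptions chosen for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class SecureProcessingCheck {

    // Constructed sample: one element carrying `count` distinct attributes.
    static byte[] elementWithAttributes(int count) {
        StringBuilder xml = new StringBuilder("<root");
        for (int i = 0; i < count; i++) {
            xml.append(" a").append(i).append("=\"v\"");
        }
        return xml.append("/>").toString().getBytes(StandardCharsets.UTF_8);
    }

    // Returns null if the document was accepted, otherwise the parser's error message.
    static String parse(byte[] doc, boolean secureProcessing) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secureProcessing);
        SAXParser parser = factory.newSAXParser();
        try {
            parser.parse(new ByteArrayInputStream(doc), new DefaultHandler());
            return null;
        } catch (SAXException e) {
            // Limit violations surface here, like any other well-formedness error.
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed sizes: one ordinary document, one far beyond what real documents use.
        int[] sizes = {10, 50_000};
        for (int size : sizes) {
            byte[] doc = elementWithAttributes(size);
            for (boolean secure : new boolean[] {true, false}) {
                String error = parse(doc, secure);
                System.out.printf("attributes=%d secureProcessing=%b -> %s%n",
                        size, secure, error == null ? "accepted" : "rejected: " + error);
            }
        }
    }
}
```

The exact limits, and whether any remain in force when the feature is off, depend on the JAXP implementation and its version, so run the check against the runtime you deploy on.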
In Jersey 2.x, the check for whether this feature has been disabled is in org.glassfish.jersey.message.internal.AbstractXmlFactory:
boolean isXmlSecurityDisabled() {
    return PropertiesHelper.isProperty(config.getProperty(MessageProperties.XML_SECURITY_DISABLE));
}
So Jersey reads the MessageProperties.XML_SECURITY_DISABLE property to decide this setting.
We can therefore set it separately on the server and on the client (Boolean.TRUE disables the secure-processing feature):
Server:
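import javax.ws.rs.ApplicationPath;
import org.glassfish.jersey.message.MessageProperties;
import org.glassfish.jersey.server.ResourceConfig;

@ApplicationPath("/*")
public class XXXResourceConfig extends ResourceConfig {
    public XXXResourceConfig() {
        packages("xxx.yyy.zzz");
        // TRUE switches off Jersey's secure XML processing for this application
        property(MessageProperties.XML_SECURITY_DISABLE, Boolean.TRUE);
    }
}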
Client:
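import org.glassfish.jersey.client.ClientConfig;
import org.glassfish.jersey.message.MessageProperties;
ClientConfig config = new ClientConfig();
...
// TRUE switches off Jersey's secure XML processing for this client
config.property(MessageProperties.XML_SECURITY_DISABLE, Boolean.TRUE);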