Question

Sep 22, 2013 5:15:00 PM org.glassfish.jersey.message.internal.SecureSaxParserFactory <init>
WARNING: JAXP feature XMLConstants.FEATURE_SECURE_PROCESSING cannot be set on a SAXParserFactory. External general entity processing is disabled but other potential security related features will not be enabled.
org.xml.sax.SAXNotRecognizedException: Feature 'http://javax.xml.XMLConstants/feature/secure-processing' is not recognized.
    at org.apache.xerces.parsers.AbstractSAXParser.setFeature(Unknown Source)
    at org.apache.xerces.jaxp.SAXParserImpl.setFeatures(Unknown Source)
    at org.apache.xerces.jaxp.SAXParserImpl.<init>(Unknown Source)
    at org.apache.xerces.jaxp.SAXParserFactoryImpl.newSAXParserImpl(Unknown Source)
    at org.apache.xerces.jaxp.SAXParserFactoryImpl.setFeature(Unknown Source)
    at org.glassfish.jersey.message.internal.SecureSaxParserFactory.<init>(SecureSaxParserFactory.java:107)...

I can use

    config.getFeatures().put(FeaturesAndProperties.FEATURE_DISABLE_XML_SECURITY, true);

to avoid this warning message on Jersey 1.x, but when I migrated to Jersey 2.x, there is no such feature setting. What can I do to avoid it on Jersey 2.x? Thanks!


Solution

In JAXP 1.3, which is bundled with Java 1.5 and available as an option in earlier versions, you can limit all of these potential overflows by setting the SAX feature http://javax.xml.XMLConstants/feature/secure-processing (XMLConstants.FEATURE_SECURE_PROCESSING). Once you've set that feature, any excessively long constructs -- whether too many attributes in an element or too many characters in an element name -- will be treated as well-formedness errors. This means you may end up rejecting some genuinely well-formed documents; however, the default values are quite large and can handle most realistic documents.

In Jersey 2.x, the check for whether this feature is disabled is here, in org.glassfish.jersey.message.internal.AbstractXmlFactory:

    boolean isXmlSecurityDisabled() {
        return PropertiesHelper.isProperty(config.getProperty(MessageProperties.XML_SECURITY_DISABLE));
    }

So Jersey uses the MessageProperties.XML_SECURITY_DISABLE parameter to check this setting, and we can set it separately for server and client.

Server:

import javax.ws.rs.ApplicationPath;
import org.glassfish.jersey.message.MessageProperties;
import org.glassfish.jersey.server.ResourceConfig;

@ApplicationPath("/*")
public class XXXResourceConfig extends ResourceConfig {
    public XXXResourceConfig() {
        packages("xxx.yyy.zzz");
        // Tells SecureSaxParserFactory not to try to enable the JAXP security features
        property(MessageProperties.XML_SECURITY_DISABLE, Boolean.TRUE);
    }
}

Client:

import org.glassfish.jersey.client.ClientConfig;
import org.glassfish.jersey.message.MessageProperties;

ClientConfig config = new ClientConfig();
...
config.property(MessageProperties.XML_SECURITY_DISABLE, Boolean.TRUE);

OTHER TIPS

feuyeux's code is working fine. Thanks.

JAX-RS client code:

import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.core.MediaType;
import org.glassfish.jersey.message.MessageProperties;

Client client = ClientBuilder.newClient();
// Same property as on the server side, set directly on the Client instance
client.property(MessageProperties.XML_SECURITY_DISABLE, Boolean.TRUE);
client.target("http://localhost:7101/helloword/rest").path("dummy").request(MediaType.APPLICATION_JSON).get(String.class);

I am sure the above answer is really good in this case. But for completeness I add what I found out when investigating this. According to this post, an old version of xerces may cause the problem. It can be implicitly added by other dependencies and needs to be excluded in those cases.
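Before switching XML_SECURITY_DISABLE on (the accepted answer) or hunting for a stray xerces jar (the answer just above), it helps to know which SAX implementation the JVM actually picks and which of the features Jersey's SecureSaxParserFactory tries to set it accepts. The following stand-alone probe is an added example, not code from the answers or from Jersey; the class name SaxFeatureProbe is hypothetical, the feature URIs are the standard JAXP/SAX/Xerces ones.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;

/**
 * Hypothetical diagnostic (not part of Jersey): reports the SAXParserFactory
 * implementation on the classpath and whether it accepts the hardening features.
 * A feature reported as UNSUPPORTED here is exactly what produces the
 * SAXNotRecognizedException warning in the question.
 */
public class SaxFeatureProbe {

    // Feature URIs and the value a hardened configuration sets them to.
    static final String[] FEATURES = {
        XMLConstants.FEATURE_SECURE_PROCESSING,                     // entity/attribute limits
        "http://xml.org/sax/features/external-general-entities",    // external entities off
        "http://xml.org/sax/features/external-parameter-entities",  // external parameter entities off
        "http://apache.org/xml/features/disallow-doctype-decl"      // no DOCTYPE at all
    };
    static final boolean[] VALUES = { true, false, false, true };

    /** Returns true if the factory accepted the feature, false if it rejected it. */
    static boolean trySetFeature(SAXParserFactory factory, String feature, boolean value) {
        try {
            factory.setFeature(feature, value);
            return true;
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            return false; // old or limited parser: feature unknown or not settable
        } catch (ParserConfigurationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // The implementation class shows whether the JDK's built-in parser
        // (com.sun.org.apache.xerces.internal...) or a bundled xerces jar won.
        System.out.println("SAXParserFactory implementation: " + factory.getClass().getName());
        for (int i = 0; i < FEATURES.length; i++) {
            boolean ok = trySetFeature(factory, FEATURES[i], VALUES[i]);
            System.out.println((ok ? "supported   " : "UNSUPPORTED ") + FEATURES[i]);
        }
    }
}
```

Run it with the same classpath as the application (for example from a test in the same Maven module); if the implementation class is an external org.apache.xerces one and FEATURE_SECURE_PROCESSING is UNSUPPORTED, excluding that dependency keeps the protections instead of silencing the warning.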

Licensed under: CC-BY-SA with attribution