0

In my client of a web service which developed by cxf like this, and is supposed to be a 2-way ssl implementation I get the following exception.

java.lang.RuntimeException: Cannot create a secure XMLInputFactory

Unless I set the following environment property with value 1.

org.apache.cxf.stax.allowInsecureParser

But I guess it means that the connection will be insecure. Am I right?

A.v
  • 734
  • 5
  • 26
  • Maybe you can add a bit more information about the environment you use. However maybe this helps: http://stackoverflow.com/questions/20114945/cxf-web-service-client-cannot-create-a-secure-xmlinputfactory – soilworker Feb 03 '15 at 11:59

2 Answers2

0

That exception has nothing to do with SSL.

If your service consumes XML content and is accessed by untrusted clients (for example, it is exposed to the Internet), it will be vulnerable to an XXE attack. To mitigate, you need to have Woodstox 4.2.0 or later on the classpath. See WSTX-285.

If your service doesn't accept XML content, you should be OK.

David J. Liszewski
  • 10,959
  • 6
  • 44
  • 57
0

I added these three lines and worked fine

Properties props = System.getProperties(); props.setProperty("org.apache.cxf.stax.allowInsecureParser", "1"); props.setProperty("UseSunHttpHandler", "true");

Luis Olortegui Melendez
  • 1
  • Please present code that is more than a tiny snippet as a code block. Can you shed some light on the implications of `System.getProperties().setProperty("org.apache.cxf.stax.allowInsecureParser", "1");`? (_insecure_?!) - Welcome to Stack Exchange! – greybeard Oct 29 '16 at 00:04
  • Just before invoking the web service – Luis Olortegui Melendez Nov 12 '16 at 06:25