Prevent XXE (External Entity Processing) Attack with JAXB + Spring RESTful Web Services

Question

I know that we can prevent the XXE attack by setting the property IS_SUPPORTING_EXTERNAL_ENTITIES in the abstract class XMLInputFactory to false in JAXB.

I have also seen this stackoverflow answer.

My question here is,

How do I create a instance of XMLInputFactory and set this IS_SUPPORTING_EXTERNAL_ENTITIES property to false when the spring application loads up. And that particular XMLInputFactory instance should only be used for all the JAXB conversion for all the classes that uses javax.xml.bind.annotation package.

Nishanth · Accepted Answer · 2022-05-05T22:32:25.860

Spring uses RequestMappingHandlerAdapter which is an AbstractHandlerMethodAdapter that supports HandlerMethods with the signature -- method argument and return types, defined in @RequestMapping.

There are 7 seven HttpMessageConverters and one of them is Jaxb2RootElementHttpMessageConverter

Jaxb2RootElementHttpMessageConverter is from the spring-web package.

From 3.2.8 version of spring-web onwards Jaxb2RootElementHttpMessageConverter sets the processExternalEntities to false which in turn sets the XMLInputFactory property IS_SUPPORTING_EXTERNAL_ENTITIES to false.

Refer : Jaxb2RootElementHttpMessageConverter from Spring

Answer use

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-web</artifactId>
    <version>3.2.8.RELEASE</version>
</dependency>

your page is not opening, this is showing "This page isn’t working". is It removed ? — Hitesh, Nov 05 '19 at 12:58
updated the Jaxb2RootElementHttpMessageConverter Spring class (hyperlink) — Nishanth, May 05 '22 at 22:33

Prevent XXE (External Entity Processing) Attack with JAXB + Spring RESTful Web Services

1 Answers1

Linked