Posted to users@cxf.apache.org by Oleg Tikhonov <ol...@gmail.com> on 2013/07/23 08:55:32 UTC
java.lang.RuntimeException: Cannot create a secure XMLInputFactory
Hi,
While deploying the application I got this exception.
Having googled I found
"CXF 2.7.4 added a new check when creating XMLInputFactory to prevent the
DOS attack mentioned here
https://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc and
Woodstox 4.2.0 version support for these properties. AS 5.10 endorsed
geronimo-stax-api_1.0_spec and which result into load XMLInputFactory
implementation from JDK that is the reason for get this issue.
It is possible to use "org.apache.cxf.stax.allowInsecureParser = true" to
get rid of this issue but it is just a workaround only, not a solution.
"
Here is the code that creates a Server:
<code>
private Server getInstanceExternalControl() {
    LOG.debug(" ----- getInstanceExternalControl() ----- ");
    int incrementedPort = callbackPort + 1;
    JaxWsServerFactoryBean factory = new JaxWsServerFactoryBean();
    factory.setBindingId(Constants.WSDL_SOAP12);
    factory.setAddress(Constants.HTTP + callbackBBIPAdrress + ":" +
            incrementedPort + "/" + WS_EXTERNAL_CALLBACK.toStr());
    factory.setServiceClass(IExternalControl.class);
    factory.setServiceBean(externalControlHandler);
    factory.getFeatures().add(new WSAddressingFeature());
    return factory.create();
}
</code>
I did not try the aforementioned workaround.
BTW,
Java version is 6.
AppServer is JBoss 7.1.2
OS: Linux x64 Ubuntu.
Any suggestions/thoughts will be greatly appreciated.
Thanks in advance,
Oleg
Re: java.lang.RuntimeException: Cannot create a secure XMLInputFactory
Posted by Oleg Tikhonov <ol...@gmail.com>.
Seems to be working.
The problem was with my code:
properties.put("org.apache.cxf.stax.allowInsecureParser", new Boolean(true));
However in the StaxUtils, the checking was on String "1", i.e.
allowInsecureParser = "1".equals(s) || Boolean.parseBoolean(s);
For those who are interested in the workaround:
In init method of app:
<code>
Properties properties = System.getProperties();
properties.put("org.apache.cxf.stax.allowInsecureParser", "1");
System.setProperties(properties);
</code>
The rest remains unchanged.
Thank you Sergei.
On Tue, Jul 23, 2013 at 1:43 PM, Oleg Tikhonov <ol...@gmail.com> wrote:
> Okay,
>
> I will check it.
>
> Thanks.
>
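Added example (not part of the original posts and not CXF source): why the Boolean value was never seen while the String "1" was. It assumes the flag is read with System.getProperty, which returns null for any non-String value; only the boolean expression is the one quoted in the message above, and the class and method names are made up for the demo.

```java
import java.util.Properties;

// Added illustration; not CXF source. Only the flag expression comes from the thread.
public class InsecureParserFlagDemo {
    static final String KEY = "org.apache.cxf.stax.allowInsecureParser";

    // Expression quoted in the thread; reading `s` via System.getProperty is an assumption.
    static boolean allowInsecureParser() {
        String s = System.getProperty(KEY);
        return "1".equals(s) || Boolean.parseBoolean(s);
    }

    // Shows the raw stored object, what getProperty() hands back, and the resulting flag.
    static void report(String label) {
        Object raw = System.getProperties().get(KEY);
        System.out.printf("%-22s raw=%s (%s) getProperty=%s flag=%b%n", label, raw,
                raw == null ? "absent" : raw.getClass().getSimpleName(),
                System.getProperty(KEY), allowInsecureParser());
    }

    public static void main(String[] args) {
        Properties sys = System.getProperties();
        sys.remove(KEY);
        report("unset");

        // Properties is a Hashtable, so put() accepts any Object,
        // but getProperty() only returns values that are Strings.
        sys.put(KEY, Boolean.TRUE);
        report("put(Boolean.TRUE)");

        // setProperty() only takes Strings, so this mistake cannot happen with it.
        System.setProperty(KEY, "true");
        report("setProperty(\"true\")");
        System.setProperty(KEY, "1");
        report("setProperty(\"1\")");
        System.setProperty(KEY, "yes");
        report("setProperty(\"yes\")");

        sys.remove(KEY); // leave the secure-parser check enabled
    }
}
```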
Re: java.lang.RuntimeException: Cannot create a secure XMLInputFactory
Posted by Oleg Tikhonov <ol...@gmail.com>.
Okay,
I will check it.
Thanks.
On Tue, Jul 23, 2013 at 1:33 PM, Sergey Beryozkin <sb...@gmail.com> wrote:
> Hi,
> StaxUtils only supports it as a system property at the moment,
>
> Cheers, Sergey
Re: java.lang.RuntimeException: Cannot create a secure XMLInputFactory
Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi,
StaxUtils only supports it as a system property at the moment,
Cheers, Sergey
On 23/07/13 11:25, Oleg Tikhonov wrote:
> Hi Sergei,
> in my case it's an HTTP.
>
> I could not set the properties properly.
> Mine look like:
> <code>
> properties.put("com.ctc.wstx.maxAttributesPerElement", new Integer(500));
> properties.put("com.ctc.wstx.maxAttributeSize", new Integer(64 * 1024));
> properties.put("com.ctc.wstx.maxChildrenPerElement", new Integer(50000));
> properties.put("com.ctc.wstx.maxElementCount", new Long(Long.MAX_VALUE));
> properties.put("com.ctc.wstx.maxElementDepth", new Integer(100));
> properties.put("com.ctc.wstx.maxCharacters", new Long(Long.MAX_VALUE));
> properties.put("com.ctc.wstx.maxTextLength", new Long(128 * 1024 * 1024));
> properties.put("org.apache.cxf.stax.allowInsecureParser", new Boolean(true));
> </code>
>
> and in the previous code:
>
> <code>
> factory.setProperties(properties);
> </code>
>
> However when it comes to the StaxUtils the properties are null. Am trying
> to figure out how to set "org.apache.cxf.stax.allowInsecureParser" true.
>
>
> BR,
> Oleg
Re: java.lang.RuntimeException: Cannot create a secure XMLInputFactory
Posted by Oleg Tikhonov <ol...@gmail.com>.
Hi Sergei,
in my case it's an HTTP.
I could not set the properties properly.
Mine look like:
<code>
properties.put("com.ctc.wstx.maxAttributesPerElement", new Integer(500));
properties.put("com.ctc.wstx.maxAttributeSize", new Integer(64 * 1024));
properties.put("com.ctc.wstx.maxChildrenPerElement", new Integer(50000));
properties.put("com.ctc.wstx.maxElementCount", new Long(Long.MAX_VALUE));
properties.put("com.ctc.wstx.maxElementDepth", new Integer(100));
properties.put("com.ctc.wstx.maxCharacters", new Long(Long.MAX_VALUE));
properties.put("com.ctc.wstx.maxTextLength", new Long(128 * 1024 * 1024));
properties.put("org.apache.cxf.stax.allowInsecureParser", new Boolean(true));
</code>
and in the previous code:
<code>
factory.setProperties(properties);
</code>
However when it comes to the StaxUtils the properties are null. Am trying
to figure out how to set "org.apache.cxf.stax.allowInsecureParser" true.
BR,
Oleg
On Tue, Jul 23, 2013 at 1:05 PM, Sergey Beryozkin <sb...@gmail.com> wrote:
> Hi Oleg
>
> If you use HTTPS, and especially a 2 way TLS, then it will help, though
> even in these cases a secure parser can help a lot with controlling the
> large payloads.
> Cheers, Sergey
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>
> Blog: http://sberyozkin.blogspot.com
>
Re: java.lang.RuntimeException: Cannot create a secure XMLInputFactory
Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi Oleg
If you use HTTPS, and especially a 2 way TLS, then it will help, though
even in these cases a secure parser can help a lot with controlling the
large payloads.
Cheers, Sergey
On 23/07/13 07:55, Oleg Tikhonov wrote:
> Hi,
> While deploying the application I got this exception.
>
> Having googled I found
> "CXF 2.7.4 added a new check when creating XMLInputFactory to prevent the
> DOS attack mentioned here
> https://cxf.apache.org/security-advisories.data/CVE-2013-2160.txt.asc and
> Woodstox 4.2.0 version support for these properties. AS 5.10 endorsed
> geronimo-stax-api_1.0_spec and which result into load XMLInputFactory
> implementation from JDK that is the reason for get this issue.
>
> It is possible to use "org.apache.cxf.stax.allowInsecureParser = true" to
> get rid of this issue but it is just a workaround only, not a solution.
> "
>
> Here is the code that creates a Server:
> <code>
> private Server getInstanceExternalControl() {
> LOG.debug(" ----- getInstanceExternalControl() ----- ");
> int incrementedPort = callbackPort + 1;
> JaxWsServerFactoryBean factory = new JaxWsServerFactoryBean();
> factory.setBindingId(Constants.WSDL_SOAP12);
> factory.setAddress(Constants.HTTP + callbackBBIPAdrress + ":" +
> incrementedPort + "/" + WS_EXTERNAL_CALLBACK.toStr());
> factory.setServiceClass(IExternalControl.class);
> factory.setServiceBean(externalControlHandler);
> factory.getFeatures().add(new WSAddressingFeature());
>
> return factory.create();
> }
> </code>
>
> I did not try the aforementioned workaround.
>
> BTW,
> Java version is 6.
> AppServer is JBoss 7.1.2
> OS: Linux x64 Ubuntu.
>
> Any suggestions/thoughts will be greatly appreciated.
>
> Thanks in advance,
> Oleg
>
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
Blog: http://sberyozkin.blogspot.com
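Added example (not from the thread or from CXF): a startup check that reports which XMLInputFactory implementation the application actually gets and whether it accepts the Woodstox limit properties listed in the thread, which is the condition the quoted explanation ties the exception to. The class name StaxFactoryCheck is hypothetical, and treating these seven properties as the ones a secure factory needs is an assumption based on the listing above.

```java
import java.security.CodeSource;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.stream.XMLInputFactory;

// Added diagnostic; not CXF code. Property names are the ones posted in this thread.
public class StaxFactoryCheck {
    static final String[] LIMITS = {
        "com.ctc.wstx.maxAttributesPerElement",
        "com.ctc.wstx.maxAttributeSize",
        "com.ctc.wstx.maxChildrenPerElement",
        "com.ctc.wstx.maxElementCount",
        "com.ctc.wstx.maxElementDepth",
        "com.ctc.wstx.maxCharacters",
        "com.ctc.wstx.maxTextLength",
    };

    // Ask the factory, property by property, whether it recognises each limit.
    static Map<String, Boolean> supportedLimits(XMLInputFactory f) {
        Map<String, Boolean> out = new LinkedHashMap<String, Boolean>();
        for (String name : LIMITS) {
            out.put(name, f.isPropertySupported(name));
        }
        return out;
    }

    // Where the implementation class was loaded from (jar path, or the JDK itself).
    static String origin(Class<?> c) {
        CodeSource src = c.getProtectionDomain().getCodeSource();
        return src == null ? "JDK / bootstrap class loader" : String.valueOf(src.getLocation());
    }

    public static void main(String[] args) {
        // Same lookup an application gets by default: endorsed/API jars and the
        // context class loader decide which implementation is returned here.
        XMLInputFactory f = XMLInputFactory.newInstance();
        System.out.println("implementation: " + f.getClass().getName());
        System.out.println("loaded from:    " + origin(f.getClass()));

        boolean all = true;
        for (Map.Entry<String, Boolean> e : supportedLimits(f).entrySet()) {
            System.out.println((e.getValue() ? "  supported   " : "  unsupported ") + e.getKey());
            all &= e.getValue();
        }
        System.out.println(all
                ? "all limits from the thread are supported by this factory"
                : "this factory does not accept the limits from the thread");
    }
}
```

Run it from inside the deployed application (for example its init method) rather than from a standalone JVM, because the container's class loading decides which factory is returned.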