Posted to users@cxf.apache.org by Osvaldo Pina <os...@gmail.com> on 2013/08/28 23:26:23 UTC

Jaxrs StaxUtils problems

   Hi,

   I'm having trouble in the StaxUtils static initializer with cxf 2.7.6
running in the IBM jdk 1.6. When it tries to create the XMLOutputFactory
(XMLOutputFactory xof = XMLOutputFactory.newInstance()) a
NoClassDefFoundError is thrown. The reason is that the factory property
(javax.xml.stream.XMLOutputFactory) is set
to com.ctc.wstx.stax.WstxOutputFactory and this class is not available
to the javax.xml.stream.XMLOutputFactory classloader (the same applies to
javax.xml.stream.XMLInputFactory).
  I'm thinking about changing the property to the IBM default value but I
would like to know if it is safe.


  Ats,
  Osvaldo Pina.

Re: Jaxrs StaxUtils problems

Posted by Daniel Kulp <dk...@apache.org>.
On Aug 29, 2013, at 4:16 PM, Osvaldo Pina <os...@gmail.com> wrote:

>     Daniel,
> 
>     I was taking a look at the StaxUtils class and I saw that there is some
> code to verify which factory is created for XMLInputFactory. If I'm not
> wrong, no matter the jvm configuration, it will always
> create Woodstox's XMLInputFactory. The same is not true for
> XMLOutputFactory and you can end up using the jvm default XMLOutputFactory.
> Would that be a problem?

It shouldn't be, no.   We can pretty much use any output factory without a problem.  The main issue is with the Input factories.  If woodstox isn't found for parsing, it opens up a few DOS attack vectors. 

Dan


> 
>    Ats,
>    Osvaldo Pina.
> 
> 
> On Thu, Aug 29, 2013 at 11:43 AM, Osvaldo Pina <os...@gmail.com>wrote:
> 
>> 
>> Thanks Daniel! It was my fault. I have a scenario where I have to change
>> the transport technology of a component solution from ejb to REST without
>> changing the application classpath (which uses the manifest classpath
>> pointing to jars in the file system). In order to do that I created a
>> separate classloader programmatically that loads cxf and all of its
>> dependencies and I forgot to set this classloader as the context
>> classloader. Now I tried this and I think that the problem is solved.
>> 
>> 
>>    Ats,
>>    Osvaldo Pina.
>> 
>> 
>> 
>> 
>> On Wed, Aug 28, 2013 at 6:34 PM, Daniel Kulp <dk...@apache.org> wrote:
>> 
>>> 
>>> On Aug 28, 2013, at 5:26 PM, Osvaldo Pina <os...@gmail.com> wrote:
>>>>  I'm having trouble in the StaxUtils static initializer with cxf 2.7.6
>>>> running in the IBM jdk 1.6. When it tries to create the XMLOutputFactory
>>>> (XMLOutputFactory xof = XMLOutputFactory.newInstance()) a
>>>> NoClassDefFoundError is thrown. The reason is that the factory property
>>>> (javax.xml.stream.XMLOutputFactory) is set
>>>> to com.ctc.wstx.stax.WstxOutputFactory and this class is not available
>>>> to the javax.xml.stream.XMLOutputFactory classloader (the same applies to
>>>> javax.xml.stream.XMLInputFactory).
>>>> I'm thinking about changing the property to the IBM default value but I
>>>> would like to know if it is safe.
>>> 
>>> It's certainly not safe if your service accepts any sort of streaming
>>> XML.   You really need to use woodstox for that case.
>>> 
>>> The question is why ISN'T it found in the class loader?  It should be
>>> using the context class loader which should be set properly in these
>>> cases.  Is there a full stack trace so we can see if there is a context
>>> class loader or similar missing?
>>> 
>>> That said, I just noticed the input factories are protected via a
>>> try/catch that would trap this.   The output factories are not.  :-(
>>> 
>>> 
>>> --
>>> Daniel Kulp
>>> dkulp@apache.org - http://dankulp.com/blog
>>> Talend Community Coder - http://coders.talend.com
>>> 
>>> 
>> 

-- 
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
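Dan's point above is that the input side is where the risk lives: whichever StAX implementation ends up being resolved, untrusted XML should reach it only through a factory that refuses DTDs and external entities. The following is an added example written for this thread, not CXF's own StaxUtils code. It assumes the standard StAX properties (honoured by every implementation) plus the Woodstox-specific limit property names that CXF's StaxUtils sets; the numeric limits are assumed values, and the limits are applied only when the resolved factory reports them as supported.

```java
import java.io.StringReader;

import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/**
 * Added example (not CXF code): build a StAX input factory, check which
 * implementation the runtime resolved, and harden it before it parses
 * untrusted XML. Compiles on Java 6.
 */
public class HardenedStaxInput {

    // setProperty() throws IllegalArgumentException for unknown names, so
    // implementation-specific limits are applied only when supported.
    private static void setIfSupported(XMLInputFactory f, String name, Object value) {
        if (f.isPropertySupported(name)) {
            f.setProperty(name, value);
        }
    }

    /** Factory that refuses external entities and DTDs regardless of implementation. */
    public static XMLInputFactory newHardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // Standard StAX properties: no external entity resolution, no DTD processing
        // (the internal subset is where entity-expansion documents are declared).
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // Woodstox-only size limits (property names as used by CXF's StaxUtils);
        // the values below are assumptions, tune them for the service.
        setIfSupported(f, "com.ctc.wstx.maxElementDepth", Integer.valueOf(100));
        setIfSupported(f, "com.ctc.wstx.maxAttributesPerElement", Integer.valueOf(500));
        setIfSupported(f, "com.ctc.wstx.maxChildrenPerElement", Integer.valueOf(50000));
        setIfSupported(f, "com.ctc.wstx.maxCharacters", Long.valueOf(100000000L));
        setIfSupported(f, "com.ctc.wstx.maxTextLength", Integer.valueOf(100000000));
        return f;
    }

    /** True when the runtime resolved Woodstox, the implementation CXF wants for parsing. */
    public static boolean isWoodstox(XMLInputFactory f) {
        return f.getClass().getName().startsWith("com.ctc.wstx.");
    }

    /** Parse and count start elements; throws when the factory refuses the document. */
    public static int countElements(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        int count = 0;
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT) {
                    count++;
                }
            }
        } finally {
            r.close();
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        XMLInputFactory f = newHardenedFactory();
        System.out.println("implementation: " + f.getClass().getName()
            + (isWoodstox(f) ? " (Woodstox, size limits applied)"
                             : " (not Woodstox: only the standard StAX properties apply)"));

        // Constructed input: a tiny internal-subset entity declaration of the kind
        // SUPPORT_DTD=false exists to stop; the hardened reader must not expand it.
        String dtdDoc = "<!DOCTYPE a [<!ENTITY e0 \"x\"><!ENTITY e1 \"&e0;&e0;\">]><a>&e1;</a>";
        try {
            countElements(f, dtdDoc);
            System.out.println("unexpected: DTD document was accepted");
        } catch (XMLStreamException e) {
            System.out.println("rejected as intended: " + e.getMessage());
        }

        // Ordinary input still parses.
        System.out.println("plain document elements: " + countElements(f, "<a><b/><c/></a>"));
    }
}
```

Logging the resolved implementation class at startup is the cheapest check for the situation in this thread: if it is not a `com.ctc.wstx.` class, the service is running without the Woodstox limits and only the two standard properties stand between it and oversized or entity-expanding input.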


Re: Jaxrs StaxUtils problems

Posted by Osvaldo Pina <os...@gmail.com>.
     Daniel,

     I was taking a look at the StaxUtils class and I saw that there is some
code to verify which factory is created for XMLInputFactory. If I'm not
wrong, no matter the jvm configuration, it will always
create Woodstox's XMLInputFactory. The same is not true for
XMLOutputFactory and you can end up using the jvm default XMLOutputFactory.
Would that be a problem?

    Ats,
    Osvaldo Pina.


On Thu, Aug 29, 2013 at 11:43 AM, Osvaldo Pina <os...@gmail.com>wrote:

>
> Thanks Daniel! It was my fault. I have a scenario where I have to change
> the transport technology of a component solution from ejb to REST without
> changing the application classpath (which uses the manifest classpath
> pointing to jars in the file system). In order to do that I created a
> separate classloader programmatically that loads cxf and all of its
> dependencies and I forgot to set this classloader as the context
> classloader. Now I tried this and I think that the problem is solved.
>
>
>     Ats,
>     Osvaldo Pina.
>
>
>
>
> On Wed, Aug 28, 2013 at 6:34 PM, Daniel Kulp <dk...@apache.org> wrote:
>
>>
>> On Aug 28, 2013, at 5:26 PM, Osvaldo Pina <os...@gmail.com> wrote:
>> >   I'm having trouble in the StaxUtils static initializer with cxf 2.7.6
>> > running in the IBM jdk 1.6. When it tries to create the XMLOutputFactory
>> > (XMLOutputFactory xof = XMLOutputFactory.newInstance()) a
>> > NoClassDefFoundError is thrown. The reason is that the factory property
>> > (javax.xml.stream.XMLOutputFactory) is set
>> > to com.ctc.wstx.stax.WstxOutputFactory and this class is not available
>> > to the javax.xml.stream.XMLOutputFactory classloader (the same applies to
>> > javax.xml.stream.XMLInputFactory).
>> >  I'm thinking about changing the property to the IBM default value but I
>> > would like to know if it is safe.
>>
>> It's certainly not safe if your service accepts any sort of streaming
>> XML.   You really need to use woodstox for that case.
>>
>> The question is why ISN'T it found in the class loader?  It should be
>> using the context class loader which should be set properly in these
>>  cases.  Is there a full stack trace so we can see if there is a context
>> class loader or similar missing?
>>
>> That said, I just noticed the input factories are protected via a
>> try/catch that would trap this.   The output factories are not.  :-(
>>
>>
>> --
>> Daniel Kulp
>> dkulp@apache.org - http://dankulp.com/blog
>> Talend Community Coder - http://coders.talend.com
>>
>>
>

Re: Jaxrs StaxUtils problems

Posted by Osvaldo Pina <os...@gmail.com>.
Thanks Daniel! It was my fault. I have a scenario where I have to change the
transport technology of a component solution from ejb to REST without
changing the application classpath (which uses the manifest classpath
pointing to jars in the file system). In order to do that I created a
separate classloader programmatically that loads cxf and all of its
dependencies and I forgot to set this classloader as the context
classloader. Now I tried this and I think that the problem is solved.


    Ats,
    Osvaldo Pina.




On Wed, Aug 28, 2013 at 6:34 PM, Daniel Kulp <dk...@apache.org> wrote:

>
> On Aug 28, 2013, at 5:26 PM, Osvaldo Pina <os...@gmail.com> wrote:
> >   I'm having trouble in the StaxUtils static initializer with cxf 2.7.6
> > running in the IBM jdk 1.6. When it tries to create the XMLOutputFactory
> > (XMLOutputFactory xof = XMLOutputFactory.newInstance()) a
> > NoClassDefFoundError is thrown. The reason is that the factory property
> > (javax.xml.stream.XMLOutputFactory) is set
> > to com.ctc.wstx.stax.WstxOutputFactory and this class is not available
> > to the javax.xml.stream.XMLOutputFactory classloader (the same applies to
> > javax.xml.stream.XMLInputFactory).
> >  I'm thinking about changing the property to the IBM default value but I
> > would like to know if it is safe.
>
> It's certainly not safe if your service accepts any sort of streaming XML.
>   You really need to use woodstox for that case.
>
> The question is why ISN'T it found in the class loader?  It should be
> using the context class loader which should be set properly in these
>  cases.  Is there a full stack trace so we can see if there is a context
> class loader or similar missing?
>
> That said, I just noticed the input factories are protected via a
> try/catch that would trap this.   The output factories are not.  :-(
>
>
> --
> Daniel Kulp
> dkulp@apache.org - http://dankulp.com/blog
> Talend Community Coder - http://coders.talend.com
>
>
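The fix Osvaldo describes, loading CXF and its dependencies through a separately created classloader and making that loader the thread context classloader before CXF bootstraps, is shown below as an added example written for this thread; it is not code from Osvaldo's component or from CXF. The jar directory, the `fromJarDirectory` and `withContextClassLoader` helpers, and the `resolveFactories` check are all assumptions of this example. The JDK's StAX factory lookup (`XMLInputFactory.newInstance()` / `XMLOutputFactory.newInstance()`) resolves the implementation class named by the `javax.xml.stream.*` system property through the context classloader, which is why the isolated jars must be visible there.

```java
import java.io.File;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.Callable;

import javax.xml.stream.FactoryConfigurationError;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLOutputFactory;

/**
 * Added example (not CXF or Osvaldo's code): isolate CXF + Woodstox in their
 * own classloader and expose it as the context classloader while CXF
 * bootstraps, restoring the previous loader afterwards. Compiles on Java 6.
 */
public class IsolatedCxfLoader {

    /** Classloader over every .jar in a directory (assumed layout for this example). */
    public static URLClassLoader fromJarDirectory(File dir, ClassLoader parent) throws Exception {
        List<URL> urls = new ArrayList<URL>();
        File[] entries = dir.listFiles();
        if (entries != null) {
            for (File jar : entries) {
                if (jar.isFile() && jar.getName().endsWith(".jar")) {
                    urls.add(jar.toURI().toURL());
                }
            }
        }
        return new URLClassLoader(urls.toArray(new URL[urls.size()]), parent);
    }

    /** Run work with the given loader as context classloader; always restore the previous one. */
    public static <T> T withContextClassLoader(ClassLoader loader, Callable<T> work) throws Exception {
        Thread current = Thread.currentThread();
        ClassLoader previous = current.getContextClassLoader();
        current.setContextClassLoader(loader);
        try {
            return work.call();
        } finally {
            current.setContextClassLoader(previous);
        }
    }

    /** The two lookups StaxUtils' static initializer performs; returns the resolved class names. */
    public static String[] resolveFactories() {
        return new String[] {
            XMLInputFactory.newInstance().getClass().getName(),
            XMLOutputFactory.newInstance().getClass().getName(),
        };
    }

    public static void main(String[] args) throws Exception {
        // Assumed location of the cxf + woodstox jars; override with the first argument.
        File cxfLib = new File(args.length > 0 ? args[0] : "lib/cxf");
        final URLClassLoader cxfLoader = fromJarDirectory(cxfLib, IsolatedCxfLoader.class.getClassLoader());

        // Without the context classloader set, a system property naming
        // com.ctc.wstx.stax.WstxOutputFactory cannot be resolved from the
        // application classpath; the lookup fails with a linkage or
        // configuration error, which is the symptom reported in the thread.
        try {
            String[] plain = resolveFactories();
            System.out.println("plain lookup: " + plain[0] + ", " + plain[1]);
        } catch (FactoryConfigurationError e) {
            System.out.println("plain lookup failed: " + e.getMessage());
        } catch (LinkageError e) {
            System.out.println("plain lookup failed: " + e);
        }

        // With the isolated loader as context classloader the same lookups see Woodstox.
        // Any CXF bootstrap (Bus creation, JAX-RS server start) belongs inside this scope.
        String[] isolated = withContextClassLoader(cxfLoader, new Callable<String[]>() {
            public String[] call() {
                return resolveFactories();
            }
        });
        System.out.println("XMLInputFactory:  " + isolated[0]);
        System.out.println("XMLOutputFactory: " + isolated[1]);
    }
}
```

Restoring the previous context classloader in `finally` matters when the bootstrap runs on a pooled or container-managed thread: leaving the isolated loader set on a shared thread leaks it into unrelated work and can cause the opposite class-visibility problems later.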

Re: Jaxrs StaxUtils problems

Posted by Christian Schneider <ch...@die-schneider.net>.
Hi Dan,

we were also experiencing a problem with StaxUtils in 2.7.7-SNAPSHOT in 
OSGi. In our case the StaxUtils class was not found from WsdlManagerImpl 
I think.

So I think at least in our case the problem is that the wrong 
classloader is used to load extensions. I think the classloader of the 
bundle implementing the extension should be used. I think I saw this 
problem on CXF 3 SNAPSHOT some time before.

Not sure if this is the same problem that Osvaldo reported.

Christian

On 28.08.2013 23:34, Daniel Kulp wrote:
> On Aug 28, 2013, at 5:26 PM, Osvaldo Pina <os...@gmail.com> wrote:
>>    I'm having trouble in the StaxUtils static initializer with cxf 2.7.6
>> running in the IBM jdk 1.6. When it tries to create the XMLOutputFactory
>> (XMLOutputFactory xof = XMLOutputFactory.newInstance()) a
>> NoClassDefFoundError is thrown. The reason is that the factory property
>> (javax.xml.stream.XMLOutputFactory) is set
>> to com.ctc.wstx.stax.WstxOutputFactory and this class is not available
>> to the javax.xml.stream.XMLOutputFactory classloader (the same applies to
>> javax.xml.stream.XMLInputFactory).
>>   I'm thinking about changing the property to the IBM default value but I
>> would like to know if it is safe.
> It's certainly not safe if your service accepts any sort of streaming XML.   You really need to use woodstox for that case.
>
> The question is why ISN'T it found in the class loader?  It should be using the context class loader which should be set properly in these  cases.  Is there a full stack trace so we can see if there is a context class loader or similar missing?
>
> That said, I just noticed the input factories are protected via a try/catch that would trap this.   The output factories are not.  :-(
>
>


-- 
Christian Schneider
http://www.liquid-reality.de

Open Source Architect
http://www.talend.com


Re: Jaxrs StaxUtils problems

Posted by Daniel Kulp <dk...@apache.org>.
On Aug 28, 2013, at 5:26 PM, Osvaldo Pina <os...@gmail.com> wrote:
>   I'm having trouble in the StaxUtils static initializer with cxf 2.7.6
> running in the IBM jdk 1.6. When it tries to create the XMLOutputFactory
> (XMLOutputFactory xof = XMLOutputFactory.newInstance()) a
> NoClassDefFoundError is thrown. The reason is that the factory property
> (javax.xml.stream.XMLOutputFactory) is set
> to com.ctc.wstx.stax.WstxOutputFactory and this class is not available
> to the javax.xml.stream.XMLOutputFactory classloader (the same applies to
> javax.xml.stream.XMLInputFactory).
>  I'm thinking about changing the property to the IBM default value but I
> would like to know if it is safe.

It's certainly not safe if your service accepts any sort of streaming XML.   You really need to use woodstox for that case.

The question is why ISN'T it found in the class loader?  It should be using the context class loader which should be set properly in these  cases.  Is there a full stack trace so we can see if there is a context class loader or similar missing?

That said, I just noticed the input factories are protected via a try/catch that would trap this.   The output factories are not.  :-(


-- 
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com