2 Replies Latest reply on Oct 21, 2013 10:53 AM by darrenjones

    resteasy.document.expand.entity.references=false gives javax.xml.bind.UnmarshalException: unexpected element for POSTs

    darrenjones

      I am using WildFly 8.0.0.Beta (which includes RestEasy 3.0.4). I am getting an exception (below) for every POST request to JAX-RS web services. I've done some digging, and found out that the exception occurs if in web.xml, I set resteasy.document.expand.entity.references to false (the recommended value to protect against XXE attacks). The POSTs all work fine if I set that to true (but obviously the WS is then vulnerable).


      The (shortened) exception log message is:


      09:16:10,504 WARN  [org.jboss.resteasy.core.ExceptionHandler] (default task-7)  Failed executing POST /services/1.0/tasks/subset/summary: org.jboss.resteasy.plugins.providers.jaxb.JAXBUnmarshalException: javax.xml.bind.UnmarshalException: unexpected element (uri:"", local:"taskFilterSequence"). Expected elements are <{http://workflow.services.ewb.idbs.com}activeWorkflows>, ...


      In JAXBXmlTypeProvider, the code does this if ...expand.entity.references is false (this is around line 91)


               if (suppressExpandEntityExpansion())
               {
                  unmarshaller = new ExternalEntityUnmarshaller(unmarshaller);
               }


      The ExternalEntityUnmarshaller.unmarshal method appears to create an XMLReader that is not namespace aware, i.e. no call to SAXParserFactory.setNamespaceAware(true).


      The default JAXB marshaller that is used when ...expand.entity.references is true, IS namespace aware.


      So, it would seem that the ExternalEntityUnmarshaller may need to also setNamespaceAware(true)? Is there a reason why it is not namespace aware? I don't know the implications of this, so just asking for now. I don't want to have to set expand.entity.references to true because of the vulnerability consequences.


      The full exception is:


      09:16:10,504 WARN  [org.jboss.resteasy.core.ExceptionHandler] (default task-10) Failed executing POST /services/1.0/tasks/subset/summary: org.jboss.resteasy.plugins.providers.jaxb.JAXBUnmarshalException: javax.xml.bind.UnmarshalException: unexpected element (uri:"", local:"taskFilterSequence"). Expected elements are <{http://workflow.services.ewb.idbs.com}activeWorkflows>, ...

        at org.jboss.resteasy.plugins.providers.jaxb.JAXBXmlTypeProvider.readFrom(JAXBXmlTypeProvider.java:109) [resteasy-jaxb-provider-3.0.4.Final.jar:]

        at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:59) [resteasy-jaxrs-3.0.4.Final.jar:]

        at org.jboss.resteasy.core.interception.ServerReaderInterceptorContext.readFrom(ServerReaderInterceptorContext.java:62) [resteasy-jaxrs-3.0.4.Final.jar:]

        at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:51) [resteasy-jaxrs-3.0.4.Final.jar:]

        at org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor.aroundReadFrom(DigitalVerificationInterceptor.java:32) [resteasy-crypto-3.0.4.Final.jar:]

        at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53) [resteasy-jaxrs-3.0.4.Final.jar:]

        at org.jboss.resteasy.plugins.interceptors.encoding.GZIPDecodingInterceptor.aroundReadFrom(GZIPDecodingInterceptor.java:59) [resteasy-jaxrs-3.0.4.Final.jar:]

        at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53) [resteasy-jaxrs-3.0.4.Final.jar:]

        at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:150) [resteasy-jaxrs-3.0.4.Final.jar:]

        at org.jboss.resteasy.core.MethodInjectorImpl.injectArguments(MethodInjectorImpl.java:88) [resteasy-jaxrs-3.0.4.Final.jar:]

        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:111) [resteasy-jaxrs-3.0.4.Final.jar:]

        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280) [resteasy-jaxrs-3.0.4.Final.jar:]

        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234) [resteasy-jaxrs-3.0.4.Final.jar:]

        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221) [resteasy-jaxrs-3.0.4.Final.jar:]

        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.4.Final.jar:]

        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [resteasy-jaxrs-3.0.4.Final.jar:]

        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.4.Final.jar:]

        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.4.Final.jar:]

        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.4.Final.jar:]

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Beta1.jar:1.0.0.Beta1]

        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:87) [undertow-servlet-1.0.0.Beta17.jar:1.0.0.Beta17]

        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:59) [undertow-servlet-1.0.0.Beta17.jar:1.0.0.Beta17]

        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.0.Beta17.jar:1.0.0.Beta17]

        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:81)

        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Beta17.jar:1.0.0.Beta17]

        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) [undertow-servlet-1.0.0.Beta17.jar:1.0.0.Beta17]

        at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:52) [undertow-core-1.0.0.Beta17.jar:1.0.0.Beta17]

        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.0.Beta17.jar:1.0.0.Beta17]

        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:65) [undertow-servlet-1.0.0.Beta17.jar:1.0.0.Beta17]

        at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:70) [undertow-core-1.0.0.Beta17.jar:1.0.0.Beta17]

        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Beta17.jar:1.0.0.Beta17]

        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Beta17.jar:1.0.0.Beta17]

        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:218) [undertow-servlet-1.0.0.Beta17.jar:1.0.0.Beta17]

        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:205) [undertow-servlet-1.0.0.Beta17.jar:1.0.0.Beta17]

        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:69) [undertow-servlet-1.0.0.Beta17.jar:1.0.0.Beta17]

        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:134) [undertow-servlet-1.0.0.Beta17.jar:1.0.0.Beta17]

        at io.undertow.server.HttpHandlers.executeRootHandler(HttpHandlers.java:36) [undertow-core-1.0.0.Beta17.jar:1.0.0.Beta17]

        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:619) [undertow-core-1.0.0.Beta17.jar:1.0.0.Beta17]

        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_21]

        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_21]

        at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_21]

      Caused by: javax.xml.bind.UnmarshalException: unexpected element (uri:"", local:"taskFilterSequence"). Expected elements are <{http://workflow.services.ewb.idbs.com}activeWorkflows>, ...

        at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallingContext.handleEvent(UnmarshallingContext.java:662)

        at com.sun.xml.bind.v2.runtime.unmarshaller.Loader.reportError(Loader.java:258)

        at com.sun.xml.bind.v2.runtime.unmarshaller.Loader.reportError(Loader.java:253)

        at com.sun.xml.bind.v2.runtime.unmarshaller.Loader.reportUnexpectedChildElement(Loader.java:120)

        at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallingContext$DefaultRootLoader.childElement(UnmarshallingContext.java:1063)

        at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallingContext._startElement(UnmarshallingContext.java:498)

        at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallingContext.startElement(UnmarshallingContext.java:480)

        at com.sun.xml.bind.v2.runtime.unmarshaller.SAXConnector.startElement(SAXConnector.java:150)

        at org.apache.xerces.parsers.AbstractSAXParser.startElement(Unknown Source) [xercesImpl-2.11.0.jar:]

        at org.apache.xerces.impl.dtd.XMLDTDValidator.startElement(Unknown Source) [xercesImpl-2.11.0.jar:]

        at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanStartElement(Unknown Source) [xercesImpl-2.11.0.jar:]

        at org.apache.xerces.impl.XMLDocumentScannerImpl$ContentDispatcher.scanRootElementHook(Unknown Source) [xercesImpl-2.11.0.jar:]

        at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source) [xercesImpl-2.11.0.jar:]

        at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source) [xercesImpl-2.11.0.jar:]

        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) [xercesImpl-2.11.0.jar:]

        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source) [xercesImpl-2.11.0.jar:]

        at org.apache.xerces.parsers.XMLParser.parse(Unknown Source) [xercesImpl-2.11.0.jar:]

        at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source) [xercesImpl-2.11.0.jar:]

        at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source) [xercesImpl-2.11.0.jar:]

        at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal0(UnmarshallerImpl.java:218)

        at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:190)

        at javax.xml.bind.helpers.AbstractUnmarshallerImpl.unmarshal(AbstractUnmarshallerImpl.java:119) [jboss-jaxb-api_2.2_spec-1.0.4.Final.jar:1.0.4.Final]

        at javax.xml.bind.helpers.AbstractUnmarshallerImpl.unmarshal(AbstractUnmarshallerImpl.java:102) [jboss-jaxb-api_2.2_spec-1.0.4.Final.jar:1.0.4.Final]

        at org.jboss.resteasy.plugins.providers.jaxb.ExternalEntityUnmarshaller.unmarshal(ExternalEntityUnmarshaller.java:158) [resteasy-jaxb-provider-3.0.4.Final.jar:]

        at org.jboss.resteasy.plugins.providers.jaxb.ExternalEntityUnmarshaller.unmarshal(ExternalEntityUnmarshaller.java:134) [resteasy-jaxb-provider-3.0.4.Final.jar:]

        at org.jboss.resteasy.plugins.providers.jaxb.JAXBXmlTypeProvider.readFrom(JAXBXmlTypeProvider.java:95) [resteasy-jaxb-provider-3.0.4.Final.jar:]

        ... 40 more
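The behaviour described in the post, reproduced outside RESTEasy as an added example (this is not code from the post or from the RESTEasy project): JAXB is fed through a caller-supplied SAX XMLReader wrapped in a SAXSource, which is the same mechanism ExternalEntityUnmarshaller uses to replace JAXB's default parser. The reader has DOCTYPE and external entities switched off, and namespace awareness is the one setting under test. With namespaceAware=false the root element reaches JAXB with an empty namespace URI and is rejected as "unexpected element"; with namespaceAware=true the same body is accepted, and a constructed XXE probe is still refused. The TaskFilterSequence class, its namespace URI and both request bodies are hypothetical stand-ins for the poster's types; the code uses the javax.xml.bind API seen in the stack trace and the Xerces feature names understood by the JDK's built-in SAX parser.

```java
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;

import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

/**
 * Added example (not RESTEasy code): JAXB unmarshalling through a SAX reader that is
 * hardened against XXE, run once namespace-aware and once not.
 */
public class HardenedNamespaceAwareUnmarshal {

    // Hypothetical JAXB type standing in for the poster's taskFilterSequence;
    // the namespace URI is made up for this example.
    @XmlRootElement(name = "taskFilterSequence", namespace = "http://example.invalid/workflow")
    public static class TaskFilterSequence {
        public String filter;
    }

    // Constructed request body: a namespaced root element, as in the post.
    static final String GOOD_BODY =
        "<?xml version=\"1.0\"?>"
      + "<taskFilterSequence xmlns=\"http://example.invalid/workflow\">"
      + "<filter>all</filter></taskFilterSequence>";

    // Constructed hostile body: an external general entity, the classic XXE probe.
    static final String XXE_BODY =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE taskFilterSequence [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>"
      + "<taskFilterSequence xmlns=\"http://example.invalid/workflow\">"
      + "<filter>&xxe;</filter></taskFilterSequence>";

    /** Reader that refuses DOCTYPE and external entities; namespace awareness is the parameter. */
    static XMLReader hardenedReader(boolean namespaceAware) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(namespaceAware);   // the setting the post is about
        spf.setXIncludeAware(false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting any DOCTYPE removes XXE, entity-expansion bombs and external DTDs at once.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers where the feature above is unsupported or later relaxed.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        // Last line of defence: if an entity were ever resolved, hand back an empty document.
        reader.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return reader;
    }

    static TaskFilterSequence unmarshal(String xml, boolean namespaceAware) throws Exception {
        Unmarshaller u = JAXBContext.newInstance(TaskFilterSequence.class).createUnmarshaller();
        // Handing JAXB our own XMLReader via SAXSource replaces its default (namespace-aware)
        // parser, which is what ExternalEntityUnmarshaller does in the poster's stack trace.
        SAXSource source = new SAXSource(hardenedReader(namespaceAware),
                                         new InputSource(new StringReader(xml)));
        return (TaskFilterSequence) u.unmarshal(source);
    }

    public static void main(String[] args) throws Exception {
        // Case 1: namespace-aware and hardened: the body is accepted.
        System.out.println("namespaceAware=true  : filter=" + unmarshal(GOOD_BODY, true).filter);

        // Case 2: hardened but not namespace-aware: the root element arrives with an empty
        // namespace URI and JAXB reports "unexpected element", the symptom from the post.
        try {
            unmarshal(GOOD_BODY, false);
            System.out.println("namespaceAware=false : accepted (not expected)");
        } catch (JAXBException e) {
            System.out.println("namespaceAware=false : rejected, " + e);
        }

        // Case 3: hostile body against the hardened, namespace-aware reader: the parser
        // refuses the DOCTYPE before any entity could be resolved.
        try {
            unmarshal(XXE_BODY, true);
            System.out.println("XXE body             : accepted (NOT hardened)");
        } catch (JAXBException e) {
            System.out.println("XXE body             : rejected, " + e);
        }
    }
}
```

The point to check in your own wrapper is case 2 versus case 3: a reader that only disables entities but leaves setNamespaceAware at its default of false breaks every namespaced payload, while a reader with both settings keeps the XXE protection and still parses. On JDK 11 and later the javax.xml.bind API and a JAXB runtime (for example the jaxb-api and jaxb-runtime artifacts) must be on the classpath, as they are no longer bundled with the JDK.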