how to configure SAXParser of JbossWS

vismay2011 Mar 2, 2016 12:27 PM

we found webservice written using jbossWS (jax-ws) are vulnerable to External XML injection attack.

one of the way to mitigate this issue is by configuring the SAXFactory instance.

The webservices are implemented with @webservice and @webmethod and Endpoint Interfaces and no where we are creating SAXFactory instances.

Where should I make this changes? I have no idea where JbossWS makes the SAXFactory instances.

we use jboss version 6.0

1. Re: how to configure SAXParser of JbossWS

vismay2011 Mar 7, 2016 12:25 PM (in response to vismay2011)

It is said here Disable DTD declaration this issue has been fixed in Jbossws 3.31. can someone help me to find the BUG ID so that I can pull the changes.
Actions