1 Reply Latest reply on Sep 10, 2012 7:43 AM by timlambert

    How to enable RESTEasy XXE for JBoss 7.1

      Per the fix for RESTEasy XXE issues...
      https://issues.jboss.org/browse/RESTEASY-637

      https://issues.jboss.org/browse/RESTEASY-647

       

      ...I'm trying to set 'resteasy.document.expand.entity.references' to false.

       

      I've been able to get the desired RESTEasy behavior if I set the property as a context-param in my web.xml.  Note that I'm not setting up RESTEasy in any other way within my web.xml; just setting the context-param.

       

      <context-param>
          <param-name>resteasy.document.expand.entity.references</param-name>
          <param-value>false</param-value>
      </context-param>

       

      However, this only works if my app is the first JAXRS endpoint to be invoked after the server is started. If another web app is using JAXRS and its endpoint is invoked first, then RESTEasy is initialized without the desired property.  Subsequently, when my app's JAXRS endpoint is invoked, RESTEasy does the entity expansion; i.e. it is not configured with the above property.

       

      So how can I cleanly globally configure RESTEasy?

       

      Things I've considered trying...

       

      1) Remove the RESTEasy module from base JBoss; i.e. move back to per app RESTEasy setup via web.xml.  Is this do-able?

       

      2) Put the above context-param in every web app.  But this is fragile in case another app happens to get deployed without the param.

       

      3) Find a way to globally set the property.  The desired strategy.
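
The fragility noted for option 2 can be caught before deployment by auditing each WAR's WEB-INF/web.xml for the context-param. This is an added example, not part of the original post; the function names and the in-memory sample WARs are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PARAM = "resteasy.document.expand.entity.references"

def local(tag):
    """Strip the XML namespace so any web.xml schema version matches."""
    return tag.rsplit("}", 1)[-1]

def entity_expansion_setting(web_xml_bytes):
    """Return the param-value for PARAM in a web.xml, or None if absent."""
    root = ET.fromstring(web_xml_bytes)
    for cp in root.iter():
        if local(cp.tag) != "context-param":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in cp}
        if fields.get("param-name") == PARAM:
            return fields.get("param-value")
    return None

def audit_war(war):
    """Classify one WAR (path or file object): ok, missing, enabled, no-web.xml."""
    with zipfile.ZipFile(war) as zf:
        try:
            data = zf.read("WEB-INF/web.xml")
        except KeyError:
            return "no-web.xml"
    value = entity_expansion_setting(data)
    if value is None:
        return "missing"  # app relies on whatever RESTEasy was initialized with
    return "ok" if value.lower() == "false" else "enabled"

def make_war(web_xml):
    """Build a constructed in-memory WAR for the demo below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if web_xml is not None:
            zf.writestr("WEB-INF/web.xml", web_xml)
    buf.seek(0)
    return buf

# Constructed sample descriptors: one with the param set to false, one without it.
HARDENED = ("<web-app xmlns='http://java.sun.com/xml/ns/javaee'><context-param>"
            f"<param-name>{PARAM}</param-name><param-value>false</param-value>"
            "</context-param></web-app>")
UNSET = "<web-app xmlns='http://java.sun.com/xml/ns/javaee'></web-app>"

if __name__ == "__main__":
    for name, xml in [("app-a.war", HARDENED), ("app-b.war", UNSET), ("app-c.war", None)]:
        print(name, audit_war(make_war(xml)))
```

`audit_war` also accepts a filesystem path, so it can be run over every WAR in a deployment directory and fail a build or deploy step on any result other than `ok`.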