1 Reply Latest reply on Mar 7, 2016 12:25 PM by Vismay h

    How to configure SAXParser of JBossWS

    Vismay h Newbie

      We found that web services written using JBossWS (JAX-WS) are vulnerable to an External XML injection attack.

      One of the ways to mitigate this issue is by configuring the SAXFactory instance.

      i.e. factory.setFeature("http://xml.org/sax/features/external-general-entities", false);

       

      The web services are implemented with @WebService and @WebMethod and endpoint interfaces, and nowhere are we creating SAXFactory instances.

      Where should I make these changes? I have no idea where JBossWS makes the SAXFactory instances.

      We use JBoss version 6.0.
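
An added example, not part of the original post and not JBossWS code: a stand-alone JAXP `SAXParserFactory` configured with the feature quoted in the question plus the related external-entity switches, run against a constructed document. The class name `HardenedSaxDemo`, the helper names and the sample XML are assumptions made for illustration, and the example does not show where JBossWS creates its own parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxDemo {
    // Constructed sample: an external general entity pointing at a path that does not exist.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE r [<!ENTITY ext SYSTEM \"file:///nonexistent/constructed-sample.txt\">]>"
        + "<r>before-&ext;-after</r>";

    // Hypothetical helper: builds a factory with external entity resolution switched off.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // The feature quoted in the post: do not resolve external general entities.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        // Parameter entities are a separate switch and need disabling too.
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Xerces-specific (also the JDK's built-in parser): never fetch an external DTD.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f;
    }

    // Hypothetical helper: parses xml and returns the character data the handler received.
    static String textOf(SAXParserFactory f, String xml) throws Exception {
        final StringBuilder text = new StringBuilder();
        DefaultHandler h = new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int len) {
                text.append(ch, start, len);
            }
        };
        f.newSAXParser().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)), h);
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        try {
            // With the entity left unresolved, only the literal text around it reaches the handler.
            System.out.println("handler saw: " + textOf(hardenedFactory(), SAMPLE));
        } catch (SAXException e) {
            // Some parser builds reject the reference outright instead of skipping it.
            System.out.println("parser rejected the document: " + e.getMessage());
        }
    }
}
```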