We found that web services written using JBossWS (JAX-WS) are vulnerable to an External XML injection attack.
One way to mitigate this issue is by configuring the SAXFactory instance,
i.e. factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
The web services are implemented with @webservice and @webmethod and Endpoint Interfaces, and nowhere are we creating SAXFactory instances.
Where should I make these changes? I have no idea where JBossWS makes the SAXFactory instances.
We use JBoss version 6.0.