jerdno

Reputation: 63

Prevent parsing XML files containing DTD using Jaxb2Marshaller

I saw many solutions using XMLInputFactory, SAXParser and DocumentBuilderFactory. Our project is spring web service and the only thing we do is:

@Bean
public Jaxb2Marshaller unmarshaller() {
   Jaxb2Marshaller unmarshaller = new Jaxb2Marshaller();
   unmarshaller.setContextPath("foo");
   unmarshaller.setProcessExternalEntities(false);
   return unmarshaller;
}

And then we pass this marshaller and unmarshaller to MarshallingPayloadMethodProcessor. So my question is whether there is some property for Jaxb2Marshaller that will prevent DTDs. Something like: unmarshaller.setProperty(foo.SUPPORT_DTD, false);

We have an .xsd schema, but in the case of an XML bomb the entity needs to be expanded for the purpose of validation, so it seems like this is not the solution.

Upvotes: 4

Views: 2209

Answers (1)

lexicore

Reputation: 43671

As far as I can see from the code, this must be the default behaviour.

In the JAXB RI there is a context property com.sun.xml.bind.disableXmlSecurity which is reasonably set to false by default. The JAXB RI then uses this property when it creates the parser. So, in the end it configures the FEATURE_SECURE_PROCESSING feature of the parser:

    SAXParserFactory factory = SAXParserFactory.newInstance();
    if (LOGGER.isLoggable(Level.FINE)) {
        LOGGER.log(Level.FINE, "SAXParserFactory instance: {0}", factory);
    }
    factory.setNamespaceAware(true);
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
    return factory;

You can also use the system property javax.xml.accessExternalDTD.

See also this answer:

How to disable DTD fetching using JAXB2.0

If you want to make it even more secure, you may write and configure your own entity resolver.

Upvotes: 2
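The question's worry is that XSD validation alone does not stop an entity-expansion bomb, and the answer points at the secure-processing feature of the underlying SAX parser. The following is an added example, not code from the question's project or from the JAXB RI or Spring: it builds its own hardened SAXParserFactory (secure processing on, Xerces' disallow-doctype-decl on, external entities off), wraps it in a SAXSource and hands that to a plain JAXB Unmarshaller, so any document carrying a DOCTYPE is rejected before any entity can be expanded. The `Order` type and both XML documents are constructed for the demonstration; Spring's Jaxb2Marshaller also accepts a javax.xml.transform.Source in its unmarshal method, so the same SAXSource can be passed there, but that usage is an assumption about the caller's code, not shown here.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.UnmarshalException;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class HardenedJaxbUnmarshal {

    // Constructed sample payload type for this example; the question's real
    // classes live under the context path "foo" and are not shown on the page.
    @XmlRootElement(name = "order")
    public static class Order {
        public String id;
    }

    // Builds a SAX reader that refuses any DOCTYPE and runs with secure processing enabled.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        // Same feature the answer shows the JAXB RI setting by default
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces feature (supported by the JDK's built-in parser): a <!DOCTYPE ...> is a fatal error,
        // so neither an internal entity bomb nor an external DTD is ever processed
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces: even if a DTD were allowed, never resolve external entities
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return factory.newSAXParser().getXMLReader();
    }

    // Unmarshals through JAXB using the hardened reader instead of JAXB's own default parser.
    static Order unmarshal(String xml) throws Exception {
        SAXSource source = new SAXSource(hardenedReader(), new InputSource(new StringReader(xml)));
        JAXBContext context = JAXBContext.newInstance(Order.class);
        return (Order) context.createUnmarshaller().unmarshal(source);
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign document
        String benign = "<order><id>42</id></order>";
        System.out.println("benign -> id=" + unmarshal(benign).id);

        // Constructed, deliberately tiny "billion laughs"-style document: an internal DTD with nested entities
        String bomb = "<!DOCTYPE order [<!ENTITY a \"aaaa\"><!ENTITY b \"&a;&a;&a;&a;\">]>"
                    + "<order><id>&b;</id></order>";
        try {
            unmarshal(bomb);
            System.out.println("bomb -> accepted (the parser did not reject the DOCTYPE)");
        } catch (UnmarshalException e) {
            // disallow-doctype-decl turns the DOCTYPE into a SAXParseException, which JAXB wraps here
            Throwable cause = e.getLinkedException() != null ? e.getLinkedException() : e;
            System.out.println("bomb -> rejected: " + cause.getMessage());
        }
    }
}
```

Rejecting the DOCTYPE up front sidesteps the validation dilemma from the question: there is no entity left to expand, so schema validation can run on the parsed document without the bomb ever being inflated. If a legitimate client really needs an internal DTD subset, keep secure processing on (it caps entity expansion) and switch only disallow-doctype-decl off, never the external-entity features.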
