Reputation: 53
I am using CXF (JAX-RS) for REST services and the default JAXBElementProvider for XML request/response marshaling/unmarshaling. Everything works fine, but now I want to prevent XXE attacks in XML requests, which by default JAXBElementProvider does not do. How do I configure XXE prevention parameters in the declaration below?
<bean id="jaxbProvider" class="org.apache.cxf.jaxrs.provider.JAXBElementProvider"/>
<jaxrs:server id="myendpoint" address="/">
<jaxrs:providers>
<ref bean="jaxbProvider"/>
<ref bean="jsonProvider"/>
</jaxrs:providers>
<jaxrs:extensionMappings>
<entry key="json" value="application/json"/>
<entry key="xml" value="application/xml"/>
</jaxrs:extensionMappings>
</jaxrs:server>
Upvotes: 1
Views: 1088
Reputation: 3576
According to CXF Security Advisory CVE-2010-2076, XXE attacks should be mitigated in the CXF default configuration. This assumes you are using the latest (or a fairly recent) version of CXF, and that you did not set the org.apache.cxf.stax.allowInsecureParser system property mentioned in the XML security section of the CXF docs. The Woodstox parser library must be on your classpath to be picked up by CXF as the default XMLInputFactory.
You can also use a custom XMLInputFactory to suit your needs (e.g. disable other parsing features for security) as told in section 4.2 of the security advisory, but this should not be needed in most cases. For example,
<jaxrs:server id="myendpoint" address="/">
<jaxrs:properties>
<entry key="javax.xml.stream.XMLInputFactory">
<bean class="your.own.ParserFactory" factory-method="createFactory"/>
</entry>
</jaxrs:properties>
</jaxrs:server>
Then, in your own your.own.ParserFactory#createFactory(), start with:
XMLInputFactory factory = XMLInputFactory.newInstance();
and set the properties you want on the factory, among the ones supported by the Woodstox XMLInputFactory.
Upvotes: 1
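As an added example (not code from the question, the answer, or the CXF project), here is one way to flesh out the your.own.ParserFactory#createFactory() method that the answer's jaxrs:properties entry points at. It takes the XMLInputFactory.newInstance() line from the answer and hardens it with the standard StAX properties plus a resolver that refuses external lookups; the three Woodstox limit properties are looked up by their string names and applied only if the factory reports them as supported, so the class compiles against the StAX API alone. The class and method names come from the answer; the "MARKER-expanded" payload in main() is a constructed sample, and the "weak" factory is simply a bare XMLInputFactory.newInstance() with nothing set on it, which is what a factory method would return if it stopped at the line the answer shows:

```java
package your.own;

import java.io.StringReader;

import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLResolver;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Referenced from the answer's jaxrs:properties entry:
//   <bean class="your.own.ParserFactory" factory-method="createFactory"/>
public class ParserFactory {

    // Woodstox-specific limits (com.ctc.wstx.api.WstxInputProperties), named as
    // strings so this class needs only the StAX API at compile time. They are
    // applied only when the concrete factory says it supports them.
    private static final String WSTX_MAX_ENTITY_DEPTH  = "com.ctc.wstx.maxEntityDepth";
    private static final String WSTX_MAX_ENTITY_COUNT  = "com.ctc.wstx.maxEntityCount";
    private static final String WSTX_MAX_ELEMENT_DEPTH = "com.ctc.wstx.maxElementDepth";

    public static XMLInputFactory createFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        // No DTD processing at all: without a DOCTYPE/internal subset there is no
        // place for an attacker to declare the entity an XXE payload relies on.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // Belt and braces: never resolve external general entities.
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Any remaining attempt to fetch an external resource (DTD, entity) fails
        // hard instead of touching the file system or the network.
        factory.setXMLResolver(new XMLResolver() {
            public Object resolveEntity(String publicID, String systemID,
                                        String baseURI, String namespace)
                    throws XMLStreamException {
                throw new XMLStreamException("external entity resolution disabled: " + systemID);
            }
        });
        // Woodstox-only guards against entity-expansion blowup and deeply nested input.
        setIfSupported(factory, WSTX_MAX_ENTITY_DEPTH, Integer.valueOf(1));
        setIfSupported(factory, WSTX_MAX_ENTITY_COUNT, Integer.valueOf(100));
        setIfSupported(factory, WSTX_MAX_ELEMENT_DEPTH, Integer.valueOf(100));
        return factory;
    }

    private static void setIfSupported(XMLInputFactory factory, String name, Object value) {
        if (factory.isPropertySupported(name)) {
            factory.setProperty(name, value);
        }
    }

    // Constructed sample payload: an internal entity stands in for the file read
    // a real XXE would declare; with DTD support on, &x; expands to the marker.
    static final String XXE_SAMPLE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE data [ <!ENTITY x \"MARKER-expanded\"> ]>\n" +
        "<data>&x;</data>";

    // True when the entity was expanded into element text, i.e. the factory
    // would let this class of payload through.
    static boolean expandsEntity(XMLInputFactory factory, String xml) {
        try {
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
            StringBuilder text = new StringBuilder();
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(r.getText());
                }
            }
            r.close();
            return text.toString().contains("MARKER-expanded");
        } catch (XMLStreamException e) {
            // Hardened factory: the DTD is not parsed, so the reference to an
            // undeclared entity is rejected rather than expanded.
            return false;
        }
    }

    public static void main(String[] args) {
        XMLInputFactory weak = XMLInputFactory.newInstance(); // nothing set: DTDs honoured
        System.out.println("bare factory expands entity:     " + expandsEntity(weak, XXE_SAMPLE));
        System.out.println("hardened factory expands entity: " + expandsEntity(createFactory(), XXE_SAMPLE));
    }
}
```

Running main() with Woodstox on the classpath shows the bare factory expanding the entity and the hardened one refusing it. Whether the hardened factory throws or merely leaves the reference unexpanded depends on the StAX implementation, which is why the check looks for the marker text rather than for a particular exception. Keep the javax.xml.stream.XMLInputFactory property key exactly as the answer spells it, since that is the key CXF reads from jaxrs:properties.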