Uploaded image for project: 'RESTEasy'
  1. RESTEasy
  2. RESTEASY-996

POSTs give JAXBUnmarshalException if @XmlSchema annotation present and expand.entity.references is false

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • 3.0.7.Final
    • 2.3.7.Final, 3.0.4.Final
    • jaxrs
    • None
    • Hide

      The classes for a fairly simple test case to replicate the issue is given below:

      @XmlRootElement
      public class AbcMessage {
      @XmlElement(required = true)
      private String message;

      public AbcMessage() { }

      public AbcMessage(String message)

      { this.message = message; }

      public String getMessage()

      { return message; }

      }

      @Path("/")
      public class AbcServiceImpl {
      @POST
      public void postMessage(AbcMessage message)

      { System.out.println(message.getMessage()); }

      }

      And it's also key to have the following package-info.java file in the same package as the AbcMessage:

      @javax.xml.bind.annotation.XmlSchema(namespace = "http://abc.com",
      elementFormDefault = javax.xml.bind.annotation.XmlNsForm.QUALIFIED)
      package com.test.abc;

      Here's the web.xml:

      <web-app>
      <servlet-mapping>
      <servlet-name>javax.ws.rs.core.Application</servlet-name>
      <url-pattern>/*</url-pattern>
      </servlet-mapping>

      <context-param>
      <param-name>resteasy.document.expand.entity.references</param-name>
      <param-value>false</param-value>
      </context-param>
      <context-param>
      <param-name>resteasy.expand.entity.references</param-name>
      <param-value>false</param-value>
      </context-param>
      </web-app>

      If the package-info.java file is removed, the POSTs succeed. (the package-info's are created by xjc, so it is valid for them to be there)

      Alternatively, if the expand.entity.references settings are set to true, the POSTs also succeed (but that introduces the XXE vulnerability).

      I have a fix prepared, which is to fix a problem in the ExternalEntityUnmarshaller class, which is used when expand.entity.references is false.
      In the public unmarshal(Source, Class<T>) method, I add another setFeature to the created xmlReader:

      xmlReader.setFeature( "http://xml.org/sax/features/namespaces", true);

      The xmlReader is then namespace aware and the JAXBUnmarshalException is not thrown any more.

      (I originally raised the question on the WildFly forums, but at the time I did not have a simple test case to replicate the problem).

      Show
      The classes for a fairly simple test case to replicate the issue is given below: @XmlRootElement public class AbcMessage { @XmlElement(required = true) private String message; public AbcMessage() { } public AbcMessage(String message) { this.message = message; } public String getMessage() { return message; } } @Path("/") public class AbcServiceImpl { @POST public void postMessage(AbcMessage message) { System.out.println(message.getMessage()); } } And it's also key to have the following package-info.java file in the same package as the AbcMessage: @javax.xml.bind.annotation.XmlSchema(namespace = "http://abc.com", elementFormDefault = javax.xml.bind.annotation.XmlNsForm.QUALIFIED) package com.test.abc; Here's the web.xml: <web-app> <servlet-mapping> <servlet-name>javax.ws.rs.core.Application</servlet-name> <url-pattern>/*</url-pattern> </servlet-mapping> <context-param> <param-name>resteasy.document.expand.entity.references</param-name> <param-value>false</param-value> </context-param> <context-param> <param-name>resteasy.expand.entity.references</param-name> <param-value>false</param-value> </context-param> </web-app> If the package-info.java file is removed, the POSTs succeed. (the package-info's are created by xjc, so it is valid for them to be there) Alternatively, if the expand.entity.references settings are set to true, the POSTs also succeed (but that introduces the XXE vulnerability). I have a fix prepared, which is to fix a problem in the ExternalEntityUnmarshaller class, which is used when expand.entity.references is false. In the public unmarshal(Source, Class<T>) method, I add another setFeature to the created xmlReader: xmlReader.setFeature( "http://xml.org/sax/features/namespaces", true); The xmlReader is then namespace aware and the JAXBUnmarshalException is not thrown any more. (I originally raised the question on the WildFly forums, but at the time I did not have a simple test case to replicate the problem).

      When I have a simple service deployed in WildFly 8.0.0.Beta1, such that:
      1. The package containing the JAXB data classes has a @javax.xml.bind.annotation.XmlSchema annotation
      2. The web service method being called is a POST
      3. XXE attacks are prevented using the resteasy.expand.entity.references=false parameters in web.xml

      I receive the following exception message:

      Failed executing POST /: org.jboss.resteasy.plugins.providers.jaxb.JAXBUnmarshalException: javax.xml.bind.UnmarshalException: unexpected element (uri:"", local:"abcMessage"). Expected elements are <

      {http://abc.com}

      abcMessage>

      This does work in RestEasy 3.0.3.

              rsigal@redhat.com Ronald Sigal
              darrenjones_jira Darren Jones (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: