使用JAXB + Spring RESTful Web服务防止XXE（外部实体处理）攻击

本文介绍了使用JAXB + Spring RESTful Web服务防止XXE（外部实体处理）攻击的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

我知道我们可以通过在JAXB中将抽象类XMLInputFactory中的属性IS_SUPPORTING_EXTERNAL_ENTITIES设置为false来阻止XXE攻击。

I know that we can prevent the XXE attack by setting the property IS_SUPPORTING_EXTERNAL_ENTITIES in the abstract class XMLInputFactory to false in JAXB.

我也看到了这个 stackoverflow答案。

我的问题在这里是，

如何在Spring应用程序加载时创建XMLInputFactory实例并将此IS_SUPPORTING_EXTERNAL_ENTITIES属性设置为false。并且该特定XMLInputFactory实例仅应用于使用javax.xml.bind.annotation包的所有类的所有JAXB转换。

How do I create a instance of XMLInputFactory and set this IS_SUPPORTING_EXTERNAL_ENTITIES property to false when the spring application loads up. And that particular XMLInputFactory instance should only be used for all the JAXB conversion for all the classes that uses javax.xml.bind.annotation package.

推荐答案

Spring使用RequestMappingHandlerAdapter，它是一个AbstractHandlerMethodAdapter，它支持HandlerMethods，其签名方法参数和返回类型在@RequestMapping中定义。

Spring uses RequestMappingHandlerAdapter which is an AbstractHandlerMethodAdapter that supports HandlerMethods with the signature -- method argument and return types, defined in @RequestMapping.

共有7个HttpMessageConverters，其中一个是Jaxb2RootElementHttpMessageConverter

There are 7 seven HttpMessageConverters and one of them is Jaxb2RootElementHttpMessageConverter

Jaxb2RootElementHttpMessageConverter来自spring-web包。

Jaxb2RootElementHttpMessageConverter is from the spring-web package.

从Spring-web的3.2.8版开始，Jaxb2RootElementHttpMessageConverter将processExternalEntities设置为false，然后将XMLInputFactory属性IS_SUPPORTING_EXTERNAL_ENTITIES设置为false。

From 3.2.8 version of spring-web onwards Jaxb2RootElementHttpMessageConverter sets the processExternalEntities to false which in turn sets the XMLInputFactory property IS_SUPPORTING_EXTERNAL_ENTITIES to false.

参考：

grepcode/file/repo1.maven /maven2/org.springframework/spring-web/3.2.8.RELEASE/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverter.java?av=f

答案使用 < dependency> < groupId> org.springframework< / groupId> < artifactId> spring-web< / artifactId> < version> 3.2.8.RELEASE< / version> < / dependency>