Java: how to extend com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl and write my own DocumentBuilderFactoryI for WebLogic 12C

Tags: java, spring-security, weblogic12c, jaxp, xxe

To prevent XXE attacks, I am trying to override the default DocumentBuilderFactoryImpl of WebLogic 12c and use my own parser. I am trying the code below:
    import javax.xml.parsers.DocumentBuilder;
    import javax.xml.parsers.ParserConfigurationException;
    import com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl;

    public class CustomDocumentBuilderFactoryImpl extends DocumentBuilderFactoryImpl {

        @Override
        public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
            System.out.println("Adding Features to DocumentBuilder.....");
            // Forced on every builder this factory hands out, after any configuration
            // the caller did on the factory, so a caller cannot re-enable DTD handling.
            super.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
            super.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            super.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
            super.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            super.setFeature("http://apache.org/xml/features/dom/defer-node-expansion", false);
            super.setXIncludeAware(false);
            super.setExpandEntityReferences(false);
            System.out.println("Returning DocumentBuilder.....");
            return super.newDocumentBuilder();
        }

        // Do NOT override setAttribute/getAttribute/setFeature/getFeature with empty
        // bodies: such stubs silently drop every feature a caller (for example a
        // parser pool) tries to set, and make getFeature() always return false.
        // The inherited Xerces implementations are used instead.
    }
But no luck.

Can anyone help me? Is there a way to do this?

***** EDIT *****

I have also tried the Spring Security configuration to prevent XXE:
    <bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" scope="singleton"
          init-method="initialize">
        <property name="builderFeatures">
            <map>
                <entry key="http://apache.org/xml/features/dom/defer-node-expansion" value="false"/>
                <entry key="http://javax.xml.XMLConstants/feature/secure-processing" value="true"/>
                <entry key="http://apache.org/xml/features/disallow-doctype-decl" value="true"/>
                <!-- "javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING" is a Java constant name,
                     not a feature URI; the parser does not recognise it as a feature. The
                     secure-processing entry above already sets that feature by its real URI. -->
            </map>
        </property>
        <!-- <property name="builderFactory" ref="builderFactoryCustom"/>-->
        <property name="namespaceAware" value="true"/>
        <property name="expandEntityReferences" value="false"/>
    </bean>
This configuration works with Tomcat, but not with WebLogic.

Comment: What exactly does "but no luck" mean? It doesn't compile? The code doesn't run? The XXE is executed? Is the XXE still being executed?

Comment: Did you try using this:

    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
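The following is an added example; it is not code from the question, from WebLogic, Spring Security or OpenSAML. It takes the same route the question does, subclassing the JDK's built-in Xerces factory, but overrides only newDocumentBuilder() and leaves the inherited setFeature/getFeature/setAttribute/getAttribute alone, so a caller such as a parser pool can still configure the factory; the hardening is applied inside newDocumentBuilder(), after any caller configuration, so it cannot be switched off from outside. The class name HardenedDocumentBuilderFactory and the file:///etc/passwd payload are made up for the example. It assumes a JDK 7/8 runtime (the WebLogic 12c era); on JDK 9+ the com.sun.org.apache.xerces.internal.jaxp package is not exported and needs --add-exports java.xml/com.sun.org.apache.xerces.internal.jaxp=ALL-UNNAMED to compile and run. main() registers the class through the standard JAXP lookup property javax.xml.parsers.DocumentBuilderFactory (the same thing as passing -Djavax.xml.parsers.DocumentBuilderFactory=... on the server's JVM command line) and then prints which class DocumentBuilderFactory.newInstance() actually returns. That print is the first check to make when an override "does nothing" on a server: if it names some other factory class, the override was never selected and no amount of feature tuning inside it will matter.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Added example (hypothetical class name), not code from the original post.
// Extends the JDK's built-in Xerces factory and forces anti-XXE settings on
// every DocumentBuilder it produces. Only newDocumentBuilder() is overridden.
public class HardenedDocumentBuilderFactory
        extends com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl {

    static final String DISALLOW_DOCTYPE   = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXTERNAL_GENERAL   = "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD  = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    @Override
    public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
        // Applied here, after the caller's own setFeature() calls, so the caller
        // cannot re-enable DTD processing before asking for a builder.
        super.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        super.setFeature(DISALLOW_DOCTYPE, true);      // any DOCTYPE is a fatal parse error
        super.setFeature(EXTERNAL_GENERAL, false);     // defence in depth if DOCTYPEs are ever allowed
        super.setFeature(EXTERNAL_PARAMETER, false);
        super.setFeature(LOAD_EXTERNAL_DTD, false);
        super.setXIncludeAware(false);
        super.setExpandEntityReferences(false);
        return super.newDocumentBuilder();
    }

    /** Parses xml with whatever factory JAXP currently selects; true if a Document came back. */
    static boolean parses(String xml) throws Exception {
        DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        try {
            Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (SAXParseException e) {
            // With disallow-doctype-decl on, Xerces reports the DOCTYPE itself as fatal.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Same effect as -Djavax.xml.parsers.DocumentBuilderFactory=<class> on the JVM
        // command line: JAXP consults this property before the ServiceLoader lookup
        // and before falling back to the platform default factory.
        System.setProperty("javax.xml.parsers.DocumentBuilderFactory",
                HardenedDocumentBuilderFactory.class.getName());

        // Constructed test input: a classic XXE payload and a harmless document.
        String xxe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
                + "<foo>&xxe;</foo>";
        String benign = "<foo><bar>ok</bar></foo>";

        // First diagnostic: is our class the one JAXP actually returns?
        System.out.println("factory in use: "
                + DocumentBuilderFactory.newInstance().getClass().getName());
        System.out.println("XXE payload parsed?    " + parses(xxe));
        System.out.println("benign document parsed? " + parses(benign));
    }
}
```

Two caveats when moving this to a server. First, disallow-doctype-decl rejects every document that carries a DOCTYPE, malicious or not; if the application must accept such documents, leave that feature off and rely on the two external-entity features plus load-external-dtd, which is what the comment above suggests. Second, the system property only affects code that obtains its parser through DocumentBuilderFactory.newInstance(); code that constructs a Xerces parser directly, or a container-supplied factory that wraps its own implementation, is not covered, which is why the "factory in use" line is worth printing from inside the deployed application rather than from a standalone test.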