Home » Java » java – How to extend com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl and write own DocumentBuilderFactoryI for Weblogic 12C-Exceptionshub

java – How to extend com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl and write own DocumentBuilderFactoryI for Weblogic 12C-Exceptionshub

Posted by: admin February 25, 2020 Leave a comment

Questions:

To prevent XXE attack, I am trying to override default DocumentBuilderFactoryImpl for weblogic 12c and use my own parser.

I am trying below code.

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.ParserConfigurationException;

import com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl;

public class CustomDocumentBuilderFactoryImpl extends DocumentBuilderFactoryImpl  {

    @Override
    public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
        System.out.println("*************************************************************************************");
        System.out.println("*************************************************************************************");
        System.out.println("Adding Features to DocumentBuilder.....");


        super.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
        super.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        super.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
        super.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        super.setFeature("http://apache.org/xml/features/dom/defer-node-expansion", false);
        super.setXIncludeAware(false);
        super.setExpandEntityReferences(false);
        System.out.println("Returning DocumentBuilder.....");
        System.out.println("*************************************************************************************");
        System.out.println("*************************************************************************************");
       return super.newDocumentBuilder();
    }

    @Override
    public void setAttribute(String name, Object value) throws IllegalArgumentException {
        // TODO Auto-generated method stub

    }

    @Override
    public Object getAttribute(String name) throws IllegalArgumentException {
        // TODO Auto-generated method stub
        return null;
    }

    @Override
    public void setFeature(String name, boolean value) throws ParserConfigurationException {
        // TODO Auto-generated method stub

    }

    @Override
    public boolean getFeature(String name) throws ParserConfigurationException {
        // TODO Auto-generated method stub
        return false;
    }

}

but with no luck.

Can anyone help me with this? Is there any way of doing this?

*****EDIT******

I have tried Spring-Security config to prevent XXE.

<bean id="parserPool" class="org.opensaml.xml.parse.StaticBasicParserPool" scope="singleton"
          init-method="initialize">
        <property name="builderFeatures">
            <map>
                <entry key="http://apache.org/xml/features/dom/defer-node-expansion" value="false"/>
                <entry key="http://javax.xml.XMLConstants/feature/secure-processing" value="true"/>
                <entry key="http://apache.org/xml/features/disallow-doctype-decl" value="true"/>
                <entry key="javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING" value="true"/>
            </map>
        </property>
<!--        <property name="builderFactory" ref="builderFactoryCustom"/>-->

        <property name="namespaceAware" value="true"/>
        <property name="expandEntityReferences" value="false"/>
    </bean>

This code is working with Tomcat but not working with Weblogic.

How to&Answers: