Edit 31/OCT/2014: the fix for this is now available in the Restlet 2.2 and master (future 2.3) branches.
Our NetBeans Platform Restlet client application runs fine on Java 1.6, but on 1.7.0_11 I get a security runtime error.
Is there an easy way to prevent this?
WARN org.restlet.log():241 - Unable to unmarshal the XML representation
javax.xml.bind.JAXBException: Unable to create customized SAX source
- with linked exception:
[javax.xml.parsers.ParserConfigurationException: FEATURE_SECURE_PROCESSING: Cannot set the feature to false when security manager is present.]
at org.restlet.ext.jaxb.internal.Unmarshaller.unmarshal(Unmarshaller.java:201)
at org.restlet.ext.jaxb.JaxbRepresentation.getObject(JaxbRepresentation.java:417)
at org.restlet.ext.jaxb.JaxbConverter.toObject(JaxbConverter.java:172)
at org.restlet.service.ConverterService.toObject(ConverterService.java:167)
at org.restlet.resource.Resource.toObject(Resource.java:828)
at org.restlet.engine.resource.ClientInvocationHandler.invoke(ClientInvocationHandler.java:240)
<SNIP>
Caused by: javax.xml.parsers.ParserConfigurationException: FEATURE_SECURE_PROCESSING: Cannot set the feature to false when security manager is present.
at com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl.setFeature(SAXParserFactoryImpl.java:122)
at org.restlet.ext.jaxb.internal.Unmarshaller.unmarshal(Unmarshaller.java:190)
... 23 more
Under both Java runtimes my System.getSecurityManager() is an instance of org.netbeans.TopSecurityManager.
After digging further into the Restlet source, as mentioned in Simon Lehmann's answer, I see that JaxbConverter.java calls

    new JaxbRepresentation<T>(Representation source, Class<T> target).getObject();

and then...

    public JaxbRepresentation(Representation xmlRepresentation, Class<T> type) { ... }

and then...

    public JaxbRepresentation(Representation xmlRepresentation, String contextPath,
            ValidationEventHandler validationHandler, ClassLoader classLoader) {
        super((xmlRepresentation == null) ? null : xmlRepresentation.getMediaType());
        this.classLoader = classLoader;
        this.contextPath = contextPath;
        this.object = null;
        this.validationEventHandler = validationHandler;
        this.xmlRepresentation = xmlRepresentation;
    }

In this particular constructor this.secureProcessing always remains false, so if any security manager is present we hit the error from the Java 7 secure processing feature of the XML parser.
Not sure whether this is a bug in Restlet or something I'm doing wrong?
I wrote a small Restlet client test program on 1.7.0_11 and it works with our server. I'm guessing there is something "bad" on the classpath in my full client application?
In both the small app and the full app I checked this, and both are the same:
[exec] DocumentBuilderFactory implementation: com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl loaded from: Java Runtime
[exec] XPathFactory implementation: com.sun.org.apache.xpath.internal.jaxp.XPathFactoryImpl loaded from: Java Runtime
[exec] TransformerFactory implementation: com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl loaded from: Java Runtime
[exec] SAXParserFactory implementation: com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl loaded from: Java Runtime
I turned on extra JAXP logging via System.setProperty("jaxp.debug", "true"); and saw that they differ:
Small working app
[junit] JAXP: find factoryId =javax.xml.datatype.DatatypeFactory
[junit] JAXP: loaded from fallback value: com.sun.org.apache.xerces.internal.jaxp.datatype.DatatypeFactoryImpl
[junit] JAXP: created new instance of class com.sun.org.apache.xerces.internal.jaxp.datatype.DatatypeFactoryImpl using ClassLoader: null
[junit] JAXP: find factoryId =javax.xml.datatype.DatatypeFactory
[junit] JAXP: loaded from fallback value: com.sun.org.apache.xerces.internal.jaxp.datatype.DatatypeFactoryImpl
[junit] JAXP: created new instance of class com.sun.org.apache.xerces.internal.jaxp.datatype.DatatypeFactoryImpl using ClassLoader: null
[junit] JAXP: using thread context class loader (sun.misc.Launcher$AppClassLoader@6c5bdfae) for search
[junit] JAXP: Looking up system property 'javax.xml.xpath.XPathFactory:http://java.sun.com/jaxp/xpath/dom'
[junit] JAXP: The property is undefined.
[junit] JAXP: found null in $java.home/jaxp.properties
[junit] JAXP: no META-INF/services/javax.xml.xpath.XPathFactory file was found
[junit] JAXP: attempting to use the platform default W3C DOM XPath lib
[junit] JAXP: createInstance(com.sun.org.apache.xpath.internal.jaxp.XPathFactoryImpl)
[junit] JAXP: loaded com.sun.org.apache.xpath.internal.jaxp.XPathFactoryImpl from jar:file:/Library/Java/JavaVirtualMachines/jdk1.7.0_11.jdk/Contents/Home/jre/lib/rt.jar!/com/sun/org/apache/xpath/internal/jaxp/XPathFactoryImpl.class
[junit] JAXP: factory 'com.sun.org.apache.xpath.internal.jaxp.XPathFactoryImpl' was found for http://java.sun.com/jaxp/xpath/dom
[junit] JAXP: find factoryId =javax.xml.transform.TransformerFactory
[junit] JAXP: loaded from fallback value: com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl
[junit] JAXP: created new instance of class com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl using ClassLoader: null
Full NetBeans app (fails)
[exec] JAXP: using thread context class loader (SystemClassLoader[420 modules]) for search
[exec] JAXP: Looking up system property 'javax.xml.xpath.XPathFactory:http://java.sun.com/jaxp/xpath/dom'
[exec] JAXP: The property is undefined.
[exec] JAXP: found null in $java.home/jaxp.properties
[exec] JAXP: no META-INF/services/javax.xml.xpath.XPathFactory file was found
[exec] JAXP: attempting to use the platform default W3C DOM XPath lib
[exec] JAXP: createInstance(com.sun.org.apache.xpath.internal.jaxp.XPathFactoryImpl)
[exec] JAXP: loaded com.sun.org.apache.xpath.internal.jaxp.XPathFactoryImpl from jar:file:/Library/Java/JavaVirtualMachines/jdk1.7.0_11.jdk/Contents/Home/jre/lib/rt.jar!/com/sun/org/apache/xpath/internal/jaxp/XPathFactoryImpl.class
[exec] JAXP: factory 'com.sun.org.apache.xpath.internal.jaxp.XPathFactoryImpl' was found for http://java.sun.com/jaxp/xpath/dom
[exec] JAXP: find factoryId =javax.xml.transform.TransformerFactory
[exec] JAXP: found jar resource=META-INF/services/javax.xml.transform.TransformerFactory using ClassLoader: SystemClassLoader[420 modules]
[exec] JAXP: loaded from fallback value: com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl
[exec] JAXP: created new instance of class com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl using ClassLoader: null
Answer 0 (score: 1)
It appears that JDK 7 (Oracle as well as OpenJDK/IcedTea) added a check that prevents disabling the XML parser's so-called secure processing feature when any security manager is present. This feature is intended to prevent denial-of-service attacks, for example through SOAP messages with deeply nested entity definitions. Unfortunately, when a security manager is found they chose to disable control over this feature in general, rather than letting you configure it via security permissions.
However, the Restlet code which tries to set this feature to false actually uses the secureProcessing property of the JaxbRepresentation, which should be set to true by default, so it should not cause any exception.
So the only thing I can suggest is to try updating the Restlet library, in case the default setting or something related to it has changed.
Answer 1 (score: 1)
I ran into the same problem when upgrading from Restlet 2.2m1 running on Java 6 to Restlet 2.2m5 running on Java 7.
The workaround I used was to initialize the secureProcessing flag to true in the JaxbRepresentation constructor you mentioned (and rebuild the Restlet code). This fixed my problem. It is unclear whether the missing initialization of the secureProcessing flag in that constructor was intentional or an oversight.
I filed a bug about it: https://github.com/restlet/restlet-framework-java/issues/785
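The JDK 7 behaviour both answers describe, as an added example that is not part of the question or of Restlet's code: a helper that sets FEATURE_SECURE_PROCESSING from a boolean flag the way the Unmarshaller does, called once with the hardened default (true) and once with the uninitialised false value from the question, under a constructed permissive SecurityManager standing in for NetBeans' TopSecurityManager. The class and method names are assumed for illustration.

```java
import java.security.Permission;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;

/**
 * Constructed example: reproduces the "Cannot set the feature to false when
 * security manager is present" check on JDK 7 and shows the hardened setting.
 */
public class SecureProcessingCheck {

    /** Sets the JAXP secure-processing feature from a flag, like the Restlet Unmarshaller. */
    static SAXParserFactory newFactory(boolean secureProcessing)
            throws ParserConfigurationException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        // Fails on JDK 7 when secureProcessing == false and a SecurityManager is installed.
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secureProcessing);
        return spf;
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for org.netbeans.TopSecurityManager: any SecurityManager triggers the check.
        // Note: on JDK 17+ this requires -Djava.security.manager=allow.
        if (System.getSecurityManager() == null) {
            System.setSecurityManager(new SecurityManager() {
                @Override
                public void checkPermission(Permission perm) { /* permissive: allow everything */ }
            });
        }

        // Hardened default: secure processing on (entity-expansion and similar limits apply).
        newFactory(true);
        System.out.println("secureProcessing=true: factory created");

        // The uninitialised-flag case from the question: the field defaults to false.
        try {
            newFactory(false);
            System.out.println("secureProcessing=false: accepted (pre-JDK 7 behaviour)");
        } catch (ParserConfigurationException e) {
            System.out.println("secureProcessing=false: rejected -> " + e.getMessage());
        }
    }
}
```

Running it on JDK 7 prints the rejection message quoted in the stack trace for the false case; keeping the flag true, as the fix in Restlet 2.2 does, is the only setting that works under a security manager.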