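I am trying to add properties to an existing CXF endpoint to avoid certain security vulnerabilities. There is also a guide that describes what I want to achieve - https://svn.apache.org/repos/asf/cxf/trunk/security/CVE-2010-2076.pdf - but for some reason it does not work as expected. Here is my endpoint XML configuration: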
    <jaxws:endpoint id="serviceEndpoint"
            serviceName="t:Data" implementor="#service" address="/soap/service">
        <jaxws:properties>
            <entry key="ws-security.ut.validator">
                <bean class="my.validator.test.UsernameTokenValidator">
                    <property name="authenticationManager" ref="authenticationManager" />
                </bean>
            </entry>
            <entry key="schema-validation-enabled"><ref bean="isValidateIncomingEAIMessages" /></entry>
            <entry key="javax.xml.stream.XMLInputFactory">
                <bean class="my.services.ParserFactory" factory-method="createFactory"/>
            </entry>
        </jaxws:properties>
    </jaxws:endpoint>
And the ParserFactory class:
    import javax.xml.stream.XMLInputFactory;
    import javax.xml.stream.XMLResolver;
    import javax.xml.stream.XMLStreamException;

    public class ParserFactory {
        // Builds a StAX factory with DTD and external entity processing turned off.
        public static XMLInputFactory createFactory() {
            XMLInputFactory factory = XMLInputFactory.newInstance();
            factory.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, Boolean.TRUE);
            factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
            factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
            factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
            // Refuse any entity resolution the parser still attempts.
            factory.setXMLResolver(new XMLResolver() {
                @Override
                public Object resolveEntity(String publicID, String systemID,
                                            String baseURI, String namespace)
                        throws XMLStreamException {
                    throw new XMLStreamException("Reading external entities is disabled");
                }
            });
            return factory;
        }
    }
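When I deploy the application, I see that the ParserFactory class is called, but I would expect it to be called after every SOAP request related to the /soap/service endpoint. Am I missing something?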
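
A standalone check, added here as an example and not part of the original post: it builds one `XMLInputFactory` with the same properties as `createFactory()` and reuses it across several simulated requests, reporting for each whether an external entity was expanded. It assumes the instance created at deployment is the one that creates a new reader for every request; the class name `SharedFactoryCheck`, the `parse` helper, the marker file and the sample documents are constructed for illustration.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class SharedFactoryCheck { // hypothetical class name
    // Same properties as createFactory() in the post (its custom XMLResolver is omitted here).
    static XMLInputFactory createFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, Boolean.TRUE);
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // Returns the character data of one document, or null if the parser rejected it.
    static String parse(XMLInputFactory factory, String xml) {
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(reader.getText());
                }
            }
            reader.close();
            return text.toString();
        } catch (XMLStreamException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        Path marker = Files.createTempFile("marker", ".txt"); // constructed local file
        Files.writeString(marker, "MARKER-CONTENT");
        String withDtd = "<!DOCTYPE r [<!ENTITY e SYSTEM \"" + marker.toUri() + "\">]><r>&e;</r>";
        XMLInputFactory factory = createFactory(); // created once, like the Spring bean
        for (int request = 1; request <= 3; request++) { // three simulated requests
            String seen = parse(factory, withDtd);
            boolean expanded = seen != null && seen.contains("MARKER-CONTENT");
            System.out.println("request " + request + ": plain=" + parse(factory, "<r>ok</r>") + ", external entity expanded=" + expanded);
        }
        Files.delete(marker);
    }
}
```

Both a parse error and an unexpanded entity reference count as safe here, so the check does not depend on which StAX implementation is on the classpath.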