Hi,
How can i disable the doctype declarations, to prevent xxe injection? At the moment, I'm using JBoss 4.2.3 with JBossWS 3.1.1. and i can do stuff like this:
<!DOCTYPE root
[
<!ENTITY xxe SYSTEM "/windows/system32/drivers/etc/hosts">
]>
And inject the xxe entity in my soap parameters. How can i prevent this from happening? I found this page http://java.sun.com/j2se/1.5.0/docs/guide/xml/jaxp/JAXP-Compatibility_150.html#JAXP_security, which speaks about disabling the dtd declarations. Is this the way to go? Or is there some other way?
Best Regards
Roberto Cortez