resteasy March 2018

resteasy@lists.jboss.org

2 participants
2 discussions

by Wang Veronica

Hi experts, We use resteasy 3.0.6final, and XXE vulnerability was reported during penetration test. Seems that 3.0.6final contains partial fix for XXE vulnerability, but need to set resteasy.document.expand.entity.references parameter to false explicitly. A more complete fix seems to have been done after 3.0.10. We can upgrade to a more recent version, e.g. 3.1.2. Another option I am thinking is not to support XML Media type (we actually need to support json only). Is this a feasible approach to ultimately avoid XXE attack and any pointers to achieve this? (In our REST API code, we currently declare consume and produce annotations to support application/xml and application/json). Is there a simple resteasy configuration to disable support of application/xml? Thanks, Veronica

2 weeks, 3 days

5
4
0 / 0

Integrating WADL into webapp running in Wildfly 11

by Simon Poet

Hi, I have started putting together some JAX-RS endpoints for my app. I would like to have a WADL for the whole app. So following the User Guide I have added the following dependencies to my pom <dependency> <groupId>org.jboss.resteasy</groupId> <artifactId>resteasy-jaxrs</artifactId> <version>3.0.24.Final</version> <scope>provided</scope> </dependency> <dependency> <groupId>org.jboss.resteasy</groupId> <artifactId>resteasy-wadl</artifactId> <version>3.0.24.Final</version> </dependency> <dependency> <groupId>org.jboss.resteasy</groupId> <artifactId>resteasy-wadl-undertow-connector</artifactId> <version>3.0.24.Final</version> </dependency> <dependency> <groupId>org.jboss.resteasy</groupId> <artifactId>resteasy-undertow</artifactId> <version>3.0.24.Final</version> </dependency> I have put in place a simple class to enable the JAX-RS endpoints @ApplicationPath("/") public class RestApp extends Application { } The JAX-RS end points are working as expected. When I try the wadl endpoint /application.xml. I get the following : <application xmlns="http://wadl.dev.java.net/2009/02"/> So it looks like I am missing the endpoints from the WADL I have overridden the json serialization/deserialization so that it uses Gson I see a code example in the user guide UndertowJaxrsServer server = new UndertowJaxrsServer().start(); WadlUndertowConnector connector = new WadlUndertowConnector(); connector.deployToServer(server, MyApp.class); Do I need to add this code somewhere? Thanks in advance Cheers, Simon -- Simon Poet Software Developer Miles33

7 years, 6 months

2
4
0 / 0

← Newer
1
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

resteasy March 2018