I just found this question in my mailbox - sorry it took so long.
By default, Resteasy is configured to avoid a variety of security
problems, including XXE. For example, it sets
"http://javax.xml.XMLConstants/feature/secure-processing" to "true" by
Removing application/xml would be difficult, since it's one of the media
types that the JAX-RS spec requires support for.
Note that implementations of Xerces, the XML parser, get more secure
over time, guarding against more and more possible attacks. There's a
version of Xerces in the JDK, so using a newer JDK, if you can, isn't a
On 07/12/2017 10:49 PM, Wang Veronica wrote:
We use resteasy 3.0.6final, and XXE vulnerability was reported during penetration test.
Seems that 3.0.6final contains partial fix for XXE vulnerability, but need to set
resteasy.document.expand.entity.references parameter to false explicitly. A more complete
fix seems to have been done after 3.0.10.
We can upgrade to a more recent version, e.g. 3.1.2. Another option I am thinking is not
to support XML Media type (we actually need to support json only). Is this a feasible
approach to ultimately avoid XXE attack and any pointers to achieve this? (In our REST API
code, we currently declare consume and produce annotations to support application/xml and
Is there a simple resteasy configuration to disable support of application/xml?
resteasy mailing list
My company's smarter than your company (unless you work for Red Hat)