Is it possible to prevent an XXE attack on a web service deployed on JBoss 4.2 somehow? The WS is defined by annotation. I cannot find any configuration to disable support for external entities and DTDs.
In this post (Prevent XXE Attack with JAXB) there is a solution for parsing SOAP in a servlet, but I need something for an annotated WS.
After long hours of debugging JBoss's code I've found a fix for the XXE attack on JBoss 4.2.2.
In DOMUtils.class (located in jbossws-common.jar) I've added extra features to the DocumentBuilderFactory instance:
// do not resolve external general entities (<!ENTITY x SYSTEM "...">) referenced from content
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
// do not resolve external parameter entities (<!ENTITY % x SYSTEM "...">) used inside the DTD
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// do not fetch the external DTD named in the DOCTYPE declaration (Xerces-specific feature)
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
It solves the problem.
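To check that a DocumentBuilderFactory configured with these three features really stops resolving external entities, here is a stand-alone Java program (an added example, not the answer's patch to DOMUtils nor any jbossws code). It parses a constructed SOAP envelope whose DTD declares an external entity pointing at a placeholder URI and verifies that the entity reference expands to nothing; the class and method names are assumptions for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

public class HardenedSoapParserCheck {

    // Constructed sample: a SOAP envelope whose internal DTD subset declares an
    // external general entity. The SYSTEM URI is a placeholder, not a real path.
    static final String SAMPLE_SOAP =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE Envelope [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-path\">]>\n"
      + "<Envelope xmlns=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<Body><echo><arg>&ext;</arg></echo></Body></Envelope>";

    // The same three features the answer adds to the factory in DOMUtils.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return factory;
    }

    // Parses the envelope and returns the text inside <arg>. With the hardened
    // factory the unresolved entity contributes no text, so the result is "".
    public static String parseArg(DocumentBuilderFactory factory, String xml) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagNameNS("*", "arg").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        String arg = parseArg(hardenedFactory(), SAMPLE_SOAP);
        System.out.println("external entity expanded to: '" + arg + "'");
        if (!arg.isEmpty()) {
            throw new IllegalStateException("parser still resolves external entities");
        }
        System.out.println("OK: external entity was not resolved");
    }
}
```

Running the same check against a plain `DocumentBuilderFactory.newInstance()` without the three features is a quick way to confirm, on a given JBoss/Xerces version, that the default parser does attempt the resolution and the patched one does not.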