Hello,

I've bumped into the "Cannot create a secure XMLInputFactory" issue.

The reason is probably this one (copied from Stack Overflow):

*******************
Since version 2.7.4, CXF added a feature in order to ensure that the
XMLInputFactory is secured and loaded from woodstox (>= 4.2.x packages, see
StaxUtil implementation) in order to deal with a Denial of Service
vulnerability.

But the fact is that in a J2EE environment, by default, webservices-rt.jar
has priority over the war libs (and thus over the woodstox jar). That is
why the non-secure implementation is loaded, triggering the exception.

Turning off the org.apache.cxf.stax.allowInsecureParser property is not an
option as it brings back the DoS vulnerability.

In order to make the class loader prefer woodstox (ear/war lib) over
webservices-rt.jar (j2ee lib), the solution depends on your application
server and is described in the CXF application server specific configuration
guide.
*******************

Unfortunately, there's no advice for Tomcat in the mentioned guide.
Does anybody have an idea?

Many thanks,
 Petr

P.S. Stack Overflow link:
http://stackoverflow.com/questions/20114945/cxf-web-service-client-cannot-create-a-secure-xmlinputfactory
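
A diagnostic for the class-loading conflict described in the quoted text, as an added example that is not part of the original message and not CXF or Tomcat code: it reports which `XMLInputFactory` implementation the current class loader actually resolves, which jar it came from, and every StAX provider file visible on the class path. The class name `StaxProviderCheck` is hypothetical, and the Woodstox property name `com.ctc.wstx.maxAttributesPerElement` is an assumption about the limit setting a hardened parser must accept.

```java
import java.io.IOException;
import java.net.URL;
import java.security.CodeSource;
import java.util.Collections;
import javax.xml.stream.XMLInputFactory;

public final class StaxProviderCheck {
    // Service file consulted by the StAX factory lookup.
    static final String SERVICE =
        "META-INF/services/javax.xml.stream.XMLInputFactory";
    // Assumed name of a Woodstox input limit; a parser that does not
    // support it cannot be given that limit.
    static final String WSTX_LIMIT = "com.ctc.wstx.maxAttributesPerElement";

    public static String report() throws IOException {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        if (cl == null) {
            cl = ClassLoader.getSystemClassLoader();
        }
        // Same lookup an application gets when it asks for a StAX parser.
        XMLInputFactory factory = XMLInputFactory.newInstance();
        Class<?> impl = factory.getClass();
        CodeSource src = impl.getProtectionDomain().getCodeSource();

        StringBuilder out = new StringBuilder();
        out.append("implementation : ").append(impl.getName()).append('\n');
        out.append("loaded from    : ")
           .append(src == null ? "JDK runtime (no code source)"
                               : String.valueOf(src.getLocation()))
           .append('\n');
        out.append("is Woodstox    : ")
           .append(impl.getName().startsWith("com.ctc.wstx.")).append('\n');
        out.append("accepts limit  : ")
           .append(factory.isPropertySupported(WSTX_LIMIT)).append('\n');
        // Every jar that registers a StAX provider, in class loader order.
        // More than one entry means implementations are competing.
        for (URL u : Collections.list(cl.getResources(SERVICE))) {
            out.append("provider file  : ").append(u).append('\n');
        }
        return out.toString();
    }

    public static void main(String[] args) throws IOException {
        System.out.print(report());
    }
}
```

Call `report()` from inside the web application (for example from a servlet) so that the context class loader is the one the application really uses; running `main` from a plain command line only shows the JDK's view.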




