Bug 1382321

Summary: Mention danger of XXE attack if some resteasy parameters are set to non default values
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Katerina Odabasi <kanovotn>
Component: DocumentationAssignee: sgilda
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.4.10CC: ahoffer, eap-docs, sgilda, sjay
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-05-02 12:25:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Katerina Odabasi 2016-10-06 11:07:42 UTC 
Document URL: 
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/html-single/Development_Guide/index.html#sect-JAX-RS_Web_Service_Security

Section Number and Name: 
15.6. JAX-RS Web Service Security

Describe the issue: 
Resteasy has three parameters which are protection against XML external entity attack.
These parameters are have default values set in a way that resteasy is protected against it.

This chapter shoul contain warning that changing default values of these three parameters may cause REST application to be potentially vulnerable against XXE attack.

The mentioned parameters are:

    resteasy.document.expand.entity.references
    resteasy.document.secure.processing.feature
    resteasy.document.secure.disableDTDs
    (all documented in A.2. RESTEasy Configuration Parameters chapter)


Suggestions for improvement: 

Additional information:
Comment 1 sgilda 2017-01-05 20:11:44 UTC 
@nchauda fixed this for 7.1. I will apply the same fix to 6.4.
Comment 6 sgilda 2017-02-15 16:41:28 UTC 
This update is to the Development Guide.
Comment 7 sgilda 2017-02-17 00:12:43 UTC 
Content is updated on the portal here: https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/html-single/Development_Guide/index.html#Enable_Role-Based_Security_for_a_RESTEasy_JAX-RS_Web_Service