Document URL: https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/html-single/Development_Guide/index.html#sect-JAX-RS_Web_Service_Security

Section Number and Name: 15.6. JAX-RS Web Service Security

Describe the issue: RESTEasy has three parameters which protect against XML external entity (XXE) attacks. These parameters have default values set in a way that RESTEasy is protected against it. This chapter should contain a warning that changing the default values of these three parameters may cause a REST application to be potentially vulnerable to XXE attacks. The mentioned parameters are:

resteasy.document.expand.entity.references
resteasy.document.secure.processing.feature
resteasy.document.secure.disableDTDs

(all documented in the A.2. RESTEasy Configuration Parameters chapter)

Suggestions for improvement:

Additional information:
@nchauda fixed this for 7.1. I will apply the same fix to 6.4.
This update is to the Development Guide.
Content is updated on the portal here: https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/html-single/Development_Guide/index.html#Enable_Role-Based_Security_for_a_RESTEasy_JAX-RS_Web_Service
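
A deployment check for the three parameters named in the report, as an added example that is not part of the original ticket or of Red Hat's documentation. It scans a web.xml for context-param entries that move any of them away from its protective value; the protective values in SAFE_VALUES are an assumption taken from RESTEasy's documented defaults (the ticket does not list them), and the function name and sample descriptor are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Protective values for the three parameters named in the report.
# Assumption: these match RESTEasy's documented defaults; the report
# itself does not state the values.
SAFE_VALUES = {
    "resteasy.document.expand.entity.references": "false",
    "resteasy.document.secure.processing.feature": "true",
    "resteasy.document.secure.disableDTDs": "true",
}

def local(tag):
    """Strip the XML namespace so descriptors of any Java EE version match."""
    return tag.rsplit("}", 1)[-1]

def audit_web_xml(xml_text):
    """Return [(param, configured, protective)] for each weakened setting."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "context-param":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in elem}
        name = fields.get("param-name", "")
        value = fields.get("param-value", "")
        safe = SAFE_VALUES.get(name)
        # Anything other than the protective value is reported, including
        # unparseable values, so a typo cannot silently weaken the parser.
        if safe is not None and value.lower() != safe:
            findings.append((name, value, safe))
    return findings

# Constructed sample descriptor: one weakened parameter, one left at its
# protective value (in upper case), one unrelated RESTEasy parameter.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <context-param>
    <param-name>resteasy.document.expand.entity.references</param-name>
    <param-value>true</param-value>
  </context-param>
  <context-param>
    <param-name>resteasy.document.secure.disableDTDs</param-name>
    <param-value>TRUE</param-value>
  </context-param>
  <context-param>
    <param-name>resteasy.scan</param-name>
    <param-value>true</param-value>
  </context-param>
</web-app>"""

if __name__ == "__main__":
    for name, value, safe in audit_web_xml(SAMPLE_WEB_XML):
        print(f"WARNING: {name}={value!r} (protective value: {safe})")
```

Parameters absent from web.xml are not reported, since they stay at their defaults.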