The classes for a fairly simple test case to replicate the issue is given below:
@XmlRootElement
public class AbcMessage {
@XmlElement(required = true)
private String message;
public AbcMessage() { }
public AbcMessage(String message)
{
this.message = message;
}
public String getMessage()
{
return message;
}
}
@Path("/")
public class AbcServiceImpl {
@POST
public void postMessage(AbcMessage message)
{
System.out.println(message.getMessage());
}
}
And it's also key to have the following package-info.java file in the same package as the AbcMessage:
@javax.xml.bind.annotation.XmlSchema(namespace = "http://abc.com",
elementFormDefault = javax.xml.bind.annotation.XmlNsForm.QUALIFIED)
package com.test.abc;
Here's the web.xml:
<web-app>
<servlet-mapping>
<servlet-name>javax.ws.rs.core.Application</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<context-param>
<param-name>resteasy.document.expand.entity.references</param-name>
<param-value>false</param-value>
</context-param>
<context-param>
<param-name>resteasy.expand.entity.references</param-name>
<param-value>false</param-value>
</context-param>
</web-app>
If the package-info.java file is removed, the POSTs succeed. (the package-info's are created by xjc, so it is valid for them to be there)
Alternatively, if the expand.entity.references settings are set to true, the POSTs also succeed (but that introduces the XXE vulnerability).
I have a fix prepared, which is to fix a problem in the ExternalEntityUnmarshaller class, which is used when expand.entity.references is false.
In the public unmarshal(Source, Class<T>) method, I add another setFeature to the created xmlReader:
xmlReader.setFeature( "http://xml.org/sax/features/namespaces", true);
The xmlReader is then namespace aware and the JAXBUnmarshalException is not thrown any more.
(I originally raised the question on the WildFly forums, but at the time I did not have a simple test case to replicate the problem).
Bug
Major
