XSD Validator works in JBoss Fuse, not in Eclipse
Environment
- JBoss Fuse 6.0
Issue
I have developed a Camel route in which there is an XSD validation.
When the route is deployed under JBoss Fuse, it works.
But when I try to unit test it from Eclipse, I have the following exception and the route doesn't start:
org.xml.sax.SAXParseException; lineNumber: 1781; columnNumber: 82; Current configuration of the parser doesn't allow a maxOccurs attribute value to be set greater than the value 5 000.
Resolution
In some scenarios and for testing purposes the secure processing feature can be turned off by calling the setFeature method on factories. The following code turns the feature off:
import javax.xml.XMLConstants;
import javax.xml.validation.SchemaFactory;
import org.apache.camel.ContextTestSupport;
import org.apache.camel.component.validator.ValidatorComponent;
import org.apache.camel.impl.JndiRegistry;

// The enclosing class name is hypothetical; use your own test class.
public class CustomSchemaFactoryTest extends ContextTestSupport {

    // Need to bind the custom SchemaFactory in the registry
    @Override
    protected JndiRegistry createRegistry() throws Exception {
        JndiRegistry registry = super.createRegistry();
        SchemaFactory mySchemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // Turn secure processing off for this test-only factory
        mySchemaFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false);
        registry.bind("MySchemaFactory", mySchemaFactory);
        return registry;
    }

    // Just inject the SchemaFactory we want through the schemaFactory option
    public void testCustomSchemaFactory() throws Exception {
        ValidatorComponent v = new ValidatorComponent();
        v.setCamelContext(context);
        v.createEndpoint("validator:org/apache/camel/component/validator/unsecuredSchema.xsd?schemaFactory=#MySchemaFactory");
    }
}
Root Cause
JAXP has a secure processing feature which instructs JAXP components such as parsers, transformers and so on to behave in a secure fashion. The secure processing feature is turned on by default and places a couple of limits on DOM and SAX parsers, such as "entityExpansionLimit" and "elementAttributeLimit". In addition to these limits, a new maxOccurs limit is added to the validating parser. It exists because XML Schema constructs such as xsd:sequence can use space (memory) proportional to the value of minOccurs/maxOccurs. This may cause the VM to run out of memory, or simply run for a very long time. To prevent potential attacks that exploit this behavior, secure processing can be enabled on a factory as follows:
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
NOTE: JBoss Fuse uses Apache Xerces as its JAXP implementation, overriding Oracle's JAXP implementation by placing the jar in the lib/endorsed directory, and Xerces doesn't have the maxOccurs security check so far.
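The following added example (not part of the original article or of Camel) reports which SchemaFactory implementation is on the classpath and whether it enforces the maxOccurs limit, which is the difference between the Fuse and Eclipse runs described above. The class name MaxOccursLimitDemo and the inline schema are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.SAXException;

// Added example: class name and schema are constructed, not taken from the article.
public class MaxOccursLimitDemo {

    // Constructed schema: maxOccurs is just above the limit quoted in the exception.
    // The sequence holds two particles so the bounded element is not the only one.
    static final String XSD =
        "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema'>"
      + "<xs:element name='orders'><xs:complexType><xs:sequence>"
      + "<xs:element name='customer' type='xs:string'/>"
      + "<xs:element name='order' type='xs:string' minOccurs='0' maxOccurs='5001'/>"
      + "</xs:sequence></xs:complexType></xs:element></xs:schema>";

    // Returns null if the schema compiles, otherwise the parser's error message.
    static String compile(boolean secureProcessing) {
        try {
            SchemaFactory f = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secureProcessing);
            f.newSchema(new StreamSource(new StringReader(XSD)));
            return null;
        } catch (SAXException e) {
            return e.getMessage();
        }
    }

    static String describe(String error) {
        return error == null ? "schema accepted" : "schema rejected: " + error;
    }

    public static void main(String[] args) {
        SchemaFactory probe = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        System.out.println("SchemaFactory implementation: " + probe.getClass().getName());
        String secureOn = compile(true);
        System.out.println("secure processing on : " + describe(secureOn));
        System.out.println("secure processing off: " + describe(compile(false)));
        if (secureOn == null) {
            // Matches the NOTE above: this implementation has no maxOccurs check.
            System.out.println("This JAXP implementation does not enforce the maxOccurs limit.");
        }
    }
}
```

Running it once inside the unit-test classpath and once against the container's endorsed jars shows which environment actually applies the limit before you decide to switch secure processing off for a test.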
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
