
CXF web service client: "Cannot create a secure XMLInputFactory"

I wrote and deployed a CXF web service into a Tomcat server using the instructions here. The web service deploys fine as I can see the WSDL file in a web browser.

My standalone Java client program doesn't work though. Here is the code:

    System.out.println("Creating client");
    Properties properties = System.getProperties();
    properties.put("org.apache.cxf.stax.allowInsecureParser", "1");
    System.setProperties(properties);
    JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
    factory.setServiceClass(ExampleWebService.class);
    factory.setAddress("http://X.X.X.X:9090/WebServices/ExampleWebService");
    ExampleWebService exampleWebService = (ExampleWebService)factory.create();
    System.out.println("Done creating client");
    exampleWebService.method1("test");
    System.out.println("After calling method1");

I copied all the jar files (including the woodstox-core-asl-4.2.0.jar file) from the CXF 2.7.7 distribution into the client program's classpath, and when I run the client I get the following exception:

    Creating client
    Nov 20, 2013 8:05:26 PM org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromClass
    INFO: Creating Service {http://webservices.server/}ExampleWebServiceService from class server.webservices.ExampleWebService
    Done creating client
    javax.xml.ws.soap.SOAPFaultException: Cannot create a secure XMLInputFactory
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:157)
        at $Proxy38.printString(Unknown Source)
        at ExampleNmsWebServiceClient.printString(ExampleNmsWebServiceClient.java:29)
        at ExampleNmsWebServiceClient.main(ExampleNmsWebServiceClient.java:40)
    Caused by: org.apache.cxf.binding.soap.SoapFault: Cannot create a secure XMLInputFactory
        at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:84)
        at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:51)
        at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:40)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
        at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:113)
        at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
        at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
        at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:835)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1606)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1502)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1309)
        at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
        at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:627)
        at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)
        ... 3 more

I found a page saying the "Cannot create a secure XMLInputFactory" can be fixed by setting the org.apache.cxf.stax.allowInsecureParser property to "1", which is why I tried to set it in the System properties, but that didn't work. I also tried to add -Dorg.apache.cxf.stax.allowInsecureParser=1 to the java command that runs the client, but that didn't work either. (Nor did setting it to "true" instead of 1.) Any ideas on how to solve this error?

pacoverflow asked Nov 21 '13 07:11


2 Answers

Had this problem when upgrading from CXF 2.3.x to 2.7.x

Added stax2-api and woodstox-core-asl jars from the 2.7.x CXF distribution and the webservice works again.

Lund Wolfe answered Oct 06 '22 00:10


Since version 2.7.4, CXF added a feature in order to ensure that the XMLInputFactory is secured and loaded from woodstox (>= 4.2.x packages, see StaxUtil implementation) in order to deal with a Denial of Service vulnerability.

But the fact is that in a J2EE environment, by default, webservices-rt.jar has the priority over war libs (and then over the woodstox jar). That is why the non-secure implementation is loaded, triggering the exception.

Turning off the org.apache.cxf.stax.allowInsecureParser property is not an option as it brings back the DoS vulnerability.

In order to make the class loader prefer woodstox (ear/war lib) over webservices-rt.jar (j2ee lib), the solution depends on your application server and is described in CXF application server specific configuration guide.

yunandtidus answered Oct 06 '22 00:10
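
A classpath check for the situation this answer describes, as an added example that is not part of the original answer or of CXF: it lists the StAX provider registrations the class loader sees and reports which XMLInputFactory implementation wins and which jar it came from. The class name StaxFactoryCheck is hypothetical, and the Woodstox property name is used only as a capability probe that approximates, rather than reproduces, CXF's own check.

```java
import java.net.URL;
import java.security.CodeSource;
import java.util.Collections;
import javax.xml.stream.XMLInputFactory;

// Hypothetical diagnostic class (not part of CXF). Run it with the same
// classpath as the JVM that reports "Cannot create a secure XMLInputFactory".
public class StaxFactoryCheck {

    // Woodstox input-limit property, used here only to probe whether the
    // loaded factory can enforce document limits at all.
    static final String DEPTH_LIMIT = "com.ctc.wstx.maxElementDepth";

    public static void main(String[] args) throws Exception {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        if (cl == null) {
            cl = ClassLoader.getSystemClassLoader();
        }

        // Every StAX provider registration visible to this class loader,
        // in the order the loader returns them (container jars vs. war libs).
        String service = "META-INF/services/" + XMLInputFactory.class.getName();
        for (URL entry : Collections.list(cl.getResources(service))) {
            System.out.println("provider entry: " + entry);
        }

        // The implementation the standard StAX lookup actually selects.
        XMLInputFactory factory = XMLInputFactory.newInstance();
        Class<?> impl = factory.getClass();
        CodeSource source = impl.getProtectionDomain().getCodeSource();
        System.out.println("implementation: " + impl.getName());
        System.out.println("loaded from:    "
                + (source == null ? "JDK / bootstrap class path" : source.getLocation()));

        boolean isWoodstox = impl.getName().startsWith("com.ctc.wstx.");
        boolean hasLimits = factory.isPropertySupported(DEPTH_LIMIT);
        System.out.println("woodstox:       " + isWoodstox);
        System.out.println("depth limit:    " + hasLimits);

        // Non-zero exit lets a deployment script fail fast on a bad classpath.
        if (!isWoodstox || !hasLimits) {
            System.exit(1);
        }
    }
}
```

If the reported implementation is not under com.ctc.wstx, or the jar location is a container library rather than the application's own lib directory, the class loader ordering described in the answer is the thing to change, not the allowInsecureParser property.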