java.lang.RuntimeException: Cannot create a secure XMLInputFactory when deploying on Glassfish

Notice: this page reproduces a popular StackOverflow question under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same license, cite the original URL and author information, and attribute it to the original authors (not me). Original StackOverflow URL: http://stackoverflow.com/questions/27035304/

Time: 2020-11-02 11:06:07  Source: igfitidea

Tags: java, maven, glassfish, cxf

Asked by Gabriel Sanmartin

I have a web services app developed using CXF 2.7.13. When I deploy on my local Tomcat instance, everything works, but when switching to a glassfish 4 instance, I get the following exception:

java.lang.RuntimeException: Cannot create a secure XMLInputFactory
    at org.apache.cxf.staxutils.StaxUtils.createXMLInputFactory(StaxUtils.java:315)
    at org.apache.cxf.staxutils.StaxUtils.getXMLInputFactory(StaxUtils.java:265)
    at org.apache.cxf.staxutils.StaxUtils.createXMLStreamReader(StaxUtils.java:1701)
    at org.apache.cxf.interceptor.StaxInInterceptor.handleMessage(StaxInInterceptor.java:123)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:241)
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
    at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1682)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:318)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:160)
    at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)
    at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174)
    at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:357)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:260)
    at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:188)
    at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:191)
    at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:168)
    at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:189)
    at org.glassfish.grizzly.filterchain.ExecutorResolver.execute(ExecutorResolver.java:119)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:288)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:206)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:136)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:114)
    at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
    at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:838)
    at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:113)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:115)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access0(WorkerThreadIOStrategy.java:55)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:135)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:564)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:544)
    at java.lang.Thread.run(Thread.java:722)]]

From what I've read, it seems Woodstox api (woodstox-core-asl.jar) dependency from CXF is conflicting with glassfish's own version of the library. CXF uses Woodstox 4.4.1 while my glassfish 4 instance, I've checked, uses 4.1.2.

So my first attempt was to try and exclude CXF's dependency and declare my own Woodstox 4.1.2 dependency on my POM in order for everyone to use the same version. But this didn't solve the problem.

I also tried straight up removing this dependency from my POM and checked it's not included in the WAR before deploying, also to no avail (same exception).

I've only managed to deploy on glassfish by removing the .jar from the modules dir of the server, but this is something I cannot do on my production servers, by requirement.

Is there anything else I can try?

Answered by Gabriel Sanmartin

It was so easy and I am ashamed I've spent 5 hours trying to solve with maven while it was on the official documentation page (http://cxf.apache.org/docs/application-server-specific-configuration-guide.html):

CXF Interceptors will not work in Glassfish without this sun-web.xml file to configure the classloader. By default, Glassfish will use Metro for JAX-WS services so the classloader needs to be configured to allow CXF libraries to provide JAX-WS services. The following sun-web.xml xml source was added to /WEB-INF to resolve this issue:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC
    '-//Sun Microsystems, Inc.//DTD Application Server 9.0 Servlet 2.5//EN'
    'http://www.sun.com/software/appserver/dtds/sun-web-app_2_5-0.dtd'>
<sun-web-app>
    <!-- delegate="false": the web app's own libraries (WEB-INF/lib) are tried before the server's -->
    <class-loader delegate="false"/>
</sun-web-app>

Answered by aamir

I was facing the same issue but deploying it to WebSphere, and after a few hours of research figured out the exact version for woodstox, i.e. below

<dependency>
    <groupId>org.codehaus.woodstox</groupId>
    <artifactId>woodstox-core-asl</artifactId>
    <version>4.2.0</version>
</dependency>

This link (https://bugs.eclipse.org/bugs/show_bug.cgi?id=409070) also helped to figure it out.

Answered by SpaceTrucker

Please prefer to implement kelmer's answer to not open security holes!

Depending on the security requirements of your application you could use the org.apache.cxf.stax.allowInsecureParser option.

From the documentation

There is a "org.apache.cxf.stax.allowInsecureParser" System Property that can be set to true to allow using an insecure parser, but that is HIGHLY not recommended

But I think you are better off consulting the glassfish documentation on how to override/exclude system libs for specific deployments.

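
Before reaching for allowInsecureParser, it helps to see which StAX implementation the deployment actually resolves and whether it accepts Woodstox's input limits. The following diagnostic is an added example, not code from the question, the answers or CXF; the class name StaxFactoryProbe is hypothetical, and the property keys are Woodstox's own input-limit settings.

```java
import javax.xml.stream.XMLInputFactory;
import java.security.CodeSource;

/** Added diagnostic (hypothetical class name): shows which StAX parser the web app resolves. */
public class StaxFactoryProbe {

    // Woodstox input-limit property keys (available from Woodstox 4.2).
    private static final String[] LIMIT_PROPS = {
        "com.ctc.wstx.maxAttributesPerElement",
        "com.ctc.wstx.maxAttributeSize",
        "com.ctc.wstx.maxChildrenPerElement",
        "com.ctc.wstx.maxElementCount",
        "com.ctc.wstx.maxElementDepth",
        "com.ctc.wstx.maxCharacters",
        "com.ctc.wstx.maxTextLength"
    };

    public static String describe(XMLInputFactory factory) {
        Class<?> impl = factory.getClass();
        CodeSource src = impl.getProtectionDomain().getCodeSource();
        Package pkg = impl.getPackage();
        StringBuilder out = new StringBuilder();
        out.append("implementation: ").append(impl.getName()).append('\n');
        // A null code source means the class came from the JDK itself (bootstrap loader).
        out.append("loaded from:    ").append(src == null ? "JDK (bootstrap)" : src.getLocation()).append('\n');
        out.append("version:        ").append(pkg == null ? null : pkg.getImplementationVersion()).append('\n');
        out.append("class loader:   ").append(impl.getClassLoader()).append('\n');
        for (String prop : LIMIT_PROPS) {
            out.append(String.format("%-40s %s%n", prop, accepts(factory, prop) ? "supported" : "NOT supported"));
        }
        return out.toString();
    }

    // Try to set the limit on this throwaway factory; parsers that do not know the key throw.
    private static boolean accepts(XMLInputFactory factory, String prop) {
        try {
            factory.setProperty(prop, 1000);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Call describe() from inside the deployed application (e.g. a servlet) to see the container's view.
        System.out.println(describe(XMLInputFactory.newInstance()));
    }
}
```

A factory loaded from the server's modules directory rather than WEB-INF/lib, or limits reported as NOT supported, points to the classloader and version conflict discussed in the answers.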