I followed the link Prevent XXE Attack with JAXB,
but the Kiuwan tool still reports a very serious vulnerability on the line
xif.createXMLStreamReader(soapHeader.getSource()), so if anyone knows the cause, please help me.
My code is as follows:
// Spring WS: obtain the SOAP header of the incoming message
SoapHeader soapHeader = ((SoapMessage) message).getSoapHeader();
XMLInputFactory xif = XMLInputFactory.newFactory();
// Do not resolve external general entities
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
// Do not process a DOCTYPE at all
xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
// Parse the header through the hardened StAX reader, then hand it to JAXB
XMLStreamReader soapHeaderXsr = xif.createXMLStreamReader(soapHeader.getSource());
unmarshaller.unmarshal(soapHeaderXsr);
Thanks.
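As an added, self-contained example (not the poster's code), the following shows what the two XMLInputFactory properties from the question actually do at parse time: a constructed header carrying a DOCTYPE with an external entity is rejected by the StAX reader before any unmarshalling could happen, while a plain header still parses. It reads from a StreamSource instead of SoapHeader.getSource(), and the SYSTEM path in the sample is a placeholder.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.stream.StreamSource;

public class HardenedStaxDemo {
    // Constructed sample: a header whose DOCTYPE declares an external entity.
    // The SYSTEM identifier is a placeholder, not a real resource.
    static final String HEADER_WITH_DTD =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE h [<!ENTITY ext SYSTEM \"file:///placeholder/path\">]>"
      + "<h>&ext;</h>";
    // Constructed sample: an ordinary header with no DOCTYPE.
    static final String PLAIN_HEADER = "<h>ok</h>";

    // Same two settings as in the question, applied to a fresh factory.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        // External general entities are never fetched
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        // DOCTYPE is not processed, so no entity can be declared at all
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        return xif;
    }

    // Pulls every event from the reader and returns the concatenated text content.
    static String readText(XMLInputFactory xif, String xml) throws XMLStreamException {
        XMLStreamReader r = xif.createXMLStreamReader(new StreamSource(new StringReader(xml)));
        StringBuilder text = new StringBuilder();
        while (r.hasNext()) {
            if (r.next() == XMLStreamConstants.CHARACTERS) {
                text.append(r.getText());
            }
        }
        r.close();
        return text.toString();
    }

    public static void main(String[] args) throws XMLStreamException {
        XMLInputFactory xif = hardenedFactory();
        System.out.println("plain header text: " + readText(xif, PLAIN_HEADER));
        try {
            readText(xif, HEADER_WITH_DTD);
        } catch (XMLStreamException e) {
            // The JDK StAX implementation refuses the document; the entity is never resolved
            System.out.println("header with DTD rejected: " + e.getMessage());
        }
    }
}
```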