How to disable XXE in Quarkus Apache CXF Version 3.4.5? - jaxb

I am using
<dependency>
<groupId>io.quarkiverse.cxf</groupId>
<artifactId>quarkus-cxf</artifactId>
<version>0.11.0</version>
</dependency>
and as far as I know Apache CXF uses as XML Parser JAXB . so far so good.
In my company we use Quarkus on top of Apache CXF .
QuarkusClientFactoryBean quarkusClientFactoryBean =
new QuarkusClientFactoryBean(List.of(objectFactories));
I need to prevent attacks . So I want disable XXE and also limit number of read XML lines.
Somehow I do not know how to do this in quarkus. In normal JAXB it would be easy.
Can someone help me ?

Related

Using com.sun.faces with Jakarta EE

I'm trying to upgrade a legacy Java EE application to Jakarta EE 8 on a Wildfly server. Most of the upgrade has gone smoothly since 8 doesn't swap the package names to jakarta yet. However, some of our code is using classes from Oracle's com.sun.faces package. These classes appear to be included in the Jakarta EE Faces API specification, but they are not included in our project when I use the following Maven dependency:
<dependency>
<groupId>jakarta.faces</groupId>
<artifactId>jakarta.faces-api</artifactId>
<version>2.3.2</version>
<scope>provided</scope>
</dependency>
To get these in the classpath, I have to use the Oracle dependency:
<dependency>
<groupId>com.sun.faces</groupId>
<artifactId>jsf-impl</artifactId>
<version>2.2.20</version>
<scope>provided</scope>
</dependency>
Obviously, we want to ditch using this package altogether at some point, but I was hoping there was a way to include this in our Jakarta migration.
The com.sun.faces.* is not part of Jakarta EE API. It's part of the Jakarta EE implementation. More precisely, it's the actual JSF implementation. Its name is "Mojarra".
You should indeed not need to have a dependency on it in your pom.xml in order to be JEE-implementation-independent (i.e. in order to be able to deploy your webapp to any JEE-compatible server without any code changes). If the code however doesn't compile when you remove it, then you apparently have somewhere a hard dependency on it, e.g. a hardcoded import or superclass referring to com.sun.faces.* package. This is indeed usually not correct.
The solution should be straight forward:
Remove that Mojarra dependency
Find all compilation errors
Fix them one by one by using the standard JSF API approach
If no one could be found, research or ask on Stack Overflow

Dynamically changing log level in log4j version 1 and bridge to version 2

I'm currently working on an application which wants to dynamically change the log level of a next java application (is running on the localhost). This external application uses log4j version 1.2.16. I want to use jmx, find all "LoggerConfigAdminMBean" and change level.
In specification (visit https://logging.apache.org/log4j/2.0/manual/jmx.html) is mentioned that it is possible with the log4j 2.
Because I do not want to do much changes in the external application, so I only changed log4j1.2.16.jar by log4j1.2bridge.jar (visit https://logging.apache.org/log4j/2.x/log4j-1.2-api/index.html). But the result of this change is empty list of LoggerConfigAdminMBean.
Is the Jmx MBeans feature completely activated by using log4j 1.2 bridge jar and is there some way to get list of LoggerConfigAdminMBean full or is it possible only by migration from log4j1 to log4j2 version?
Thank you very much for the answers.
You should use these 2 dependencies:
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-slf4j-impl</artifactId>
<version>2.11.1</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-1.2-api</artifactId>
<version>2.11.1</version>
</dependency>
And adapt log4j.properties, which must be placed in the project´s classpath. See: https://logging.apache.org/log4j/2.x/manual/configuration.html#Properties

what all are the jar dependencies for apache POI for read and write to excel or xls?

i am getting runtime with error like java.lang.NoClassDefFoundError: org/apache/xmlbeans/XmlObject because of missing xmlbeans.jar dependency.
i need to work with XLS, DOC and .PPT formats.
Can somebody suggest the important JARs for the apache POI?
The dependencies of Apache POI are fully described on the Apache POI website here.
That table (which I won't reproduce here as you'll want to check the latest version on the POI website) details, for each component you want to use, what the dependencies are.
If you download the latest Apache POI binary release (.tar.gz or .zip), you'll find all the dependency jars you need contained within that. Check the components and dependencies page to see which ones you'll need for your use.
Alternately, manually handling dependencies is rather 1990s. You'd be much better off using a tool like Gradle or Apache Maven to handle it for you, then they'll pick up the project-supplied metadata to grab the dependencies you need.
Detail of the Maven / Gradle artifacts for Apache POI are also given on the Components page on the POI website
For Apache POI you need these two combination.
<dependency>
<groupId>org.apache.poi</groupId>
<artifactId>poi</artifactId>
<version>3.12</version>
</dependency>
<dependency>
<groupId>org.apache.poi</groupId>
<artifactId>poi-ooxml</artifactId>
<version>3.12</version>
</dependency>

spring integration sftp java dsl : cannot resolve method handleWithAdapter

I'm follow this docs this docs
and add maven depency:
<dependency>
<groupId>org.springframework.integration</groupId>
<artifactId>spring-integration-sftp</artifactId>
<version>5.0.0.M6</version>
</dependency>
<dependency>
<groupId>org.springframework.integration</groupId>
<artifactId>spring-integration-java-dsl</artifactId>
<version>1.2.3.RELEASE</version>
</dependency>
But it cannot resolve these method:
does I miss anything?
Starting with Spring Integration 5.0, whole Java DSL project is merged to the core project. So, you don't need that extra spring-integration-java-dsl dependency anymore. More over it isn't compatible with Spring Integration 5.0.
There is no any more such a handleWithAdapter() since there is no single entry point because all the namespace factories are distributed between appropriate modules.
So, right now you have to do this:
.handle(Sftp.outboundGateway(...))
See Migration Guide for more info.
And also follow back to the past from release blog post.

Is it possible (and viable) to use Oracle ADF alongside JSF2 with Facelets?

I am searching the web for information regarding the usage of Oracle ADF as a component suite (and not as a development framework), alongside vanilla JSF (2.0).
I am working with a client that insists the solution uses the Oracle ADF UI components. The rest of the Fusion Middleware, however, can be completely skipped for all he cares. Therefore, I'd like to stay as close to the Java EE-JSF2 blueprints as possible, and only resort to ADF as a UI component library, as one would with PrimeFaces, for example.
So, the question - is it possible? Does ADF imposes limitations/dependencies that would prevent this scenario? Can we use it solely as a component library, or must we depend on its heavyweight framework to make them work?
It does not work; at least, not as one would expect. In short: ADF does indeed support JSF2 and Facelets, and they coexist nicely in a single application. As long as you don't mix them together.
I intended to use ADF as a component library, in a way similar to how one uses PrimeFaces or RichFaces: you add the correct dependencies, config what needs to be configured, and you're good to go. When Oracle says that ADF supports JSF2 and Facelets, this is the scenario that one would assume.
To start, you cannot use ADF components outside of a <af:document /> tag (or trinidad's counterpart); which means that content outside this tag is ignored, reducing the ability to use Facelets to a minimum. So, you'll hardly have any Facelets code on the same page where ADF components reside.
JSF + CDI integration is only available through the Mojarra implementation. Using MyFaces (the base for the current ADF version), one might make it work through updating the MyFaces jars and adding CODI, but it does not work out-of-the-box and I did not take the time to investigate it further.
To add to that, for layout management, you're stuck with the ADF way (through pageTemplateDef and pageTemplate tags), since mixing in Facelets is difficult due to the dependency on the document tag. So you see, Facelets support is there, "standard" JSF2 pages can exist in a ADF application - but to use ADF's components, you need to be in an ADF page.
To anyone that might be interested, once you populate your local maven repository using JDeveloper (as per the techniques suggested on the comments in the original question), the minimal dependencies to have ADF UI components in a web application (war) that can be run on WebLogic 12c or Glassfish with ADF essentials, are the following:
<dependency>
<groupId>javax</groupId>
<artifactId>javaee-web-api</artifactId>
<version>6.0</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.oracle.adf</groupId>
<artifactId>trinidad-api</artifactId>
<version>12.1.2-0-0</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.oracle.adf</groupId>
<artifactId>trinidad-impl</artifactId>
<version>12.1.2-0-0</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.oracle.adf</groupId>
<artifactId>adf-richclient-api-11</artifactId>
<version>12.1.2.0.40.66.34</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.oracle.adf</groupId>
<artifactId>adf-richclient-impl-11</artifactId>
<version>12.1.2.0.40.66.34</version>
<scope>provided</scope>
</dependency>
You'll also need to add several other configuration files:
WEB-INF/adfc-config.xml
META-INF/adf-config.xml
META-INF/connections.xml
META-INF/wsm-assembly.xml
Along with further ADF boilerplate configuration on faces-config.xml and web.xml files.
So, the answer so far is:
Is it possible (to use ADF as a component library)? Yes.
Are there any limitations? There's no CDI (out of the box), and limited Facelets support. JSF2 ajax capabilities cannot be used within a ADF document - you must resort to the ADF partial page rendering, but JSF2 custom components and any ClientBehavior you may code work fine.
Is it worth the hassle? No.
Couple of months ago, Oracle ADF was supporting only JSF 1.2.
But with the release of JDeveloper 12c there are lots of new features and improvements over the IDE and over the Oracle ADF, for which there is JSF 2.0 Support now.
So, to answer your question - yes, you can use Oracle ADF with JSF2/Facelets.
If you just want a WAR through Maven do this (In JDeveloper 12c):
New Application -> Custom Application
Add the ADF Faces technology (shuttle to the right).
In the last step of the wizard choose "Use Maven".

Resources