Xerces bypass fix startup error
Jeffrey Crawford
jeffreyc at ucsc.edu
Tue Nov 4 13:50:09 EST 2014
Hi Everyone,
Reading the recient security issue it sounds like we can be relitivly safe
if we stay on 2.4.2 but follow the instructions in the "Recommendations"
Section, however after modifying the internal.xml file
----------
<entry>
<key>
<value>http://apache.org/xml/properties/security-manager</value>
</key>
<bean id="shibboleth.XercesSecurityManager"
class="com.sun.org.apache.xerces.internal.util.SecurityManager"/>
</entry>
----------
We get the startup error in the catalina.out file:
----------
Caused by: javax.xml.parsers.FactoryConfigurationError: Provider
org.apache.xerces.jaxp.SAXParserFactoryImpl not found
----------
I've been poking around but have not found any config sections that looks
like it allows me to change that particular class from/to:
org.apache.xerces.jaxp.SAXParserFactoryImpl
com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl
However barring that will the tomcat configuration of not allowing more
than 100k POST sizes also fix the issue until we have a chance to get to
IdPv3? It wasn't clear if the two config changes needed to be made to
mitigate the issue or if the post size reduction would be enough for now.
Jeffrey E. Crawford
Both pilots and IT professionals require training and currency before
charging into clouds!
---------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://shibboleth.net/pipermail/users/attachments/20141104/db76b23f/attachment.html
More information about the users
mailing list