Hi all,

I have done several tests using a sample Spring-based REST application and unmarshalling XML messages with Spring OXM through the RequestBody annotation. I found out that if Spring OXM is using JAXB or Castor (I did not try the rest), the default unmarshalling behaviour is to resolve external entities, and so it makes every single Spring-based REST API vulnerable to XML External Entity injection. I tried to set up the underlying parser to disable entity resolution, but I could not. It seems there's no way to do it with JAXB, and Castor has a new property exposed through the Spring OXM CastorMarshaller that allows setting an entity resolver. But setting it to null does not change the behaviour.
So before opening a bug for this, I preferred to ask the forum, just in case I'm not aware of a way to disable entity resolution. Is there any?