[Geoserver-users] WMS broken after GeoServer Update (SAXException)

Jean-Christophe

De : Calliess Daniel Ing. Daniel.Calliess@anonymised.com
Envoyé : lundi 22 avril 2024 15:00
À : ‘geoserver-users’ geoserver-users@anonymised.comet
Objet : [Geoserver-users] WMS broken after GeoServer Update (SAXException)

Hi,

I updated my GeoServer (Tomcat 9/Windows Server) from 2.24.2 to 2.25.0 and now I can’t preview WMS layers. The error message is: “java.lang.reflect.UndeclaredThrowableExceptionorg.xml.sax.SAXException: Entity resolution disallowed for null”. The same message is shown when I try to validate an SLD stylesheet. I copied the full stack trace to a file and attached it to this message. I also reverted back to the data dir included in the 2.25.0 release and can reproduce the error f.e. with the ‘point’ style.

I now found out that when I’m starting GeoServer with the -DENTITY_RESOLUTION_ALLOWLIST=* parameter, the error is gone. Although this parameter shouldn’t be necessary because the styles are only containing references to www.opengis.net and www.w3.org which are in the default list of allowed domains for entity expansion according to the documentation.

The geoserver log shows a lot of “WARN [geotools.xsd] - Sax parser property ‘http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit’ not recognized. Xerces version is incompatible.” messages. Might there be a connection to the above issue?

Am I doing something wrong?

Thank you and best regards
Daniel

Jean-Christophe

De : Jean-Christophe Bastin
Envoyé : lundi 22 avril 2024 16:13
À : Calliess Daniel Ing. Daniel.Calliess@anonymised.com; ‘geoserver-users’ geoserver-users@lists.sourceforge.net
Objet : RE: WMS broken after GeoServer Update (SAXException)

Hello,

I was about to write an equivalent message to the community for the same error.

In my case, I’m updating from GeoServer 2.10.0 to 2.25.0. I had many issues that I was able to manage by myself. But the last issue (I hope) I see now is for any layer I want to preview, or access to show, I get also a service exception “java.lang.reflect.UndeclaredThrowableExceptionorg.xml.sax.SAXException: Entity resolution disallowed for null”.

I’m really interested to have also some support on this point.

Many thanks.

Jean-Christophe

De : Calliess Daniel Ing. <Daniel.Calliess@anonymised.com>
Envoyé : lundi 22 avril 2024 15:00
À : ‘geoserver-users’ <geoserver-users@lists.sourceforge.net>
Objet : [Geoserver-users] WMS broken after GeoServer Update (SAXException)

Hi,

I updated my GeoServer (Tomcat 9/Windows Server) from 2.24.2 to 2.25.0 and now I can’t preview WMS layers. The error message is: “java.lang.reflect.UndeclaredThrowableExceptionorg.xml.sax.SAXException: Entity resolution disallowed for null”. The same message is shown when I try to validate an SLD stylesheet. I copied the full stack trace to a file and attached it to this message. I also reverted back to the data dir included in the 2.25.0 release and can reproduce the error f.e. with the ‘point’ style.

I now found out that when I’m starting GeoServer with the -DENTITY_RESOLUTION_ALLOWLIST=* parameter, the error is gone. Although this parameter shouldn’t be necessary because the styles are only containing references to www.opengis.net and www.w3.org which are in the default list of allowed domains for entity expansion according to the documentation.

The geoserver log shows a lot of “WARN [geotools.xsd] - Sax parser property ‘http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit’ not recognized. Xerces version is incompatible.” messages. Might there be a connection to the above issue?

Am I doing something wrong?

Thank you and best regards
Daniel

From: Jean-Christophe Bastin jcbastin@anonymised.com
Sent: Montag, 22. April 2024 16:41
To: Calliess Daniel Ing. Daniel.Calliess@anonymised.com; ‘geoserver-users’ geoserver-users@lists.sourceforge.net
Subject: RE: WMS broken after GeoServer Update (SAXException)

Hello Daniel,

I found a solution. I don’t know if this is the same behavior than your parameter DENTITY_RESOLUTION_ALLOWLIST=*.

In Configuration, Global, you have “Unlimited resolution of XML external entities (security risk)” (this is translated from french, sorry if it’s not exactly the same words).

After checked and applied changes, the error is gone when consulting layers.

BUT, I see the “security risk” with this parameter, and I don’t know what is it exactly.

If someone can explain what is it talking about, I’ll appreciate it

Many thanks.

Jean-Christophe

De : Jean-Christophe Bastin
Envoyé : lundi 22 avril 2024 16:13
À : Calliess Daniel Ing. <Daniel.Calliess@anonymised.com>; ‘geoserver-users’ <geoserver-users@anonymised.com.sourceforge.net>
Objet : RE: WMS broken after GeoServer Update (SAXException)

Hello,

I was about to write an equivalent message to the community for the same error.

In my case, I’m updating from GeoServer 2.10.0 to 2.25.0. I had many issues that I was able to manage by myself. But the last issue (I hope) I see now is for any layer I want to preview, or access to show, I get also a service exception “java.lang.reflect.UndeclaredThrowableExceptionorg.xml.sax.SAXException: Entity resolution disallowed for null”.

I’m really interested to have also some support on this point.

Many thanks.

Jean-Christophe

De : Calliess Daniel Ing. <Daniel.Calliess@anonymised.com>
Envoyé : lundi 22 avril 2024 15:00
À : ‘geoserver-users’ <geoserver-users@lists.sourceforge.net>
Objet : [Geoserver-users] WMS broken after GeoServer Update (SAXException)

Hi,

I updated my GeoServer (Tomcat 9/Windows Server) from 2.24.2 to 2.25.0 and now I can’t preview WMS layers. The error message is: “java.lang.reflect.UndeclaredThrowableExceptionorg.xml.sax.SAXException: Entity resolution disallowed for null”. The same message is shown when I try to validate an SLD stylesheet. I copied the full stack trace to a file and attached it to this message. I also reverted back to the data dir included in the 2.25.0 release and can reproduce the error f.e. with the ‘point’ style.

I now found out that when I’m starting GeoServer with the -DENTITY_RESOLUTION_ALLOWLIST=* parameter, the error is gone. Although this parameter shouldn’t be necessary because the styles are only containing references to www.opengis.net and www.w3.org which are in the default list of allowed domains for entity expansion according to the documentation.

The geoserver log shows a lot of “WARN [geotools.xsd] - Sax parser property ‘http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit’ not recognized. Xerces version is incompatible.” messages. Might there be a connection to the above issue?

Am I doing something wrong?

Thank you and best regards
Daniel

Jean-Christophe

De : Calliess Daniel Ing. Daniel.Calliess@anonymised.com
Envoyé : lundi 22 avril 2024 17:50
À : Jean-Christophe Bastin jcbastin@anonymised.com; ‘geoserver-users’ geoserver-users@lists.sourceforge.net
Objet : RE: WMS broken after GeoServer Update (SAXException)

Hello Jean-Christophe,

when users upload XML documents to your server those files can contain links to other documents (f.e. for namespace or schema definitions). An attacker could send a document containing links to files on the server’s disk and somehow cause the server to leak this information I think. Or include links to ressources on the internet that lead GeoServer to misbehave. More specific information might come from the GeoServer developers. See also https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#config-globalsettings-external-entities in the documenation.

So I’m trying to avoid weakening the External Entity settings if possible. And also would suggest you use the “-DENTITY_RESOLUTION_ALLOWLIST=*” parameter (see https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities) for the moment because it only allows access to online ressources, not to local files on the server.

Regards

Daniel

From: Jean-Christophe Bastin <jcbastin@anonymised.com>
Sent: Montag, 22. April 2024 16:41
To: Calliess Daniel Ing. <Daniel.Calliess@anonymised.com>; ‘geoserver-users’ <geoserver-users@anonymised.comforge.net>
Subject: RE: WMS broken after GeoServer Update (SAXException)

Hello Daniel,

I found a solution. I don’t know if this is the same behavior than your parameter DENTITY_RESOLUTION_ALLOWLIST=*.

In Configuration, Global, you have “Unlimited resolution of XML external entities (security risk)” (this is translated from french, sorry if it’s not exactly the same words).

After checked and applied changes, the error is gone when consulting layers.

BUT, I see the “security risk” with this parameter, and I don’t know what is it exactly.

If someone can explain what is it talking about, I’ll appreciate it

Many thanks.

Jean-Christophe

De : Jean-Christophe Bastin
Envoyé : lundi 22 avril 2024 16:13
À : Calliess Daniel Ing. <Daniel.Calliess@anonymised.com>; ‘geoserver-users’ <geoserver-users@anonymised.com.sourceforge.net>
Objet : RE: WMS broken after GeoServer Update (SAXException)

Hello,

I was about to write an equivalent message to the community for the same error.

In my case, I’m updating from GeoServer 2.10.0 to 2.25.0. I had many issues that I was able to manage by myself. But the last issue (I hope) I see now is for any layer I want to preview, or access to show, I get also a service exception “java.lang.reflect.UndeclaredThrowableExceptionorg.xml.sax.SAXException: Entity resolution disallowed for null”.

I’m really interested to have also some support on this point.

Many thanks.

Jean-Christophe

De : Calliess Daniel Ing. <Daniel.Calliess@anonymised.com>
Envoyé : lundi 22 avril 2024 15:00
À : ‘geoserver-users’ <geoserver-users@lists.sourceforge.net>
Objet : [Geoserver-users] WMS broken after GeoServer Update (SAXException)

Hi,

I updated my GeoServer (Tomcat 9/Windows Server) from 2.24.2 to 2.25.0 and now I can’t preview WMS layers. The error message is: “java.lang.reflect.UndeclaredThrowableExceptionorg.xml.sax.SAXException: Entity resolution disallowed for null”. The same message is shown when I try to validate an SLD stylesheet. I copied the full stack trace to a file and attached it to this message. I also reverted back to the data dir included in the 2.25.0 release and can reproduce the error f.e. with the ‘point’ style.

I now found out that when I’m starting GeoServer with the -DENTITY_RESOLUTION_ALLOWLIST=* parameter, the error is gone. Although this parameter shouldn’t be necessary because the styles are only containing references to www.opengis.net and www.w3.org which are in the default list of allowed domains for entity expansion according to the documentation.

The geoserver log shows a lot of “WARN [geotools.xsd] - Sax parser property ‘http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit’ not recognized. Xerces version is incompatible.” messages. Might there be a connection to the above issue?

Am I doing something wrong?

Thank you and best regards
Daniel

From: Jean-Christophe Bastin jcbastin@anonymised.com
Sent: Dienstag, 23. April 2024 12:05
To: Calliess Daniel Ing. Daniel.Calliess@anonymised.com; ‘geoserver-users’ geoserver-users@lists.sourceforge.net
Subject: Re: [Geoserver-users] WMS broken after GeoServer Update (SAXException)

Hello Daniel,

Thank you very much for the details.

As you advice, I changed my configuration to not check this global setting, and set the parameter ENTITY_RESOLUTION_ALLOWLIST=* in the web.xml of GeoServer.

It looks like the error message is gone in this way.

Regards,

Jean-Christophe

De : Calliess Daniel Ing. <Daniel.Calliess@anonymised.com>
Envoyé : lundi 22 avril 2024 17:50
À : Jean-Christophe Bastin <jcbastin@anonymised.com>; ‘geoserver-users’ <geoserver-users@anonymised.com.net>
Objet : RE: WMS broken after GeoServer Update (SAXException)

Hello Jean-Christophe,

when users upload XML documents to your server those files can contain links to other documents (f.e. for namespace or schema definitions). An attacker could send a document containing links to files on the server’s disk and somehow cause the server to leak this information I think. Or include links to ressources on the internet that lead GeoServer to misbehave. More specific information might come from the GeoServer developers. See also https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#config-globalsettings-external-entities in the documenation.

So I’m trying to avoid weakening the External Entity settings if possible. And also would suggest you use the “-DENTITY_RESOLUTION_ALLOWLIST=*” parameter (see https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities) for the moment because it only allows access to online ressources, not to local files on the server.

Regards

Daniel

From: Jean-Christophe Bastin <jcbastin@anonymised.com>
Sent: Montag, 22. April 2024 16:41
To: Calliess Daniel Ing. <Daniel.Calliess@anonymised.com>; ‘geoserver-users’ <geoserver-users@anonymised.comforge.net>
Subject: RE: WMS broken after GeoServer Update (SAXException)

Hello Daniel,

I found a solution. I don’t know if this is the same behavior than your parameter DENTITY_RESOLUTION_ALLOWLIST=*.

In Configuration, Global, you have “Unlimited resolution of XML external entities (security risk)” (this is translated from french, sorry if it’s not exactly the same words).

After checked and applied changes, the error is gone when consulting layers.

BUT, I see the “security risk” with this parameter, and I don’t know what is it exactly.

If someone can explain what is it talking about, I’ll appreciate it

Many thanks.

Jean-Christophe

De : Jean-Christophe Bastin
Envoyé : lundi 22 avril 2024 16:13
À : Calliess Daniel Ing. <Daniel.Calliess@anonymised.com>; ‘geoserver-users’ <geoserver-users@anonymised.com.sourceforge.net>
Objet : RE: WMS broken after GeoServer Update (SAXException)

Hello,

I was about to write an equivalent message to the community for the same error.

In my case, I’m updating from GeoServer 2.10.0 to 2.25.0. I had many issues that I was able to manage by myself. But the last issue (I hope) I see now is for any layer I want to preview, or access to show, I get also a service exception “java.lang.reflect.UndeclaredThrowableExceptionorg.xml.sax.SAXException: Entity resolution disallowed for null”.

I’m really interested to have also some support on this point.

Many thanks.

Jean-Christophe

De : Calliess Daniel Ing. <Daniel.Calliess@anonymised.com>
Envoyé : lundi 22 avril 2024 15:00
À : ‘geoserver-users’ <geoserver-users@lists.sourceforge.net>
Objet : [Geoserver-users] WMS broken after GeoServer Update (SAXException)

Hi,

I updated my GeoServer (Tomcat 9/Windows Server) from 2.24.2 to 2.25.0 and now I can’t preview WMS layers. The error message is: “java.lang.reflect.UndeclaredThrowableExceptionorg.xml.sax.SAXException: Entity resolution disallowed for null”. The same message is shown when I try to validate an SLD stylesheet. I copied the full stack trace to a file and attached it to this message. I also reverted back to the data dir included in the 2.25.0 release and can reproduce the error f.e. with the ‘point’ style.

I now found out that when I’m starting GeoServer with the -DENTITY_RESOLUTION_ALLOWLIST=* parameter, the error is gone. Although this parameter shouldn’t be necessary because the styles are only containing references to www.opengis.net and www.w3.org which are in the default list of allowed domains for entity expansion according to the documentation.

The geoserver log shows a lot of “WARN [geotools.xsd] - Sax parser property ‘http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit’ not recognized. Xerces version is incompatible.” messages. Might there be a connection to the above issue?

Am I doing something wrong?

Thank you and best regards
Daniel

–
Jody Garnett

–
Jody Garnett

docker run -it -p 8085:8080 --env INSTALL_EXTENSIONS=true --env STABLE_EXTENSIONS=“printing” docker.osgeo.org/geoserver:2.25.0

And then clicking on any layer preview.

Regards

Moritz

Mit freundlichen Grüßen
i.A.
Moritz Maneke

Anwendungsentwicklung
GIS Consult GmbH,
Gesellschaft für angewandte geographische Informationssysteme
Schultenbusch 3, 45721 Haltern am See

Telefon: +49 2364 92 18 68
E-Mail: moritz.maneke@…12023…

Datenschutzerklärung
Geschäftsführer: Dietmar Hauling, Thomas Hermes, Christian Vogt
Handelsreg.: Gelsenkirchen HRB 5780

Von: Jody Garnett <jody.garnett@…84…>
Gesendet: Montag, 17. Juni 2024 18:25
An: Calliess Daniel Ing. <Daniel.Calliess@…8565…>
Cc: geoserver-users geoserver-users@lists.sourceforge.net
Betreff: Re: [Geoserver-users] WMS broken after GeoServer Update (SAXException)

Out of curiosity can you share the SLD file that did not validate? I am curious if it had anything unusual and/or missing.

I am sorry about the “Entity resolution disallowed for null” message not being helpful, when I wrote that I assumed every external entity would have a name - but found out later that some things like DTD Entities do not have a name.

What version of Java are you using?

–

Jody Garnett

On Apr 22, 2024 at 6:00:29 AM, Calliess Daniel Ing. <Daniel.Calliess@…8565…> wrote:

Hi,

I updated my GeoServer (Tomcat 9/Windows Server) from 2.24.2 to 2.25.0 and now I can’t preview WMS layers. The error message is: “java.lang.reflect.UndeclaredThrowableExceptionorg.xml.sax.SAXException: Entity resolution disallowed for null”. The same message is shown when I try to validate an SLD stylesheet. I copied the full stack trace to a file and attached it to this message. I also reverted back to the data dir included in the 2.25.0 release and can reproduce the error f.e. with the ‘point’ style.

I now found out that when I’m starting GeoServer with the -DENTITY_RESOLUTION_ALLOWLIST=* parameter, the error is gone. Although this parameter shouldn’t be necessary because the styles are only containing references to www.opengis.net and www.w3.org which are in the default list of allowed domains for entity expansion according to the documentation.

The geoserver log shows a lot of “WARN [geotools.xsd] - Sax parser property ‘http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit’ not recognized. Xerces version is incompatible.” messages. Might there be a connection to the above issue?

Am I doing something wrong?

Thank you and best regards
Daniel

---

Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:

• Earning your support instead of buying it, but Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
• The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

From: Jody Garnett <jody.garnett@…84…>
Sent: Montag, 17. Juni 2024 18:13
To: Calliess Daniel Ing. <Daniel.Calliess@…8499…>
Cc: Jean-Christophe Bastin <jcbastin@…7771…>; geoserver-users geoserver-users@lists.sourceforge.net
Subject: [EXTERN!]: Re: [Geoserver-users] WMS broken after GeoServer Update (SAXException)

Hey folks,

I added the ENTITY_RESOLUTION_ALLOWLIST option for a long time but nobody was noticing very much! I am glad you found the setting and have been working though how it works.

You are correct that it is used to mitigate the service side request forgery attacks. Some software is very susceptible to being attacked (like with headers and stuff) and we did not wish GeoServer to be the cause of trouble.

Since it was enabled by default we made some more improvements for the 2.25.1 release which are mentioned in the release notes.

The use of ENTITY_RESOLUTION_ALLOWLIST=* would allow GeoServer to access any http location. The External Entity setting security risk allows any location on disk to be accessed (which is required for things like application schema where you have your schema files in the data directory).

It is preferable to host your schema somewhere public, like maybe the geoserver/www folder. And you can list additional locations in the ENTITY_RESOLUTION_ALLOWLIST value.

Q: Did any of you find the documentation?

• https://docs.geoserver.org/latest/en/user/production/config.html#external-entities-resolution
• https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#config-globalsettings-external-entities

Q: The “null” thing was a surprise to me - it was when the external entity was a DTD (and thus did not have a name). The error message assumed everything would have a name and that the name would be a useful way to tell what could not be found in your document.

–

Jody Garnett

On Jun 17, 2024 at 5:22:37 AM, Calliess Daniel Ing. <Daniel.Calliess@…8565…> wrote:

Hello Jean-Christophe,

I just upgraded to V2.25.1 and the error is gone, so no more workaround is necessary.

Regards

Daniel

From: Jean-Christophe Bastin <jcbastin@…7771…>
Sent: Dienstag, 23. April 2024 12:05
To: Calliess Daniel Ing. <Daniel.Calliess@…8499…>; ‘geoserver-users’ <geoserver-users@lists.sourceforge.net>
Subject: Re: [Geoserver-users] WMS broken after GeoServer Update (SAXException)

Hello Daniel,

Thank you very much for the details.

As you advice, I changed my configuration to not check this global setting, and set the parameter ENTITY_RESOLUTION_ALLOWLIST=* in the web.xml of GeoServer.

It looks like the error message is gone in this way.

Regards,

Jean-Christophe

De : Calliess Daniel Ing. <Daniel.Calliess@…8499…>
Envoyé : lundi 22 avril 2024 17:50
À : Jean-Christophe Bastin <jcbastin@…7771…>; ‘geoserver-users’ <geoserver-users@lists.sourceforge.net>
Objet : RE: WMS broken after GeoServer Update (SAXException)

Hello Jean-Christophe,

when users upload XML documents to your server those files can contain links to other documents (f.e. for namespace or schema definitions). An attacker could send a document containing links to files on the server’s disk and somehow cause the server to leak this information I think. Or include links to ressources on the internet that lead GeoServer to misbehave. More specific information might come from the GeoServer developers. See also https://docs.geoserver.org/latest/en/user/configuration/globalsettings.html#config-globalsettings-external-entities in the documenation.

So I’m trying to avoid weakening the External Entity settings if possible. And also would suggest you use the “-DENTITY_RESOLUTION_ALLOWLIST=*” parameter (see https://docs.geoserver.org/latest/en/user/production/config.html#production-config-external-entities) for the moment because it only allows access to online ressources, not to local files on the server.

Regards

Daniel

From: Jean-Christophe Bastin <jcbastin@…7771…>
Sent: Montag, 22. April 2024 16:41
To: Calliess Daniel Ing. <Daniel.Calliess@…8499…>; ‘geoserver-users’ <geoserver-users@lists.sourceforge.net>
Subject: RE: WMS broken after GeoServer Update (SAXException)

Hello Daniel,

I found a solution. I don’t know if this is the same behavior than your parameter DENTITY_RESOLUTION_ALLOWLIST=*.

In Configuration, Global, you have “Unlimited resolution of XML external entities (security risk)” (this is translated from french, sorry if it’s not exactly the same words).

After checked and applied changes, the error is gone when consulting layers.

BUT, I see the “security risk” with this parameter, and I don’t know what is it exactly.

If someone can explain what is it talking about, I’ll appreciate it

Many thanks.

Jean-Christophe

De : Jean-Christophe Bastin
Envoyé : lundi 22 avril 2024 16:13
À : Calliess Daniel Ing. <Daniel.Calliess@…8499…>; ‘geoserver-users’ <geoserver-users@lists.sourceforge.net>
Objet : RE: WMS broken after GeoServer Update (SAXException)

Hello,

I was about to write an equivalent message to the community for the same error.

In my case, I’m updating from GeoServer 2.10.0 to 2.25.0. I had many issues that I was able to manage by myself. But the last issue (I hope) I see now is for any layer I want to preview, or access to show, I get also a service exception “java.lang.reflect.UndeclaredThrowableExceptionorg.xml.sax.SAXException: Entity resolution disallowed for null”.

I’m really interested to have also some support on this point.

Many thanks.

Jean-Christophe

De : Calliess Daniel Ing. <Daniel.Calliess@…8499…>
Envoyé : lundi 22 avril 2024 15:00
À : ‘geoserver-users’ <geoserver-users@lists.sourceforge.net>
Objet : [Geoserver-users] WMS broken after GeoServer Update (SAXException)

Hi,

I updated my GeoServer (Tomcat 9/Windows Server) from 2.24.2 to 2.25.0 and now I can’t preview WMS layers. The error message is: “java.lang.reflect.UndeclaredThrowableExceptionorg.xml.sax.SAXException: Entity resolution disallowed for null”. The same message is shown when I try to validate an SLD stylesheet. I copied the full stack trace to a file and attached it to this message. I also reverted back to the data dir included in the 2.25.0 release and can reproduce the error f.e. with the ‘point’ style.

I now found out that when I’m starting GeoServer with the -DENTITY_RESOLUTION_ALLOWLIST=* parameter, the error is gone. Although this parameter shouldn’t be necessary because the styles are only containing references to www.opengis.net and www.w3.org which are in the default list of allowed domains for entity expansion according to the documentation.

The geoserver log shows a lot of “WARN [geotools.xsd] - Sax parser property ‘http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit’ not recognized. Xerces version is incompatible.” messages. Might there be a connection to the above issue?

Am I doing something wrong?

Thank you and best regards
Daniel

---

Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:

• Earning your support instead of buying it, but Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
• The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

From: Maneke, Moritz <Moritz.Maneke@…12023…>
Sent: Dienstag, 18. Juni 2024 08:36
To: Jody Garnett <jody.garnett@…84…>; Calliess Daniel Ing. <Daniel.Calliess@…8499…>
Cc: geoserver-users geoserver-users@lists.sourceforge.net
Subject: [EXTERN!]: AW: [Geoserver-users] WMS broken after GeoServer Update (SAXException)

---

Der Mailanhang wurde automatisiert auf Sicherheitsrisiken geprueft, etwaige Schadsoftware wurde aus dem Dokument (Mail und Beilagen) entfernt. (Beispiel: enthaltene Links zu Webseiten, aktive Inhalte wie z.B.: Makros wurden entfernt)!
Es wurden jedoch keine Anhaenge entfernt!

Bei Fragen wenden Sie sich bitte an den Helpdesk DW 4000 mail: helpdesk@…8565…
CP Sandblast

---

Hello everybody,

i also encountered those errors when upgrading from 2.20.4 to 2.25.0

From my observations the error occurs when using extensions that contain the xercesImpl-*.jar library, like Printing or GeoFence.

The error can very easily be reproduced by running the official docker image plus printing extension:

docker run -it -p 8085:8080 --env INSTALL_EXTENSIONS=true --env STABLE_EXTENSIONS=“printing” docker.osgeo.org/geoserver:2.25.0

And then clicking on any layer preview.

Regards

Moritz

Mit freundlichen Grüßen
i.A.
Moritz Maneke

Anwendungsentwicklung
GIS Consult GmbH,
Gesellschaft für angewandte geographische Informationssysteme
Schultenbusch 3, 45721 Haltern am See

Telefon: +49 2364 92 18 68
E-Mail: moritz.maneke@…12023…

Datenschutzerklärung
Geschäftsführer: Dietmar Hauling, Thomas Hermes, Christian Vogt
Handelsreg.: Gelsenkirchen HRB 5780

Von: Jody Garnett <jody.garnett@…84…>
Gesendet: Montag, 17. Juni 2024 18:25
An: Calliess Daniel Ing. <Daniel.Calliess@…8565…>
Cc: geoserver-users <geoserver-users@lists.sourceforge.net>
Betreff: Re: [Geoserver-users] WMS broken after GeoServer Update (SAXException)

Out of curiosity can you share the SLD file that did not validate? I am curious if it had anything unusual and/or missing.

I am sorry about the “Entity resolution disallowed for null” message not being helpful, when I wrote that I assumed every external entity would have a name - but found out later that some things like DTD Entities do not have a name.

What version of Java are you using?

–

Jody Garnett

On Apr 22, 2024 at 6:00:29 AM, Calliess Daniel Ing. <Daniel.Calliess@…8565…> wrote:

Hi,

I updated my GeoServer (Tomcat 9/Windows Server) from 2.24.2 to 2.25.0 and now I can’t preview WMS layers. The error message is: “java.lang.reflect.UndeclaredThrowableExceptionorg.xml.sax.SAXException: Entity resolution disallowed for null”. The same message is shown when I try to validate an SLD stylesheet. I copied the full stack trace to a file and attached it to this message. I also reverted back to the data dir included in the 2.25.0 release and can reproduce the error f.e. with the ‘point’ style.

I now found out that when I’m starting GeoServer with the -DENTITY_RESOLUTION_ALLOWLIST=* parameter, the error is gone. Although this parameter shouldn’t be necessary because the styles are only containing references to www.opengis.net and www.w3.org which are in the default list of allowed domains for entity expansion according to the documentation.

The geoserver log shows a lot of “WARN [geotools.xsd] - Sax parser property ‘http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit’ not recognized. Xerces version is incompatible.” messages. Might there be a connection to the above issue?

Am I doing something wrong?

Thank you and best regards
Daniel

---

Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:

• Earning your support instead of buying it, but Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
• The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

–
Jody Garnett