CXF 3.1.12 Cannot create a secure XMLInputFactory

Question

I'm getting a "Cannot create a secure XMLInputFactory" error when sending a request with SoapUI, i tried some of the stackoverflow mentioned solutions like adding woodstox and stax2-api, but the issue persists

from build.gradle:

compile 'org.codehaus.woodstox:woodstox-core-asl:4.4.1'
compile 'org.codehaus.woodstox:stax2-api:4.0.0'

compile 'org.apache.cxf:cxf-rt-frontend-jaxws:3.1.12'
compile 'org.apache.cxf:cxf-rt-ws-security:3.1.12'
compile 'org.apache.cxf:cxf-rt-transports-http:3.1.12'

it was working before with woodstox-core, but started to throw the error

compile 'com.fasterxml.woodstox:woodstox-core:5.0.3'

from previous solutions from version 3 CXF does not even require woodstox, i tried also without woodstox.

Could it be any other dependency updated like axis2? What should be my next steps to find out? thanks

Note: using tomcat 8.5.19

Answer 1

So solution found, at SaxUtils.java as someone mentioned there is a

factory = XMLInputFactory.newInstance();

Where we can see from where it is loaded.

There was actually a conflict in axis2 so by excluding neethi

compile('org.apache.axis2:axis2-transport-http:1.5.1') {
    exclude group: 'javax.servlet', module: 'servlet-api'
    exclude module: 'XmlSchema'
    exclude group: 'org.apache.neethi', module: 'neethi'
    exclude group: 'org.codehaus.woodstox'
}
runtime ('org.apache.axis2:axis2-transport-local:1.5.1'){
    exclude group: 'org.codehaus.woodstox', module: 'wstx-asl'
}

the conflict was gone.

Answer 2

I would like to confirm with 'dotmindlabs' on the issue with Axis2. I also used a few packages from Axis2 whilst implementing Apache CXF 3.2.1. I had the same problem "Cannot create a secure XMLInputFactory"

The issue was strictly to do with the additional libraries Axis2 Implements.

I have provided below the dependency (Maven) changes required to resolve this issue.

  <!-- https://mvnrepository.com/artifact/org.apache.axis2/axis2-transport-http -->
    <dependency>
        <groupId>org.apache.axis2</groupId>
        <artifactId>axis2-transport-http</artifactId>
        <version>1.6.2</version>
        <exclusions>
            <exclusion>
                <groupId>org.apache.ws.commons.schema</groupId>
                <artifactId>XmlSchema</artifactId>
            </exclusion>
            <exclusion>
                <groupId>javax.servlet</groupId>
                <artifactId>servlet-api</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.apache.neethi</groupId>
                <artifactId>neethi</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.codehaus.woodstox</groupId>
                <artifactId>wstx-asl</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

I hope this helps people in the future who run into this problem.