
XML – Based Injection in Spring

Last Updated : 15 Feb, 2024

In this article, we will explore XML-based injection in Spring and build a sample course management system using ApplicationContext, which manages the complete lifecycle of a bean from creation to destruction.

XML-based injection

  • XML-based injection refers to security vulnerabilities that can occur in Spring applications when untrusted data is used within XML configuration files without proper validation or encoding.
  • Spring makes extensive use of XML files like beans.xml, applicationContext.xml and web.xml to define the core application context and wiring.
  • If such untrusted data reaches these files, it is parsed as XML by the underlying framework and libraries when the application initializes. An attacker-controlled bean definition can then lead to arbitrary code execution on the server, for example by declaring or invoking Spring beans.

How Spring uses XML configuration files:

  • Spring relies heavily on XML configuration files to define the application context and wiring between application components. The beans.xml file defines Spring beans and their dependencies. The applicationContext.xml file defines the overall application context.
  • The web.xml file configures web-specific aspects for Spring MVC apps. Any external data used within these files becomes vulnerable to XML injection.

Common places for XML configuration (beans, context, web):

  • Bean definitions: If names, properties etc. of Spring beans defined in beans.xml contain external input, it can lead to code execution.
  • Application context: Files set via contextConfigLocation in web.xml or properties are at risk if they contain external values.
  • Web configuration: Initializer classes and servlet definitions in web.xml can be abused if they include attacker-controlled values.
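The point of the three bullets above is that the danger is not XML configuration itself but untrusted text being spliced into it. The following standalone Java class is an added example (not code from the article) that puts the vulnerable string-concatenation pattern next to a DOM-based builder whose serializer escapes the value, and adds two defensive checks: a hypothetical allowlist for course names and a well-formedness check with DTDs disabled. The class name, method names and the sample input are assumptions made for the illustration.

```java
package com.example.demo;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Added illustration, not code from the article: two ways of turning an
// externally supplied course name into a Spring <bean> definition.
public class BeanXmlBuilder {

    // VULNERABLE pattern: the untrusted value is spliced into the XML text.
    // Any quote or angle bracket in it is read as markup, not as data.
    static String unsafeBeanXml(String courseName) {
        return "<bean id=\"course\" class=\"com.example.demo.Course\">"
             + "<property name=\"course_name\" value=\"" + courseName + "\"/>"
             + "</bean>";
    }

    // SAFER pattern: build a DOM and let the serializer emit it. Markup
    // characters in the value are escaped (a quote becomes &quot;), so the
    // input can only ever be attribute text, never new structure.
    static String safeBeanXml(String courseName) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance()
                .newDocumentBuilder().newDocument();
        Element bean = doc.createElement("bean");
        bean.setAttribute("id", "course");
        bean.setAttribute("class", "com.example.demo.Course");
        Element prop = doc.createElement("property");
        prop.setAttribute("name", "course_name");
        prop.setAttribute("value", courseName);
        bean.appendChild(prop);
        doc.appendChild(bean);

        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    // Second layer (hypothetical allowlist; the article defines none):
    // accept only characters a course name legitimately needs.
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9 .+#-]{1,64}");

    static boolean isSafeCourseName(String courseName) {
        return courseName != null && SAFE_NAME.matcher(courseName).matches();
    }

    // Does the generated text still parse as a single well-formed element?
    // DOCTYPE declarations are refused so the check itself cannot be abused.
    static boolean isWellFormed(String xml) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException | IOException | ParserConfigurationException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String normal = "Java";
        // Constructed sample input carrying a quote and angle brackets.
        String hostile = "Java \"Advanced\" <beta>";

        // Concatenation: the first value survives, the second breaks the document.
        System.out.println(isWellFormed(unsafeBeanXml(normal)));
        System.out.println(isWellFormed(unsafeBeanXml(hostile)));
        // DOM builder: the same value is emitted as escaped attribute text.
        System.out.println(safeBeanXml(hostile));
        // Allowlist: the same value would be rejected before any XML is built.
        System.out.println(isSafeCourseName(hostile));
    }
}
```

The two layers are deliberately independent: the serializer guarantees that the value cannot alter the document's structure, and the allowlist rejects input that has no business in a course name at all. Either one alone would have prevented the concatenation problem; together they also give a clear place to log rejected input for detection.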

Step-by-Step Implementation of XML-Based Injection in Spring

Step 1: Create a new Spring Project

  • Go to Spring Initializr (https://start.spring.io/) and select Maven or Gradle project.
  • Add required dependencies like Web, JPA etc.
  • Download the generated project zip file.
  • Open the downloaded project zip file in Spring Tool Suite (STS) or your preferred IDE.

[Screenshot: Project Creation]

Project Structure:

Below is the structure of the project.

[Screenshot: Project Structure]

Step 2: Model class [Course.java]

Java

package com.example.demo;

// Plain Java bean: a no-argument constructor plus getters and setters is
// all Spring needs to create it and inject values through <property>.
public class Course {
    private int id;
    private String course_name;
    private double course_fees;
    private double course_duration;

    public Course() {
        super();
    }

    public Course(int id, String course_name, double course_fees,
                  double course_duration) {
        super();
        this.id = id;
        this.course_name = course_name;
        this.course_fees = course_fees;
        this.course_duration = course_duration;
    }

    public int getId() {
        return id;
    }

    public void setId(int id) {
        this.id = id;
    }

    public String getCourse_name() {
        return course_name;
    }

    public void setCourse_name(String course_name) {
        this.course_name = course_name;
    }

    public double getCourse_fees() {
        return course_fees;
    }

    public void setCourse_fees(double course_fees) {
        this.course_fees = course_fees;
    }

    public double getCourse_duration() {
        return course_duration;
    }

    public void setCourse_duration(double course_duration) {
        this.course_duration = course_duration;
    }
}


The above Course class defines the properties of a course like id, name, fees and duration. Getter and setter methods are provided to access and modify these properties.

Step 3: Create a Service class to manage all courses [CourseService.java]

Java

package com.example.demo;

public class CourseService {
    private Course course;

    // Setter used by Spring for dependency injection (see applicationContext.xml)
    public void setCourse(Course course) {
        this.course = course;
    }

    public void addNewCourse(Course course) {
        // logic of add new course
    }
}


  • The above CourseService class acts as a service to manage course operations. It contains a setCourse() method through which Spring injects a Course object dependency.
  • The addNewCourse() method uses this injected Course object to add a new course, demonstrating setter-based dependency injection.

Step 4: Configuration file for Spring beans [applicationContext.xml]

XML

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- The Course bean is created with its no-argument constructor -->
    <bean id="course" class="com.example.demo.Course"/>

    <!-- Setter injection: Spring calls CourseService.setCourse(course) -->
    <bean id="courseService" class="com.example.demo.CourseService">
        <property name="course" ref="course"/>
    </bean>

</beans>


The above XML configuration file defines Spring beans for the Course and CourseService classes, injecting the Course dependency into the CourseService bean.
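When course values really do have to come from outside the application (a deployment-specific fee, a name chosen by an operator), the safe route is a property placeholder rather than editing the XML text. Spring parses the file first and only afterwards substitutes ${...} values into the already-built bean definitions, so an external value can only ever become a property value, never new markup. The following configuration is an added example, not the article's file; it assumes a course.properties file on the classpath with the three keys shown in the comment.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context
                           http://www.springframework.org/schema/context/spring-context.xsd">

    <!-- Assumed file course.properties on the classpath:
         course.name=Java
         course.fees=40000
         course.duration=7
         Its values are substituted after the XML has been parsed. -->
    <context:property-placeholder location="classpath:course.properties"/>

    <bean id="course" class="com.example.demo.Course">
        <property name="id" value="1"/>
        <property name="course_name" value="${course.name}"/>
        <property name="course_fees" value="${course.fees}"/>
        <property name="course_duration" value="${course.duration}"/>
    </bean>

    <bean id="courseService" class="com.example.demo.CourseService">
        <property name="course" ref="course"/>
    </bean>

</beans>
```

The properties file should be treated like any other configuration artifact: owned by the deployment, not writable by the application's users, and reviewed with the same care as the XML it feeds.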

Step 5: Main Class to run the code

Java

package com.example.demo;

import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.support.ClassPathXmlApplicationContext;

@SpringBootApplication
public class XmlBasedApplication {
    public static void main(String[] args) {
        // Build the container from the XML file on the classpath; Spring
        // creates the beans and performs the wiring declared there.
        ClassPathXmlApplicationContext context
            = new ClassPathXmlApplicationContext("applicationContext.xml");
        CourseService courseService
            = context.getBean("courseService", CourseService.class);

        // Adding New Course
        Course course = new Course();
        course.setId(1);
        course.setCourse_name("Java");
        course.setCourse_duration(7);
        course.setCourse_fees(40000);

        courseService.addNewCourse(course);
        System.out.println("Course Name:" + course.getCourse_name());
        System.out.println("Course Duration:" + course.getCourse_duration() + "Months");
        System.out.println("Course Fees:" + course.getCourse_fees());

        // Release the container and run any destroy callbacks.
        context.close();
    }
}
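The introduction promises that ApplicationContext manages a bean from creation to destruction, but the main class above never shows either callback. The following class is an added example (not code from the article) of a service with init and destroy methods that Spring invokes, together with a main() that closes the context so the destroy callback actually runs. The class name, the file name lifecycle-context.xml and the bean definition quoted in the comment are assumptions for this illustration.

```java
package com.example.demo;

import org.springframework.context.support.ClassPathXmlApplicationContext;

// Added example, not the article's code. Assumes this definition in a
// hypothetical lifecycle-context.xml on the classpath:
//
//   <bean id="course" class="com.example.demo.Course"/>
//   <bean id="courseService" class="com.example.demo.LifecycleCourseService"
//         init-method="init" destroy-method="cleanup">
//       <property name="course" ref="course"/>
//   </bean>
public class LifecycleCourseService {
    private Course course;
    private boolean ready;

    public void setCourse(Course course) {
        this.course = course;
    }

    // Called by Spring after all <property> values have been injected.
    // Failing here aborts context startup, which is the right place to
    // discover a missing dependency rather than at first use.
    public void init() {
        if (course == null) {
            throw new IllegalStateException("course dependency was not injected");
        }
        ready = true;
        System.out.println("CourseService initialised");
    }

    public void addNewCourse(Course c) {
        if (!ready) {
            throw new IllegalStateException("service used before init()");
        }
        System.out.println("Adding course " + c.getCourse_name());
    }

    // Called by Spring when the context is closed.
    public void cleanup() {
        ready = false;
        System.out.println("CourseService shut down");
    }

    public static void main(String[] args) {
        // try-with-resources closes the context on exit, which triggers
        // destroy-method; without close() the cleanup never runs.
        try (ClassPathXmlApplicationContext ctx =
                     new ClassPathXmlApplicationContext("lifecycle-context.xml")) {
            LifecycleCourseService svc =
                    ctx.getBean("courseService", LifecycleCourseService.class);
            svc.addNewCourse(new Course(1, "Java", 40000, 7));
        }
    }
}
```

The same pair of hooks is where a real service would open and release resources such as connection pools; tying them to the context's lifecycle instead of to static initialisers keeps their ordering predictable and visible in the configuration.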


Output:

The three println calls in the main class produce:

Course Name:Java
Course Duration:7.0Months
Course Fees:40000.0

(The original article shows this in an output video.)
