
Welcome to XMLBeans

What is XMLBeans?

XMLBeans is a technology for accessing XML by binding it to Java types. XMLBeans provides several ways to get at the XML, including:

  • Through XML schema that has been compiled to generate Java types that represent schema types. In this way, you can access instances of the schema through JavaBeans-style accessors after the fashion of "getFoo" and "setFoo".

    The XMLBeans API also allows you to reflect into the XML schema itself through an XML Schema Object model.

  • A cursor model through which you can traverse the full XML infoset.
  • Support for XML DOM.

For a more complete introduction, see the XMLBeans Overview or Getting Started With XMLBeans.

For more details on XMLBeans see the XMLBeans Wiki pages or the XMLBeans documentation (the Documentation tab on this website).

CVE-2021-23926 - XML External Entity (XXE) Processing in Apache XMLBeans versions prior to 3.0.0 (January 13, 2021)

Description:
When parsing XML files using XMLBeans 2.6.0 or below, the underlying parser created by XMLBeans could be susceptible to XML External Entity (XXE) attacks.

This issue was fixed a few years ago but on review, we decided we should have a CVE to raise awareness of the issue.

Mitigation:
Affected users are advised to update to Apache XMLBeans 3.0.0 or above which fixes this vulnerability. XMLBeans 4.0.0 or above is preferable.
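
One way to locate affected copies before upgrading, as an added example that is not part of the original page or the XMLBeans project: a Python check that classifies XMLBeans versions found in jar file names and Maven POM dependencies against the 3.0.0 and 4.0.0 thresholds given above. The function names are hypothetical and the jar paths and POM text are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (3, 0, 0)      # advisory: update to 3.0.0 or above
PREFERRED = (4, 0, 0)  # advisory: 4.0.0 or above is preferable
JAR_RE = re.compile(r"(?:^|[/\\])xmlbeans-(\d[^/\\]*)\.jar$", re.IGNORECASE)

def classify(version):
    """Map a version string to 'vulnerable', 'fixed', 'preferred' or 'unknown'."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:  # e.g. an unresolved Maven property such as ${xmlbeans.version}
        return "unknown"
    parts = [int(p) for p in m.group(0).split(".")]
    v = tuple((parts + [0, 0, 0])[:3])  # pad "3.1" to (3, 1, 0)
    if v < FIXED:
        return "vulnerable"
    return "fixed" if v < PREFERRED else "preferred"

def scan_jar_paths(paths):
    """Return (path, version, status) for every xmlbeans-<version>.jar in paths."""
    hits = []
    for path in paths:
        m = JAR_RE.search(path)
        if m:
            hits.append((path, m.group(1), classify(m.group(1))))
    return hits

def scan_pom(pom_text):
    """Return (version, status) for each org.apache.xmlbeans:xmlbeans dependency."""
    hits = []
    for elem in ET.fromstring(pom_text).iter():
        if elem.tag.rsplit("}", 1)[-1] != "dependency":  # ignore the POM namespace
            continue
        fields = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in elem}
        if (fields.get("groupId"), fields.get("artifactId")) == ("org.apache.xmlbeans", "xmlbeans"):
            version = fields.get("version", "")
            hits.append((version, classify(version)))
    return hits

# Constructed sample input (not taken from any real project).
SAMPLE_JARS = ["lib/xmlbeans-2.6.0.jar", "lib/poi-4.1.2.jar",
               "WEB-INF/lib/xmlbeans-3.1.0.jar", "libs/xmlbeans-4.0.0.jar"]
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>org.apache.xmlbeans</groupId><artifactId>xmlbeans</artifactId><version>2.3.0</version></dependency>
  <dependency><groupId>org.apache.xmlbeans</groupId><artifactId>xmlbeans</artifactId><version>${xmlbeans.version}</version></dependency>
</dependencies></project>"""

if __name__ == "__main__":
    for hit in scan_jar_paths(SAMPLE_JARS) + scan_pom(SAMPLE_POM):
        print(hit)
```

An "unknown" result means the version could not be read from the text alone (for example a Maven property) and has to be resolved from the build itself.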

References: XML external entity attack

Release: Apache XMLBeans 4.0.0 (October 16, 2020)

Latest release files are available.

The Apache POI project has unretired the XMLBeans codebase since 3.0.0 and is maintaining it as a sub-project.

Some bug fixes (for a more complete list of changes see CHANGES.txt or JIRA).

Getting Started

Start off with your own stuff.

If you want to get right to it with your own XML schema and instance, follow these basic steps:

  1. Install XMLBeans.
  2. Compile your schema. Use scomp to compile the schema, generating and jarring Java types. For example, to create an employeeschema.jar from an employeeschema.xsd file:
    scomp -out employeeschema.jar employeeschema.xsd
  3. Write code. With the generated JAR on your classpath, write code to bind an XML instance to the Java types representing your schema. Here's an example that would use types generated from an employees schema:
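    // Requires java.io.File plus the types generated by scomp in step 2.
    // On XMLBeans 2.6.0 or below, parsing this way is exposed to CVE-2021-23926.
    // Backslashes in a Java string literal must be escaped.
    File xmlFile = new File("c:\\employees.xml");
    // Bind the instance to the generated XMLBeans types.
    EmployeesDocument empDoc =
        EmployeesDocument.Factory.parse(xmlFile);
    // Get and print pieces of the XML instance.
    Employees emps = empDoc.getEmployees();
    Employee[] empArray = emps.getEmployeeArray();
    for (int i = 0; i < empArray.length; i++)
    {
        System.out.println(empArray[i]);
    }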

Read a tutorial.

Read our tutorial to get a sense of XMLBeans basics.

Read documentation and other information.

On our documentation page, you'll find links to several topics that describe XMLBeans features and how to use them. You'll also find links to Javadoc reference on the XMLBeans API.

You can also check out the FAQ, which is updated with new answers as they're needed.

Don't forget the XMLBeans Wiki, which collects lots of valuable information.

Check out the samples.

Many of the XMLBeans features are illustrated in our samples.