RFR: 8330542: Add jaxp-strict.properties in preparation for a secure by default configuration [v8]

[Alan Bateman]

On Thu, 16 May 2024 22:20:39 GMT, Joe Wang <joehw at openjdk.org> wrote:

>> Add two sample configuration files:
>> 
>>   jaxp-strict.properties: used to set strict configuration, stricter than jaxp.properties in previous versions such as JDK 22
>> 
>>>   jaxp-compat.properties: used to regain compatibility from any more restricted configuration than previous versions such as JDK 22
>> 
>> Updated 5/16/2024
>> 
>> Design change:
>> The design is changed to include in the JDK two configuration files that are the default jaxp.properties and jaxp-strict.properties, instead of three, dropping jaxp-compat.properties.
>
> Joe Wang has updated the pull request incrementally with one additional commit since the last revision:
> 
>   remove jaxp-compat.properties from the list

src/java.xml/share/classes/module-info.java line 443:

> 441:  *     </ul>
> 442:  *
> 443:  * This file allows deployments to test the more secure/strict behavior,

I think it might be better to reduce this paragraph down to just say something like "Deploying with this configuation prevents processors from unknowingly making outbound network connections to fetch DTDs, or process XML that makes use of extension functions."

We could say that a future JDK release may use a strict configuration by default but that opens the door to questions as to whether the system property is needed, whether jaxp.propeteries is going away, so maybe better to leave that out for now.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/18831#discussion_r1604418621