RFR: 8330542: Add jaxp-strict.properties in preparation for a secure by default configuration [v10]

[Sean Mullan]

On Sun, 19 May 2024 05:01:32 GMT, Joe Wang <joehw at openjdk.org> wrote:

>> Add two sample configuration files:
>> 
>>   jaxp-strict.properties: used to set strict configuration, stricter than jaxp.properties in previous versions such as JDK 22
>> 
>>>   jaxp-compat.properties: used to regain compatibility from any more restricted configuration than previous versions such as JDK 22
>> 
>> Updated on 5/16/2024
>> 
>> Design change:
>> The design is changed to include in the JDK two configuration files that are the default jaxp.properties and jaxp-strict.properties, instead of three, dropping jaxp-compat.properties.
>> 
>> Updated on 5/18/2024
>> 
>> Withdraw changes to jaxp.properties. The original idea was to match jaxp-strict.properties with regard to the properties. However, that change impact the configuration process, resulting in tests that verify the process to fail.
>
> Joe Wang has updated the pull request incrementally with one additional commit since the last revision:
> 
>   withdraw changes to jaxp.properties. The configuration process has not changed, changing the default configuration would result in many failures that test the process.

src/java.xml/share/classes/module-info.java line 444:

> 442:  *
> 443:  * Deploying with this configuration prevents processors from unknowingly making
> 444:  * outbound network connections to fetch DTDs, or process XML that makes use of

s/process/processing/

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/18831#discussion_r1606737006