XMLReader secure processing
Joe Wang
huizhe.wang at oracle.com
Mon Oct 24 20:51:24 UTC 2016
On 10/24/16, 10:40 AM, Bernd wrote:
> Hello,
>
> I am somewhat lost on how to enable or control the secure processing in the
> XMLReader.
>
> You can use XMLConstants.FEATURE_SECURE_PROCESSING and/or
> XMLConstants.ACCESS_EXTERNAL_{DTD,SCHEMA} only on the SAXParserFactory, but
> not XMLReader(Factory).
>
> Is this an oversight or am I missing something?
It's not part of the JAXP API (javax.xml.*), but was included as
endorsed. I assume XMLReaderFactory was included in the JAXP API package
for compatibility since it existed before JAXP API was created, and that
was probably why it didn't have the same support in terms of features.
Note that, in JDK 9, XMLReaderFactory is deprecated. Users are
encouraged to use SAXParserFactory instead.
>
> This seems to be a work around (at least for Oracle RI):
This is therefore not a "work-around", but the supported API.
>
> SAXParserFactory spf = SAXParserFactory.newInstance();
> spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
>
> SAXParser parser = spf.newSAXParser();
> System.out.println("external dtd: " +
> parser.getProperty(XMLConstants.ACCESS_EXTERNAL_DTD));
> XMLReader reader = parser.getXMLReader();
>
> In this case the protocols is "all" for FSP=false and "" for FSP=true.
ACCESS_* is "all" by default, even though FSP is true. They will be set
to "" or not allow external access if FSP is explicitly set.
>
> XMLConstants Javadoc does not talk about XMLReader, hm.
>
>
> BTW: while investigating I noticed the changed default for secure
> processing is not reflected by the comment:
>
> com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl.java
> /**
> L64* State of the secure processing feature, initially<code>false</code>
> */
> private boolean fSecureProcess = true;
>
>
> http://hg.openjdk.java.net/jdk9/jdk9/jaxp/file/6d980e959726/src/java.xml/share/classes/com/sun/org/apache/xerces/internal/jaxp/SAXParserFactoryImpl.java#l64
Thanks, will get that fixed in the next bug fix.
Best,
Joe
>
>
> Gruss
> Bernd
More information about the core-libs-dev
mailing list