RFR: 8330542: Add two JAXP configuration files in preparation for a secure by default configuration [v6]

Alan Bateman alanb at openjdk.org
Wed May 8 06:35:53 UTC 2024


On Wed, 1 May 2024 22:33:29 GMT, Joe Wang <joehw at openjdk.org> wrote:

>> Add two sample configuration files:
>> 
>>   jaxp-strict.properties: used to set strict configuration, stricter than jaxp.properties in previous versions such as JDK 22
>> 
>>   jaxp-compat.properties: used to regain compatibility from any more restricted configuration than previous versions such as JDK 22
>
> Joe Wang has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Add implNote to java.xml module summary; Update make file; Update the config files; Add test.

Adding jaxp-strict.properties makes sense as it allows developers to identify issues that will arise in the future when XML processing is secure by default. If they deploy with -Djava.xml.config.file=jaxp-strict.properties, and jaxp-strict.properties is removed as part of moving to secure by default, then it should be okay too as the defaults will be strict.

I'm less sure about including jaxp-compat.properties in JDK 23. That's the config file to get temporary relief while you work through the issues with existing code or deployments that break when XML processing is secure by default. Adding it in JDK 23 sends the message that you can "prepare" your command line in advance, which I don't think should be a goal here.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/18831#issuecomment-2099840683

