On 10/24/16, 10:40 AM, Bernd wrote:
Hello,
I am somewhat lost on how to enable or control the secure processing in the
XMLReader.
You can use XMLConstants.FEATURE_SECURE_PROCESSING and/or
XMLConstants.ACCESS_EXTERNAL_{DTD,SCHEMA} only on the SAXParserFactory, but
not XMLReader(Factory).
Is this an oversight or am I missing something?
It's not part of the JAXP API (javax.xml.*), but was included as
endorsed. I assume XMLReaderFactory was included in the JAXP API package
for compatibility since it existed before JAXP API was created, and that
was probably why it didn't have the same support in terms of features.
Note that, in JDK 9, XMLReaderFactory is deprecated. Users are
encouraged to use SAXParserFactory instead.
This seems to be a work around (at least for Oracle RI):
This is therefore not a "work-around", but the supported API.
SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
SAXParser parser = spf.newSAXParser();
System.out.println("external dtd: " +
parser.getProperty(XMLConstants.ACCESS_EXTERNAL_DTD));
XMLReader reader = parser.getXMLReader();
In this case the protocols is "all" for FSP=false and "" for FSP=true.
ACCESS_* is "all" by default, even though FSP is true. They will be set
to "" or not allow external access if FSP is explicitly set.
XMLConstants Javadoc does not talk about XMLReader, hm.
BTW: while investigating I noticed the changed default for secure
processing is not reflected by the comment:
com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl.java
/**
L64* State of the secure processing feature, initially<code>false</code>
*/
private boolean fSecureProcess = true;
http://hg.openjdk.java.net/jdk9/jdk9/jaxp/file/6d980e959726/src/java.xml/share/classes/com/sun/org/apache/xerces/internal/jaxp/SAXParserFactoryImpl.java#l64
Thanks, will get that fixed in the next bug fix.
Best,
Joe
Gruss
Bernd
