[
https://issues.apache.org/jira/browse/DERBY-6233?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13670284#comment-13670284
]
Knut Anders Hatlen commented on DERBY-6233:
-------------------------------------------
The 01-a patch treats the issue as a test/configuration problem and doesn't
make any changes to the product code. This means users who come across the
problem when upgrading to JDK 8 will have to find a way to work around it
themselves, for example by setting the system property used in the test. Let's
call this option 1.
We could also regard it as a product issue and try to fix it so that users who
upgrade to JDK 8 don't get hit by it. Then we have at least these two options:
2) Configure SqlXmlUtil's DocumentBuilderFactory so that external DTDs can be
retrieved without setting the system property.
3) Configure SqlXmlUtil's DocumentBuilderFactory so that it ignores external
DTDs.
Option 2 would make JDK 8's change in behaviour completely transparent to the
users, and they would not have to change their application. So it's probably
the best option from a compatibility point of view. However, this restriction
was added to JDK 8 for a reason, and I don't think we'd want to bypass this
extra security check without the users' explicit consent.
Option 3 would have been fine if the parser didn't actually use the DTD. In
fact, it doesn't use it for validating the XML document, because the SQL spec
says the XMLPARSE function should do "a non-validating parse" of the input
string. However, it does use the DTD for filling in default attribute values in
the stored document. And we also have tests that verify that default values are
used if attributes are not specified, so such a change may break applications
that rely on this functionality.
Since the alternatives seem to be either disabling a security feature by
default, or breaking a different set of applications, I'm leaning towards
option 1 with a workaround in the affected test, as implemented by the 01-a
patch. I think the main disadvantage with using that workaround in an
application, is that it's a global switch that affects all XML parsers in the
JVM, not only the one used by Derby. If this turns out to be a problem for
users when they upgrade to JDK 8, we may consider adding functionality that
gives users a more targeted workaround. For example, we could add a database
property that controls how the parser handles DTDs per database.
> XMLBindingTest fails on latest JDK 8 EA
> ---------------------------------------
>
> Key: DERBY-6233
> URL: https://issues.apache.org/jira/browse/DERBY-6233
> Project: Derby
> Issue Type: Bug
> Components: Test
> Affects Versions: 10.11.0.0
> Environment: java version "1.8.0-ea"
> Java(TM) SE Runtime Environment (build 1.8.0-ea-b91)
> Java HotSpot(TM) 64-Bit Server VM (build 25.0-b33, mixed mode)
> Reporter: Knut Anders Hatlen
> Attachments: derby-6233-01-a.diff
>
>
> java.sql.SQLDataException: Invalid XML Document: External DTD: Failed to read
> external DTD 'personal.dtd', because 'file' access is not allowed.
> at
> org.apache.derby.impl.jdbc.SQLExceptionFactory40.getSQLException(SQLExceptionFactory40.java:79)
> at org.apache.derby.impl.jdbc.Util.newEmbedSQLException(Util.java:148)
> at org.apache.derby.impl.jdbc.Util.seeNextException(Util.java:349)
> at
> org.apache.derby.impl.jdbc.TransactionResourceImpl.wrapInSQLException(TransactionResourceImpl.java:431)
> at
> org.apache.derby.impl.jdbc.TransactionResourceImpl.handleException(TransactionResourceImpl.java:353)
> at
> org.apache.derby.impl.jdbc.EmbedConnection.handleException(EmbedConnection.java:2396)
> at
> org.apache.derby.impl.jdbc.ConnectionChild.handleException(ConnectionChild.java:85)
> at
> org.apache.derby.impl.jdbc.EmbedStatement.executeStatement(EmbedStatement.java:1438)
> at
> org.apache.derby.impl.jdbc.EmbedPreparedStatement.executeStatement(EmbedPreparedStatement.java:1695)
> at
> org.apache.derby.impl.jdbc.EmbedPreparedStatement.execute(EmbedPreparedStatement.java:1379)
> at org.apache.derbyTesting.junit.XML.insertDocWithDTD(XML.java:240)
> at
> org.apache.derbyTesting.functionTests.tests.lang.XMLBindingTest$XBindTestSetup.setUp(XMLBindingTest.java:301)
> at junit.extensions.TestSetup$1.protect(TestSetup.java:22)
> at junit.extensions.TestSetup.run(TestSetup.java:27)
> at
> org.apache.derbyTesting.junit.BaseTestSetup.run(BaseTestSetup.java:57)
> at junit.extensions.TestDecorator.basicRun(TestDecorator.java:24)
> at junit.extensions.TestSetup$1.protect(TestSetup.java:23)
> at junit.extensions.TestSetup.run(TestSetup.java:27)
> Caused by: java.sql.SQLException: Invalid XML Document: External DTD: Failed
> to read external DTD 'personal.dtd', because 'file' access is not allowed.
> at
> org.apache.derby.impl.jdbc.SQLExceptionFactory.getSQLException(SQLExceptionFactory.java:42)
> at
> org.apache.derby.impl.jdbc.SQLExceptionFactory40.wrapArgsForTransportAcrossDRDA(SQLExceptionFactory40.java:126)
> at
> org.apache.derby.impl.jdbc.SQLExceptionFactory40.getSQLException(SQLExceptionFactory40.java:71)
> Caused by: java.sql.SQLException: Java exception: 'External DTD: Failed to
> read external DTD 'personal.dtd', because 'file' access is not allowed.:
> org.xml.sax.SAXException'.
> at
> org.apache.derby.impl.jdbc.SQLExceptionFactory.getSQLException(SQLExceptionFactory.java:42)
> at
> org.apache.derby.impl.jdbc.SQLExceptionFactory40.wrapArgsForTransportAcrossDRDA(SQLExceptionFactory40.java:126)
> at
> org.apache.derby.impl.jdbc.SQLExceptionFactory40.getSQLException(SQLExceptionFactory40.java:71)
> at org.apache.derby.impl.jdbc.Util.newEmbedSQLException(Util.java:148)
> at org.apache.derby.impl.jdbc.Util.javaException(Util.java:370)
> at
> org.apache.derby.impl.jdbc.TransactionResourceImpl.wrapInSQLException(TransactionResourceImpl.java:436)
> at
> org.apache.derby.impl.jdbc.TransactionResourceImpl.wrapInSQLException(TransactionResourceImpl.java:432)
> Caused by: org.xml.sax.SAXException: External DTD: Failed to read external
> DTD 'personal.dtd', because 'file' access is not allowed.
> org.xml.sax.SAXParseException; lineNumber: 20; columnNumber: 119; External
> DTD: Failed to read external DTD 'personal.dtd', because 'file' access is not
> allowed.
> at
> org.apache.derby.iapi.types.SqlXmlUtil$XMLErrorHandler.fatalError(SqlXmlUtil.java:767)
> at
> com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(ErrorHandlerWrapper.java:180)
> at
> com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:441)
> at
> com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:368)
> at
> com.sun.org.apache.xerces.internal.impl.XMLScanner.reportFatalError(XMLScanner.java:1388)
> at
> com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$DTDDriver.dispatch(XMLDocumentScannerImpl.java:1158)
> at
> com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$DTDDriver.next(XMLDocumentScannerImpl.java:1050)
> at
> com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl$PrologDriver.next(XMLDocumentScannerImpl.java:964)
> at
> com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:606)
> at
> com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(XMLNSDocumentScannerImpl.java:116)
> at
> com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:509)
> at
> com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:858)
> at
> com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:787)
> at
> com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:123)
> at
> com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(DOMParser.java:237)
> at
> com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:329)
> at org.apache.derby.iapi.types.SqlXmlUtil$1.run(SqlXmlUtil.java:320)
> at org.apache.derby.iapi.types.SqlXmlUtil$1.run(SqlXmlUtil.java:317)
> at java.security.AccessController.doPrivileged(Native Method)
> at
> org.apache.derby.iapi.types.SqlXmlUtil.serializeToString(SqlXmlUtil.java:315)
> at org.apache.derby.iapi.types.XML.XMLParse(XML.java:632)
> at
> org.apache.derby.exe.acbfcc1aadx013exeff7x4f4fx000077cfc4780.e0(Unknown
> Source)
> at
> org.apache.derby.impl.services.reflect.DirectCall.invoke(ReflectGeneratedClass.java:101)
> at
> org.apache.derby.impl.sql.execute.RowResultSet.getNextRowCore(RowResultSet.java:148)
> at
> org.apache.derby.impl.sql.execute.NormalizeResultSet.getNextRowCore(NormalizeResultSet.java:185)
> at
> org.apache.derby.impl.sql.execute.DMLWriteResultSet.getNextRowCore(DMLWriteResultSet.java:128)
> at
> org.apache.derby.impl.sql.execute.InsertResultSet.open(InsertResultSet.java:520)
> at
> org.apache.derby.impl.sql.GenericPreparedStatement.executeStmt(GenericPreparedStatement.java:453)
> at
> org.apache.derby.impl.sql.GenericPreparedStatement.execute(GenericPreparedStatement.java:334)
> at
> org.apache.derby.impl.jdbc.EmbedStatement.executeStatement(EmbedStatement.java:1346)
> Caused by: org.xml.sax.SAXParseException; lineNumber: 20; columnNumber: 119;
> External DTD: Failed to read external DTD 'personal.dtd', because 'file'
> access is not allowed.
> at
> com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:203)
> at
> com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(ErrorHandlerWrapper.java:177)
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
