SecurityManager sounds like a great solution but I have a few questions about it:
1. Are the limits per-document or per-parser? If per-parser, is there a reset mechanism?
2. If the limits are per-document, is this a multi-thread safe object or should one be created for each parser?

Thanks.
-Ben

-----Original Message-----
From: Neil Delima [mailto:[EMAIL PROTECTED]
Sent: Monday, May 03, 2004 11:04 AM
To: [EMAIL PROTECTED]
Subject: RE: DTD being resolved using non-validating parser?

"Benjamin Kolin" <[EMAIL PROTECTED]> wrote on 05/03/2004 01:50:35 PM:

> Followup question - what is considered the best method to defend
> against entity expansion DOS attacks? Specifically I am concerned
> about the internal DTD because the features you mentioned already give
> me control over the external DTD. It would be acceptable to me to
> ignore the internal DTD altogether. Thanks.

See the property: http://apache.org/xml/properties/security-manager [1]

[1] http://xml.apache.org/xerces2-j/properties.html
[2] http://xml.apache.org/xerces2-j/javadocs/xerces2/org/apache/xerces/util/SecurityManager.html
[3] http://xml.apache.org/xerces2-j/faq-write.html#faq-2

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
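The property discussed in this thread, wired into a Xerces SAX parser and checked against a document whose internal DTD subset declares nested entities. This is an added example, not code from the thread or from the Xerces project. It assumes xercesImpl is on the classpath; the class name, the limit values and the sample document are constructed for illustration, and creating one SecurityManager per parser is a choice made here that sidesteps the thread-safety question rather than answering it.

```java
import java.io.StringReader;
import org.apache.xerces.parsers.SAXParser;
import org.apache.xerces.util.SecurityManager;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class EntityLimitDemo {
    static final String SECURITY_MANAGER =
        "http://apache.org/xml/properties/security-manager";

    // Constructed sample: entities declared in the internal DTD subset,
    // nested three levels deep (c expands to 10 b's, each b to 10 a's).
    static final String DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE r [\n"
      + "  <!ENTITY a \"xxxxxxxxxx\">\n"
      + "  <!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">\n"
      + "  <!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\">\n"
      + "]>\n"
      + "<r>&c;</r>";

    // Build a parser with its own SecurityManager (one per parser is an
    // assumption made here so that no state is shared between threads).
    static SAXParser newParser(int limit) throws SAXException {
        SecurityManager sm = new SecurityManager();
        sm.setEntityExpansionLimit(limit);
        SAXParser parser = new SAXParser();
        parser.setProperty(SECURITY_MANAGER, sm);
        parser.setContentHandler(new DefaultHandler());
        parser.setErrorHandler(new DefaultHandler()); // rethrows fatal errors
        return parser;
    }

    // Returns true if the document parsed, false if the parser rejected it.
    static boolean parses(int limit) throws Exception {
        try {
            newParser(limit).parse(new InputSource(new StringReader(DOC)));
            return true;
        } catch (SAXException e) {
            System.out.println("limit " + limit + ": " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("limit 50   parsed: " + parses(50));
        System.out.println("limit 1000 parsed: " + parses(1000));
    }
}
```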