1 /* |
1 /* |
2 * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. |
2 * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 * |
4 * |
5 * This code is free software; you can redistribute it and/or modify it |
5 * This code is free software; you can redistribute it and/or modify it |
6 * under the terms of the GNU General Public License version 2 only, as |
6 * under the terms of the GNU General Public License version 2 only, as |
7 * published by the Free Software Foundation. Oracle designates this |
7 * published by the Free Software Foundation. Oracle designates this |
36 import javax.xml.transform.TransformerConfigurationException; |
36 import javax.xml.transform.TransformerConfigurationException; |
37 import javax.xml.transform.TransformerFactory; |
37 import javax.xml.transform.TransformerFactory; |
38 import javax.xml.validation.SchemaFactory; |
38 import javax.xml.validation.SchemaFactory; |
39 import javax.xml.xpath.XPathFactory; |
39 import javax.xml.xpath.XPathFactory; |
40 import javax.xml.xpath.XPathFactoryConfigurationException; |
40 import javax.xml.xpath.XPathFactoryConfigurationException; |
|
41 |
|
42 import org.xml.sax.SAXException; |
41 import org.xml.sax.SAXNotRecognizedException; |
43 import org.xml.sax.SAXNotRecognizedException; |
42 import org.xml.sax.SAXNotSupportedException; |
44 import org.xml.sax.SAXNotSupportedException; |
43 |
45 |
44 /** |
46 /** |
45 * Provides helper methods for creating properly configured XML parser |
47 * Provides helper methods for creating properly configured XML parser |
47 * security. |
49 * security. |
48 * @author snajper |
50 * @author snajper |
49 */ |
51 */ |
50 public class XmlFactory { |
52 public class XmlFactory { |
51 |
53 |
|
54 // not in older JDK, so must be duplicated here, otherwise javax.xml.XMLConstants should be used |
|
55 public static final String ACCESS_EXTERNAL_SCHEMA = "http://javax.xml.XMLConstants/property/accessExternalSchema"; |
|
56 |
52 private static final Logger LOGGER = Logger.getLogger(XmlFactory.class.getName()); |
57 private static final Logger LOGGER = Logger.getLogger(XmlFactory.class.getName()); |
53 |
58 |
54 /** |
59 /** |
55 * If true XML security features when parsing XML documents will be disabled. |
60 * If true XML security features when parsing XML documents will be disabled. |
56 * The default value is false. |
61 * The default value is false. |
184 LOGGER.log(Level.SEVERE, null, er); |
189 LOGGER.log(Level.SEVERE, null, er); |
185 throw new IllegalStateException(Messages.INVALID_JAXP_IMPLEMENTATION.format(), er); |
190 throw new IllegalStateException(Messages.INVALID_JAXP_IMPLEMENTATION.format(), er); |
186 } |
191 } |
187 } |
192 } |
188 |
193 |
|
194 public static SchemaFactory allowFileAccess(SchemaFactory sf, boolean disableSecureProcessing) { |
|
195 |
|
196 // if feature secure processing enabled, nothing to do, file is allowed, |
|
197 // or user is able to control access by standard JAXP mechanisms |
|
198 if (disableSecureProcessing) { |
|
199 return sf; |
|
200 } |
|
201 |
|
202 try { |
|
203 sf.setProperty(ACCESS_EXTERNAL_SCHEMA, "file"); |
|
204 LOGGER.log(Level.FINE, Messages.JAXP_SUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_SCHEMA)); |
|
205 } catch (SAXException ignored) { |
|
206 // nothing to do; support depends on version JDK or SAX implementation |
|
207 LOGGER.log(Level.CONFIG, Messages.JAXP_UNSUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_SCHEMA), ignored); |
|
208 } |
|
209 return sf; |
|
210 } |
|
211 |
189 } |
212 } |
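Review bot: The comment at the top of the new `allowFileAccess` contradicts the guard below it, because the early return is taken when `disableSecureProcessing` is true, i.e. when secure processing is off; it should read something like `// secure processing disabled: JAXP applies no external-access restriction, nothing to relax`. The method is public and has no Javadoc. A short one should say that on the secure path it sets `accessExternalSchema` to `"file"`, so `schemaLocation`, import and include references may be resolved from the local filesystem, and that it is therefore meant for factories that compile trusted schemas only. It should also note that a `SAXException` from `setProperty` is logged at `CONFIG` and the factory is returned unchanged, so callers cannot tell from the return value whether the property was applied. The catch variable is named `ignored` but is passed to the logger, so a name such as `e` would be less misleading.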