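--- /dev/null
+++ b/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/util/XmlFactory.java
@@ -0,0 +1,258 @@
+/*
+ * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package com.sun.xml.internal.bind.v2.util;
+
+import com.sun.xml.internal.bind.Util;
+import com.sun.xml.internal.bind.v2.Messages;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParserFactory;
+import javax.xml.transform.TransformerConfigurationException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.validation.SchemaFactory;
+import javax.xml.xpath.XPathFactory;
+import javax.xml.xpath.XPathFactoryConfigurationException;
+
+import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
+
+import static com.sun.xml.internal.bind.Util.getSystemProperty;
+
+/**
+ * Provides helper methods for creating properly configured XML parser
+ * factory instances with namespace support turned on and configured for
+ * security.
+ * @author snajper
+ */
+public class XmlFactory {
+
+ // not in older JDK, so must be duplicated here, otherwise javax.xml.XMLConstants should be used
+ public static final String ACCESS_EXTERNAL_SCHEMA = "http://javax.xml.XMLConstants/property/accessExternalSchema";
+ public static final String ACCESS_EXTERNAL_DTD = "http://javax.xml.XMLConstants/property/accessExternalDTD";
+
+ private static final Logger LOGGER = Logger.getLogger(XmlFactory.class.getName());
+
+ /**
+ * If true XML security features when parsing XML documents will be disabled.
+ * The default value is false.
+ *
+ * Boolean
+ * @since 2.2.6
+ */
+ private static final String DISABLE_XML_SECURITY = "com.sun.xml.internal.bind.disableXmlSecurity";
+
+ public static final boolean XML_SECURITY_DISABLED = Boolean.parseBoolean(getSystemProperty(DISABLE_XML_SECURITY));
+
+ private static boolean isXMLSecurityDisabled(boolean runtimeSetting) {
+ return XML_SECURITY_DISABLED || runtimeSetting;
+ }
+
+ /**
+ * Returns properly configured (e.g. security features) schema factory
+ * - namespaceAware == true
+ * - securityProcessing == is set based on security processing property, default is true
+ */
+ public static SchemaFactory createSchemaFactory(final String language, boolean disableSecureProcessing) throws IllegalStateException {
+ try {
+ SchemaFactory factory = SchemaFactory.newInstance(language);
+ if (LOGGER.isLoggable(Level.FINE)) {
+ LOGGER.log(Level.FINE, "SchemaFactory instance: {0}", factory);
+ }
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
+ return factory;
+ } catch (SAXNotRecognizedException ex) {
+ LOGGER.log(Level.SEVERE, null, ex);
+ throw new IllegalStateException(ex);
+ } catch (SAXNotSupportedException ex) {
+ LOGGER.log(Level.SEVERE, null, ex);
+ throw new IllegalStateException(ex);
+ } catch (AbstractMethodError er) {
+ LOGGER.log(Level.SEVERE, null, er);
+ throw new IllegalStateException(Messages.INVALID_JAXP_IMPLEMENTATION.format(), er);
+ }
+ }
+
+ /**
+ * Returns properly configured (e.g. security features) parser factory
+ * - namespaceAware == true
+ * - securityProcessing == is set based on security processing property, default is true
+ */
+ public static SAXParserFactory createParserFactory(boolean disableSecureProcessing) throws IllegalStateException {
+ try {
+ SAXParserFactory factory = SAXParserFactory.newInstance();
+ if (LOGGER.isLoggable(Level.FINE)) {
+ LOGGER.log(Level.FINE, "SAXParserFactory instance: {0}", factory);
+ }
+ factory.setNamespaceAware(true);
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
+ return factory;
+ } catch (ParserConfigurationException ex) {
+ LOGGER.log(Level.SEVERE, null, ex);
+ throw new IllegalStateException( ex);
+ } catch (SAXNotRecognizedException ex) {
+ LOGGER.log(Level.SEVERE, null, ex);
+ throw new IllegalStateException( ex);
+ } catch (SAXNotSupportedException ex) {
+ LOGGER.log(Level.SEVERE, null, ex);
+ throw new IllegalStateException( ex);
+ } catch (AbstractMethodError er) {
+ LOGGER.log(Level.SEVERE, null, er);
+ throw new IllegalStateException(Messages.INVALID_JAXP_IMPLEMENTATION.format(), er);
+ }
+ }
+
+ /**
+ * Returns properly configured (e.g. security features) factory
+ * - securityProcessing == is set based on security processing property, default is true
+ */
+ public static XPathFactory createXPathFactory(boolean disableSecureProcessing) throws IllegalStateException {
+ try {
+ XPathFactory factory = XPathFactory.newInstance();
+ if (LOGGER.isLoggable(Level.FINE)) {
+ LOGGER.log(Level.FINE, "XPathFactory instance: {0}", factory);
+ }
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
+ return factory;
+ } catch (XPathFactoryConfigurationException ex) {
+ LOGGER.log(Level.SEVERE, null, ex);
+ throw new IllegalStateException( ex);
+ } catch (AbstractMethodError er) {
+ LOGGER.log(Level.SEVERE, null, er);
+ throw new IllegalStateException(Messages.INVALID_JAXP_IMPLEMENTATION.format(), er);
+ }
+ }
+
+ /**
+ * Returns properly configured (e.g. security features) factory
+ * - securityProcessing == is set based on security processing property, default is true
+ */
+ public static TransformerFactory createTransformerFactory(boolean disableSecureProcessing) throws IllegalStateException {
+ try {
+ TransformerFactory factory = TransformerFactory.newInstance();
+ if (LOGGER.isLoggable(Level.FINE)) {
+ LOGGER.log(Level.FINE, "TransformerFactory instance: {0}", factory);
+ }
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
+ return factory;
+ } catch (TransformerConfigurationException ex) {
+ LOGGER.log(Level.SEVERE, null, ex);
+ throw new IllegalStateException( ex);
+ } catch (AbstractMethodError er) {
+ LOGGER.log(Level.SEVERE, null, er);
+ throw new IllegalStateException(Messages.INVALID_JAXP_IMPLEMENTATION.format(), er);
+ }
+ }
+
+ /**
+ * Returns properly configured (e.g. security features) factory
+ * - namespaceAware == true
+ * - securityProcessing == is set based on security processing property, default is true
+ */
+ public static DocumentBuilderFactory createDocumentBuilderFactory(boolean disableSecureProcessing) throws IllegalStateException {
+ try {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ if (LOGGER.isLoggable(Level.FINE)) {
+ LOGGER.log(Level.FINE, "DocumentBuilderFactory instance: {0}", factory);
+ }
+ factory.setNamespaceAware(true);
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
+ return factory;
+ } catch (ParserConfigurationException ex) {
+ LOGGER.log(Level.SEVERE, null, ex);
+ throw new IllegalStateException( ex);
+ } catch (AbstractMethodError er) {
+ LOGGER.log(Level.SEVERE, null, er);
+ throw new IllegalStateException(Messages.INVALID_JAXP_IMPLEMENTATION.format(), er);
+ }
+ }
+
+ public static SchemaFactory allowExternalAccess(SchemaFactory sf, String value, boolean disableSecureProcessing) {
+
+ // if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
+ if (isXMLSecurityDisabled(disableSecureProcessing)) {
+ if (LOGGER.isLoggable(Level.FINE)) {
+ LOGGER.log(Level.FINE, Messages.JAXP_XML_SECURITY_DISABLED.format());
+ }
+ return sf;
+ }
+
+ if (System.getProperty("javax.xml.accessExternalSchema") != null) {
+ if (LOGGER.isLoggable(Level.FINE)) {
+ LOGGER.log(Level.FINE, Messages.JAXP_EXTERNAL_ACCESS_CONFIGURED.format());
+ }
+ return sf;
+ }
+
+ try {
+ sf.setProperty(ACCESS_EXTERNAL_SCHEMA, value);
+ if (LOGGER.isLoggable(Level.FINE)) {
+ LOGGER.log(Level.FINE, Messages.JAXP_SUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_SCHEMA));
+ }
+ } catch (SAXException ignored) {
+ // nothing to do; support depends on version JDK or SAX implementation
+ if (LOGGER.isLoggable(Level.CONFIG)) {
+ LOGGER.log(Level.CONFIG, Messages.JAXP_UNSUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_SCHEMA), ignored);
+ }
+ }
+ return sf;
+ }
+
+ public static SchemaFactory allowExternalDTDAccess(SchemaFactory sf, String value, boolean disableSecureProcessing) {
+
+ // if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
+ if (isXMLSecurityDisabled(disableSecureProcessing)) {
+ if (LOGGER.isLoggable(Level.FINE)) {
+ LOGGER.log(Level.FINE, Messages.JAXP_XML_SECURITY_DISABLED.format());
+ }
+ return sf;
+ }
+
+ if (System.getProperty("javax.xml.accessExternalDTD") != null) {
+ if (LOGGER.isLoggable(Level.FINE)) {
+ LOGGER.log(Level.FINE, Messages.JAXP_EXTERNAL_ACCESS_CONFIGURED.format());
+ }
+ return sf;
+ }
+
+ try {
+ sf.setProperty(ACCESS_EXTERNAL_DTD, value);
+ if (LOGGER.isLoggable(Level.FINE)) {
+ LOGGER.log(Level.FINE, Messages.JAXP_SUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_DTD));
+ }
+ } catch (SAXException ignored) {
+ // nothing to do; support depends on version JDK or SAX implementation
+ if (LOGGER.isLoggable(Level.CONFIG)) {
+ LOGGER.log(Level.CONFIG, Messages.JAXP_UNSUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_DTD), ignored);
+ }
+ }
+ return sf;
+ }
+
+}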
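Review bot: The five create*Factory methods switch FEATURE_SECURE_PROCESSING off without leaving a trace when `isXMLSecurityDisabled(disableSecureProcessing)` is true; the only logging on that path is the FINE-level "instance" message, so a JVM started with `com.sun.xml.internal.bind.disableXmlSecurity=true`, or a caller passing `true`, parses with the hardening removed and nothing in default logs shows it. allowExternalAccess and allowExternalDTDAccess do report the condition, but likewise only at FINE. I would record the process-wide case once at a level that is on by default, for example a static initializer placed after the `XML_SECURITY_DISABLED` declaration with `if (XML_SECURITY_DISABLED) LOGGER.log(Level.WARNING, Messages.JAXP_XML_SECURITY_DISABLED.format());`, and add Javadoc on `XML_SECURITY_DISABLED` stating that it overrides every caller's `disableSecureProcessing == false`. Both allow* helpers also catch `SAXException` from `sf.setProperty(...)` and carry on after a CONFIG-level message, so on an implementation that rejects the property the restriction is simply not applied; each method needs a Javadoc sentence saying it is best-effort and that the returned factory may be unrestricted.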