1.1 --- a/src/share/jaxws_classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java Thu Sep 26 10:43:28 2013 -0700 1.2 +++ b/src/share/jaxws_classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java Fri Oct 04 16:21:34 2013 +0100 1.3 @@ -84,11 +84,11 @@ 1.4 1.5 private static final Logger LOGGER = Logger.getLogger(XmlUtil.class.getName()); 1.6 1.7 - private static boolean globalSecureXmlProcessingEnabled; 1.8 + private static boolean XML_SECURITY_DISABLED; 1.9 1.10 static { 1.11 - String disableSecureXmlProcessing = System.getProperty("disableSecureXmlProcessing"); 1.12 - globalSecureXmlProcessingEnabled = disableSecureXmlProcessing == null || !Boolean.valueOf(disableSecureXmlProcessing); 1.13 + String disableXmlSecurity = System.getProperty("com.sun.xml.internal.ws.disableXmlSecurity"); 1.14 + XML_SECURITY_DISABLED = disableXmlSecurity == null || !Boolean.valueOf(disableXmlSecurity); 1.15 } 1.16 1.17 public static String getPrefix(String s) { 1.18 @@ -364,9 +364,9 @@ 1.19 public static DocumentBuilderFactory newDocumentBuilderFactory(boolean secureXmlProcessing) { 1.20 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); 1.21 try { 1.22 - factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, checkGlobalOverride(secureXmlProcessing)); 1.23 + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, isXMLSecurityDisabled(secureXmlProcessing)); 1.24 } catch (ParserConfigurationException e) { 1.25 - LOGGER.log(Level.WARNING, "Factory [{}] doesn't support secure xml processing!", new Object[] { factory.getClass().getName() } ); 1.26 + LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[] { factory.getClass().getName() } ); 1.27 } 1.28 return factory; 1.29 } 1.30 @@ -374,9 +374,9 @@ 1.31 public static TransformerFactory newTransformerFactory(boolean secureXmlProcessingEnabled) { 1.32 TransformerFactory factory = TransformerFactory.newInstance(); 1.33 try { 1.34 - factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, checkGlobalOverride(secureXmlProcessingEnabled)); 1.35 + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, isXMLSecurityDisabled(secureXmlProcessingEnabled)); 1.36 } catch (TransformerConfigurationException e) { 1.37 - LOGGER.log(Level.WARNING, "Factory [{}] doesn't support secure xml processing!", new Object[]{factory.getClass().getName()}); 1.38 + LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[]{factory.getClass().getName()}); 1.39 } 1.40 return factory; 1.41 } 1.42 @@ -388,9 +388,9 @@ 1.43 public static SAXParserFactory newSAXParserFactory(boolean secureXmlProcessingEnabled) { 1.44 SAXParserFactory factory = SAXParserFactory.newInstance(); 1.45 try { 1.46 - factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, checkGlobalOverride(secureXmlProcessingEnabled)); 1.47 + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, isXMLSecurityDisabled(secureXmlProcessingEnabled)); 1.48 } catch (Exception e) { 1.49 - LOGGER.log(Level.WARNING, "Factory [{}] doesn't support secure xml processing!", new Object[]{factory.getClass().getName()}); 1.50 + LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[]{factory.getClass().getName()}); 1.51 } 1.52 return factory; 1.53 } 1.54 @@ -398,16 +398,16 @@ 1.55 public static XPathFactory newXPathFactory(boolean secureXmlProcessingEnabled) { 1.56 XPathFactory factory = XPathFactory.newInstance(); 1.57 try { 1.58 - factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, checkGlobalOverride(secureXmlProcessingEnabled)); 1.59 + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, isXMLSecurityDisabled(secureXmlProcessingEnabled)); 1.60 } catch (XPathFactoryConfigurationException e) { 1.61 - LOGGER.log(Level.WARNING, "Factory [{}] doesn't support secure xml processing!", new Object[] { factory.getClass().getName() } ); 1.62 + LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[] { factory.getClass().getName() } ); 1.63 } 1.64 return factory; 1.65 } 1.66 1.67 public static XMLInputFactory newXMLInputFactory(boolean secureXmlProcessingEnabled) { 1.68 XMLInputFactory factory = XMLInputFactory.newInstance(); 1.69 - if (checkGlobalOverride(secureXmlProcessingEnabled)) { 1.70 + if (isXMLSecurityDisabled(secureXmlProcessingEnabled)) { 1.71 // TODO-Miran: are those apppropriate defaults? 1.72 factory.setProperty(XMLInputFactory.SUPPORT_DTD, false); 1.73 factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); 1.74 @@ -415,25 +415,39 @@ 1.75 return factory; 1.76 } 1.77 1.78 - private static boolean checkGlobalOverride(boolean localSecureXmlProcessingEnabled) { 1.79 - return globalSecureXmlProcessingEnabled && localSecureXmlProcessingEnabled; 1.80 + private static boolean isXMLSecurityDisabled(boolean runtimeDisabled) { 1.81 + return XML_SECURITY_DISABLED || runtimeDisabled; 1.82 } 1.83 1.84 - public static SchemaFactory allowFileAccess(SchemaFactory sf, boolean disableSecureProcessing) { 1.85 + public static SchemaFactory allowExternalAccess(SchemaFactory sf, String value, boolean disableSecureProcessing) { 1.86 1.87 - // if feature secure processing enabled, nothing to do, file is allowed, 1.88 - // or user is able to control access by standard JAXP mechanisms 1.89 - if (checkGlobalOverride(disableSecureProcessing)) { 1.90 + // if xml security (feature secure processing) disabled, nothing to do, no restrictions applied 1.91 + if (isXMLSecurityDisabled(disableSecureProcessing)) { 1.92 + if (LOGGER.isLoggable(Level.FINE)) { 1.93 + LOGGER.log(Level.FINE, "Xml Security disabled, no JAXP xsd external access configuration necessary."); 1.94 + } 1.95 + return sf; 1.96 + } 1.97 + 1.98 + if (System.getProperty("javax.xml.accessExternalSchema") != null) { 1.99 + if (LOGGER.isLoggable(Level.FINE)) { 1.100 + LOGGER.log(Level.FINE, "Detected explicitly JAXP configuration, no JAXP xsd external access configuration necessary."); 1.101 + } 1.102 return sf; 1.103 } 1.104 1.105 try { 1.106 - sf.setProperty(ACCESS_EXTERNAL_SCHEMA, "file"); 1.107 - LOGGER.log(Level.FINE, "Property \"{}\" is supported and has been successfully set by used JAXP implementation.", new Object[]{ACCESS_EXTERNAL_SCHEMA}); 1.108 + sf.setProperty(ACCESS_EXTERNAL_SCHEMA, value); 1.109 + if (LOGGER.isLoggable(Level.FINE)) { 1.110 + LOGGER.log(Level.FINE, "Property \"{0}\" is supported and has been successfully set by used JAXP implementation.", new Object[]{ACCESS_EXTERNAL_SCHEMA}); 1.111 + } 1.112 } catch (SAXException ignored) { 1.113 - // depending on JDK/SAX implementation used 1.114 - LOGGER.log(Level.CONFIG, "Property \"{}\" is not supported by used JAXP implementation.", new Object[]{ACCESS_EXTERNAL_SCHEMA}); 1.115 + // nothing to do; support depends on version JDK or SAX implementation 1.116 + if (LOGGER.isLoggable(Level.CONFIG)) { 1.117 + LOGGER.log(Level.CONFIG, "Property \"{0}\" is not supported by used JAXP implementation.", new Object[]{ACCESS_EXTERNAL_SCHEMA}); 1.118 + } 1.119 } 1.120 return sf; 1.121 } 1.122 + 1.123 }