1.1 --- a/src/share/jaxws_classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java Thu Sep 26 10:43:28 2013 -0700
1.2 +++ b/src/share/jaxws_classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java Fri Oct 04 16:21:34 2013 +0100
1.3 @@ -84,11 +84,11 @@
1.4
1.5 private static final Logger LOGGER = Logger.getLogger(XmlUtil.class.getName());
1.6
1.7 - private static boolean globalSecureXmlProcessingEnabled;
1.8 + private static boolean XML_SECURITY_DISABLED;
1.9
1.10 static {
1.11 - String disableSecureXmlProcessing = System.getProperty("disableSecureXmlProcessing");
1.12 - globalSecureXmlProcessingEnabled = disableSecureXmlProcessing == null || !Boolean.valueOf(disableSecureXmlProcessing);
1.13 + String disableXmlSecurity = System.getProperty("com.sun.xml.internal.ws.disableXmlSecurity");
1.14 + XML_SECURITY_DISABLED = disableXmlSecurity == null || !Boolean.valueOf(disableXmlSecurity);
1.15 }
1.16
1.17 public static String getPrefix(String s) {
1.18 @@ -364,9 +364,9 @@
1.19 public static DocumentBuilderFactory newDocumentBuilderFactory(boolean secureXmlProcessing) {
1.20 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
1.21 try {
1.22 - factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, checkGlobalOverride(secureXmlProcessing));
1.23 + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, isXMLSecurityDisabled(secureXmlProcessing));
1.24 } catch (ParserConfigurationException e) {
1.25 - LOGGER.log(Level.WARNING, "Factory [{}] doesn't support secure xml processing!", new Object[] { factory.getClass().getName() } );
1.26 + LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[] { factory.getClass().getName() } );
1.27 }
1.28 return factory;
1.29 }
1.30 @@ -374,9 +374,9 @@
1.31 public static TransformerFactory newTransformerFactory(boolean secureXmlProcessingEnabled) {
1.32 TransformerFactory factory = TransformerFactory.newInstance();
1.33 try {
1.34 - factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, checkGlobalOverride(secureXmlProcessingEnabled));
1.35 + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, isXMLSecurityDisabled(secureXmlProcessingEnabled));
1.36 } catch (TransformerConfigurationException e) {
1.37 - LOGGER.log(Level.WARNING, "Factory [{}] doesn't support secure xml processing!", new Object[]{factory.getClass().getName()});
1.38 + LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[]{factory.getClass().getName()});
1.39 }
1.40 return factory;
1.41 }
1.42 @@ -388,9 +388,9 @@
1.43 public static SAXParserFactory newSAXParserFactory(boolean secureXmlProcessingEnabled) {
1.44 SAXParserFactory factory = SAXParserFactory.newInstance();
1.45 try {
1.46 - factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, checkGlobalOverride(secureXmlProcessingEnabled));
1.47 + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, isXMLSecurityDisabled(secureXmlProcessingEnabled));
1.48 } catch (Exception e) {
1.49 - LOGGER.log(Level.WARNING, "Factory [{}] doesn't support secure xml processing!", new Object[]{factory.getClass().getName()});
1.50 + LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[]{factory.getClass().getName()});
1.51 }
1.52 return factory;
1.53 }
1.54 @@ -398,16 +398,16 @@
1.55 public static XPathFactory newXPathFactory(boolean secureXmlProcessingEnabled) {
1.56 XPathFactory factory = XPathFactory.newInstance();
1.57 try {
1.58 - factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, checkGlobalOverride(secureXmlProcessingEnabled));
1.59 + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, isXMLSecurityDisabled(secureXmlProcessingEnabled));
1.60 } catch (XPathFactoryConfigurationException e) {
1.61 - LOGGER.log(Level.WARNING, "Factory [{}] doesn't support secure xml processing!", new Object[] { factory.getClass().getName() } );
1.62 + LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[] { factory.getClass().getName() } );
1.63 }
1.64 return factory;
1.65 }
1.66
1.67 public static XMLInputFactory newXMLInputFactory(boolean secureXmlProcessingEnabled) {
1.68 XMLInputFactory factory = XMLInputFactory.newInstance();
1.69 - if (checkGlobalOverride(secureXmlProcessingEnabled)) {
1.70 + if (isXMLSecurityDisabled(secureXmlProcessingEnabled)) {
1.71 // TODO-Miran: are those apppropriate defaults?
1.72 factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
1.73 factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
1.74 @@ -415,25 +415,39 @@
1.75 return factory;
1.76 }
1.77
1.78 - private static boolean checkGlobalOverride(boolean localSecureXmlProcessingEnabled) {
1.79 - return globalSecureXmlProcessingEnabled && localSecureXmlProcessingEnabled;
1.80 + private static boolean isXMLSecurityDisabled(boolean runtimeDisabled) {
1.81 + return XML_SECURITY_DISABLED || runtimeDisabled;
1.82 }
1.83
1.84 - public static SchemaFactory allowFileAccess(SchemaFactory sf, boolean disableSecureProcessing) {
1.85 + public static SchemaFactory allowExternalAccess(SchemaFactory sf, String value, boolean disableSecureProcessing) {
1.86
1.87 - // if feature secure processing enabled, nothing to do, file is allowed,
1.88 - // or user is able to control access by standard JAXP mechanisms
1.89 - if (checkGlobalOverride(disableSecureProcessing)) {
1.90 + // if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
1.91 + if (isXMLSecurityDisabled(disableSecureProcessing)) {
1.92 + if (LOGGER.isLoggable(Level.FINE)) {
1.93 + LOGGER.log(Level.FINE, "Xml Security disabled, no JAXP xsd external access configuration necessary.");
1.94 + }
1.95 + return sf;
1.96 + }
1.97 +
1.98 + if (System.getProperty("javax.xml.accessExternalSchema") != null) {
1.99 + if (LOGGER.isLoggable(Level.FINE)) {
1.100 + LOGGER.log(Level.FINE, "Detected explicitly JAXP configuration, no JAXP xsd external access configuration necessary.");
1.101 + }
1.102 return sf;
1.103 }
1.104
1.105 try {
1.106 - sf.setProperty(ACCESS_EXTERNAL_SCHEMA, "file");
1.107 - LOGGER.log(Level.FINE, "Property \"{}\" is supported and has been successfully set by used JAXP implementation.", new Object[]{ACCESS_EXTERNAL_SCHEMA});
1.108 + sf.setProperty(ACCESS_EXTERNAL_SCHEMA, value);
1.109 + if (LOGGER.isLoggable(Level.FINE)) {
1.110 + LOGGER.log(Level.FINE, "Property \"{0}\" is supported and has been successfully set by used JAXP implementation.", new Object[]{ACCESS_EXTERNAL_SCHEMA});
1.111 + }
1.112 } catch (SAXException ignored) {
1.113 - // depending on JDK/SAX implementation used
1.114 - LOGGER.log(Level.CONFIG, "Property \"{}\" is not supported by used JAXP implementation.", new Object[]{ACCESS_EXTERNAL_SCHEMA});
1.115 + // nothing to do; support depends on version JDK or SAX implementation
1.116 + if (LOGGER.isLoggable(Level.CONFIG)) {
1.117 + LOGGER.log(Level.CONFIG, "Property \"{0}\" is not supported by used JAXP implementation.", new Object[]{ACCESS_EXTERNAL_SCHEMA});
1.118 + }
1.119 }
1.120 return sf;
1.121 }
1.122 +
1.123 }
