Fri, 24 Oct 2014 15:02:28 +0200
8054367: More references for endpoints
Summary: fix also reviewed by Iaroslav.Savytskyi@oracle.com, Alexander.Fomin@oracle.com
Reviewed-by: mullan, skoivu
1 /*
2 * Copyright (c) 2013, 2014, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
26 package com.sun.xml.internal.bind.v2.util;
28 import com.sun.xml.internal.bind.v2.Messages;
30 import java.security.AccessController;
31 import java.security.PrivilegedAction;
32 import java.util.logging.Level;
33 import java.util.logging.Logger;
34 import javax.xml.XMLConstants;
35 import javax.xml.parsers.DocumentBuilderFactory;
36 import javax.xml.parsers.ParserConfigurationException;
37 import javax.xml.parsers.SAXParserFactory;
38 import javax.xml.transform.TransformerConfigurationException;
39 import javax.xml.transform.TransformerFactory;
40 import javax.xml.validation.SchemaFactory;
41 import javax.xml.xpath.XPathFactory;
42 import javax.xml.xpath.XPathFactoryConfigurationException;
44 import org.xml.sax.SAXException;
45 import org.xml.sax.SAXNotRecognizedException;
46 import org.xml.sax.SAXNotSupportedException;
48 /**
49 * Provides helper methods for creating properly configured XML parser
50 * factory instances with namespace support turned on and configured for
51 * security.
52 * @author snajper
53 */
54 public class XmlFactory {
56 // not in older JDK, so must be duplicated here, otherwise javax.xml.XMLConstants should be used
57 public static final String ACCESS_EXTERNAL_SCHEMA = "http://javax.xml.XMLConstants/property/accessExternalSchema";
58 public static final String ACCESS_EXTERNAL_DTD = "http://javax.xml.XMLConstants/property/accessExternalDTD";
60 private static final Logger LOGGER = Logger.getLogger(XmlFactory.class.getName());
62 /**
63 * If true XML security features when parsing XML documents will be disabled.
64 * The default value is false.
65 *
66 * Boolean
67 * @since 2.2.6
68 */
69 private static final String DISABLE_XML_SECURITY = "com.sun.xml.internal.bind.disableXmlSecurity";
71 private static final boolean XML_SECURITY_DISABLED = AccessController.doPrivileged(
72 new PrivilegedAction<Boolean>() {
73 @Override
74 public Boolean run() {
75 return Boolean.getBoolean(DISABLE_XML_SECURITY);
76 }
77 }
78 );
80 private static boolean isXMLSecurityDisabled(boolean runtimeSetting) {
81 return XML_SECURITY_DISABLED || runtimeSetting;
82 }
84 /**
85 * Returns properly configured (e.g. security features) schema factory
86 * - namespaceAware == true
87 * - securityProcessing == is set based on security processing property, default is true
88 */
89 public static SchemaFactory createSchemaFactory(final String language, boolean disableSecureProcessing) throws IllegalStateException {
90 try {
91 SchemaFactory factory = SchemaFactory.newInstance(language);
92 if (LOGGER.isLoggable(Level.FINE)) {
93 LOGGER.log(Level.FINE, "SchemaFactory instance: {0}", factory);
94 }
95 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
96 return factory;
97 } catch (SAXNotRecognizedException ex) {
98 LOGGER.log(Level.SEVERE, null, ex);
99 throw new IllegalStateException(ex);
100 } catch (SAXNotSupportedException ex) {
101 LOGGER.log(Level.SEVERE, null, ex);
102 throw new IllegalStateException(ex);
103 } catch (AbstractMethodError er) {
104 LOGGER.log(Level.SEVERE, null, er);
105 throw new IllegalStateException(Messages.INVALID_JAXP_IMPLEMENTATION.format(), er);
106 }
107 }
109 /**
110 * Returns properly configured (e.g. security features) parser factory
111 * - namespaceAware == true
112 * - securityProcessing == is set based on security processing property, default is true
113 */
114 public static SAXParserFactory createParserFactory(boolean disableSecureProcessing) throws IllegalStateException {
115 try {
116 SAXParserFactory factory = SAXParserFactory.newInstance();
117 if (LOGGER.isLoggable(Level.FINE)) {
118 LOGGER.log(Level.FINE, "SAXParserFactory instance: {0}", factory);
119 }
120 factory.setNamespaceAware(true);
121 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
122 return factory;
123 } catch (ParserConfigurationException ex) {
124 LOGGER.log(Level.SEVERE, null, ex);
125 throw new IllegalStateException( ex);
126 } catch (SAXNotRecognizedException ex) {
127 LOGGER.log(Level.SEVERE, null, ex);
128 throw new IllegalStateException( ex);
129 } catch (SAXNotSupportedException ex) {
130 LOGGER.log(Level.SEVERE, null, ex);
131 throw new IllegalStateException( ex);
132 } catch (AbstractMethodError er) {
133 LOGGER.log(Level.SEVERE, null, er);
134 throw new IllegalStateException(Messages.INVALID_JAXP_IMPLEMENTATION.format(), er);
135 }
136 }
138 /**
139 * Returns properly configured (e.g. security features) factory
140 * - securityProcessing == is set based on security processing property, default is true
141 */
142 public static XPathFactory createXPathFactory(boolean disableSecureProcessing) throws IllegalStateException {
143 try {
144 XPathFactory factory = XPathFactory.newInstance();
145 if (LOGGER.isLoggable(Level.FINE)) {
146 LOGGER.log(Level.FINE, "XPathFactory instance: {0}", factory);
147 }
148 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
149 return factory;
150 } catch (XPathFactoryConfigurationException ex) {
151 LOGGER.log(Level.SEVERE, null, ex);
152 throw new IllegalStateException( ex);
153 } catch (AbstractMethodError er) {
154 LOGGER.log(Level.SEVERE, null, er);
155 throw new IllegalStateException(Messages.INVALID_JAXP_IMPLEMENTATION.format(), er);
156 }
157 }
159 /**
160 * Returns properly configured (e.g. security features) factory
161 * - securityProcessing == is set based on security processing property, default is true
162 */
163 public static TransformerFactory createTransformerFactory(boolean disableSecureProcessing) throws IllegalStateException {
164 try {
165 TransformerFactory factory = TransformerFactory.newInstance();
166 if (LOGGER.isLoggable(Level.FINE)) {
167 LOGGER.log(Level.FINE, "TransformerFactory instance: {0}", factory);
168 }
169 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
170 return factory;
171 } catch (TransformerConfigurationException ex) {
172 LOGGER.log(Level.SEVERE, null, ex);
173 throw new IllegalStateException( ex);
174 } catch (AbstractMethodError er) {
175 LOGGER.log(Level.SEVERE, null, er);
176 throw new IllegalStateException(Messages.INVALID_JAXP_IMPLEMENTATION.format(), er);
177 }
178 }
180 /**
181 * Returns properly configured (e.g. security features) factory
182 * - namespaceAware == true
183 * - securityProcessing == is set based on security processing property, default is true
184 */
185 public static DocumentBuilderFactory createDocumentBuilderFactory(boolean disableSecureProcessing) throws IllegalStateException {
186 try {
187 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
188 if (LOGGER.isLoggable(Level.FINE)) {
189 LOGGER.log(Level.FINE, "DocumentBuilderFactory instance: {0}", factory);
190 }
191 factory.setNamespaceAware(true);
192 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
193 return factory;
194 } catch (ParserConfigurationException ex) {
195 LOGGER.log(Level.SEVERE, null, ex);
196 throw new IllegalStateException( ex);
197 } catch (AbstractMethodError er) {
198 LOGGER.log(Level.SEVERE, null, er);
199 throw new IllegalStateException(Messages.INVALID_JAXP_IMPLEMENTATION.format(), er);
200 }
201 }
203 public static SchemaFactory allowExternalAccess(SchemaFactory sf, String value, boolean disableSecureProcessing) {
205 // if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
206 if (isXMLSecurityDisabled(disableSecureProcessing)) {
207 if (LOGGER.isLoggable(Level.FINE)) {
208 LOGGER.log(Level.FINE, Messages.JAXP_XML_SECURITY_DISABLED.format());
209 }
210 return sf;
211 }
213 if (System.getProperty("javax.xml.accessExternalSchema") != null) {
214 if (LOGGER.isLoggable(Level.FINE)) {
215 LOGGER.log(Level.FINE, Messages.JAXP_EXTERNAL_ACCESS_CONFIGURED.format());
216 }
217 return sf;
218 }
220 try {
221 sf.setProperty(ACCESS_EXTERNAL_SCHEMA, value);
222 if (LOGGER.isLoggable(Level.FINE)) {
223 LOGGER.log(Level.FINE, Messages.JAXP_SUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_SCHEMA));
224 }
225 } catch (SAXException ignored) {
226 // nothing to do; support depends on version JDK or SAX implementation
227 if (LOGGER.isLoggable(Level.CONFIG)) {
228 LOGGER.log(Level.CONFIG, Messages.JAXP_UNSUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_SCHEMA), ignored);
229 }
230 }
231 return sf;
232 }
234 public static SchemaFactory allowExternalDTDAccess(SchemaFactory sf, String value, boolean disableSecureProcessing) {
236 // if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
237 if (isXMLSecurityDisabled(disableSecureProcessing)) {
238 if (LOGGER.isLoggable(Level.FINE)) {
239 LOGGER.log(Level.FINE, Messages.JAXP_XML_SECURITY_DISABLED.format());
240 }
241 return sf;
242 }
244 if (System.getProperty("javax.xml.accessExternalDTD") != null) {
245 if (LOGGER.isLoggable(Level.FINE)) {
246 LOGGER.log(Level.FINE, Messages.JAXP_EXTERNAL_ACCESS_CONFIGURED.format());
247 }
248 return sf;
249 }
251 try {
252 sf.setProperty(ACCESS_EXTERNAL_DTD, value);
253 if (LOGGER.isLoggable(Level.FINE)) {
254 LOGGER.log(Level.FINE, Messages.JAXP_SUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_DTD));
255 }
256 } catch (SAXException ignored) {
257 // nothing to do; support depends on version JDK or SAX implementation
258 if (LOGGER.isLoggable(Level.CONFIG)) {
259 LOGGER.log(Level.CONFIG, Messages.JAXP_UNSUPPORTED_PROPERTY.format(ACCESS_EXTERNAL_DTD), ignored);
260 }
261 }
262 return sf;
263 }
265 }