Sun, 25 Jun 2017 00:13:53 +0100
8182054: Improve wsdl support
Summary: Also reviewed by Roman Grigoriadi <roman.grigoriadi@oracle.com>
Reviewed-by: joehw, lancea
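--- a/src/share/jaxws_classes/com/sun/tools/internal/ws/wsdl/parser/DOMForest.java	Fri Jun 02 15:26:58 2017 -0700
+++ b/src/share/jaxws_classes/com/sun/tools/internal/ws/wsdl/parser/DOMForest.java	Sun Jun 25 00:13:53 2017 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -112,15 +112,13 @@
         this.entityResolver = entityResolver;
         this.errorReceiver = errReceiver;
         this.logic = logic;
+        // secure xml processing can be switched off if input requires it
+        boolean disableXmlSecurity = options == null ? false : options.disableXmlSecurity;
+
+        DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory(disableXmlSecurity);
+        this.parserFactory = XmlUtil.newSAXParserFactory(disableXmlSecurity);
         try {
-            // secure xml processing can be switched off if input requires it
-            boolean secureProcessingEnabled = options == null || !options.disableXmlSecurity;
-            DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory(secureProcessingEnabled);
-            dbf.setNamespaceAware(true);
             this.documentBuilder = dbf.newDocumentBuilder();
-
-            this.parserFactory = XmlUtil.newSAXParserFactory(secureProcessingEnabled);
-            this.parserFactory.setNamespaceAware(true);
         } catch (ParserConfigurationException e) {
             throw new AssertionError(e);
         }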
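Review bot: The flag passed to `XmlUtil.newDocumentBuilderFactory(...)` and `XmlUtil.newSAXParserFactory(...)` in the second hunk now means "disable security", the inverse of the `secureProcessingEnabled` value the same boolean signatures took before, and the compiler cannot catch a caller that still passes the old sense. This call site is updated consistently, but callers outside this page are not visible, so every remaining use of the boolean overloads needs checking. The carried-over comment should also say what switching it off implies, for example `// disableXmlSecurity=true leaves DOCTYPE and external-entity handling at the parser defaults; use only for trusted WSDL/schema input`. The expression reads more directly as `boolean disableXmlSecurity = options != null && options.disableXmlSecurity;`. The constructor starts and ends outside the hunk.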
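--- a/src/share/jaxws_classes/com/sun/xml/internal/ws/util/DOMUtil.java	Fri Jun 02 15:26:58 2017 -0700
+++ b/src/share/jaxws_classes/com/sun/xml/internal/ws/util/DOMUtil.java	Sun Jun 25 00:13:53 2017 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -57,7 +57,6 @@
             if (db == null) {
                 try {
                     DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory();
-                    dbf.setNamespaceAware(true);
                     db = dbf.newDocumentBuilder();
                 } catch (ParserConfigurationException e) {
                     throw new FactoryConfigurationError(e);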
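--- a/src/share/jaxws_classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java	Fri Jun 02 15:26:58 2017 -0700
+++ b/src/share/jaxws_classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java	Sun Jun 25 00:13:53 2017 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -84,6 +84,14 @@
     private final static String LEXICAL_HANDLER_PROPERTY =
         "http://xml.org/sax/properties/lexical-handler";
 
+    private static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
+
+    private static final String EXTERNAL_GE = "http://xml.org/sax/features/external-general-entities";
+
+    private static final String EXTERNAL_PE = "http://xml.org/sax/features/external-parameter-entities";
+
+    private static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+
     private static final Logger LOGGER = Logger.getLogger(XmlUtil.class.getName());
 
     private static final String DISABLE_XML_SECURITY = "com.sun.xml.internal.ws.disableXmlSecurity";
@@ -372,15 +380,29 @@
     };
 
     public static DocumentBuilderFactory newDocumentBuilderFactory() {
-        return newDocumentBuilderFactory(true);
+        return newDocumentBuilderFactory(false);
     }
 
-    public static DocumentBuilderFactory newDocumentBuilderFactory(boolean secureXmlProcessing) {
+    public static DocumentBuilderFactory newDocumentBuilderFactory(boolean disableSecurity) {
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        String featureToSet = XMLConstants.FEATURE_SECURE_PROCESSING;
         try {
-            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, isXMLSecurityDisabled(secureXmlProcessing));
+            boolean securityOn = !isXMLSecurityDisabled(disableSecurity);
+            factory.setFeature(featureToSet, securityOn);
+            factory.setNamespaceAware(true);
+            if (securityOn) {
+                factory.setExpandEntityReferences(false);
+                featureToSet = DISALLOW_DOCTYPE_DECL;
+                factory.setFeature(featureToSet, true);
+                featureToSet = EXTERNAL_GE;
+                factory.setFeature(featureToSet, false);
+                featureToSet = EXTERNAL_PE;
+                factory.setFeature(featureToSet, false);
+                featureToSet = LOAD_EXTERNAL_DTD;
+                factory.setFeature(featureToSet, false);
+            }
         } catch (ParserConfigurationException e) {
-            LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[] { factory.getClass().getName() } );
+            LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support "+featureToSet+" feature!", new Object[] {factory.getClass().getName()} );
         }
         return factory;
     }
@@ -399,12 +421,25 @@
         return newTransformerFactory(true);
     }
 
-    public static SAXParserFactory newSAXParserFactory(boolean secureXmlProcessingEnabled) {
+    public static SAXParserFactory newSAXParserFactory(boolean disableSecurity) {
         SAXParserFactory factory = SAXParserFactory.newInstance();
+        String featureToSet = XMLConstants.FEATURE_SECURE_PROCESSING;
         try {
-            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, isXMLSecurityDisabled(secureXmlProcessingEnabled));
-        } catch (Exception e) {
-            LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[]{factory.getClass().getName()});
+            boolean securityOn = !isXMLSecurityDisabled(disableSecurity);
+            factory.setFeature(featureToSet, securityOn);
+            factory.setNamespaceAware(true);
+            if (securityOn) {
+                featureToSet = DISALLOW_DOCTYPE_DECL;
+                factory.setFeature(featureToSet, true);
+                featureToSet = EXTERNAL_GE;
+                factory.setFeature(featureToSet, false);
+                featureToSet = EXTERNAL_PE;
+                factory.setFeature(featureToSet, false);
+                featureToSet = LOAD_EXTERNAL_DTD;
+                factory.setFeature(featureToSet, false);
+            }
+        } catch (ParserConfigurationException | SAXNotRecognizedException | SAXNotSupportedException e) {
+            LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support "+featureToSet+" feature!", new Object[]{factory.getClass().getName()});
         }
         return factory;
     }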
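Review bot: In `newDocumentBuilderFactory(boolean)` and `newSAXParserFactory(boolean)` every `setFeature` call sits in one `try`, so the first feature the factory rejects skips all the ones after it and the method still returns the factory with only a WARNING logged. A parser implementation that does not recognise the Apache-specific `disallow-doctype-decl` feature would therefore also miss the `external-general-entities`, `external-parameter-entities` and `load-external-dtd` settings. If `FEATURE_SECURE_PROCESSING` itself is rejected, `setNamespaceAware(true)` never runs either, although DOMForest and DOMUtil drop their own `setNamespaceAware` calls in this commit. Setting namespace awareness before the feature calls and applying each feature in its own `try` keeps the remaining protections; whether an unsupported feature should instead abort when security is on is a decision for the maintainers. The sketch shows the DOM variant; the SAX variant is the same with its three exception types.

```java
public static DocumentBuilderFactory newDocumentBuilderFactory(boolean disableSecurity) {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    boolean securityOn = !isXMLSecurityDisabled(disableSecurity);
    // independent of feature support, so callers that no longer set it themselves still get it
    factory.setNamespaceAware(true);
    setFeatureOrWarn(factory, XMLConstants.FEATURE_SECURE_PROCESSING, securityOn);
    if (securityOn) {
        factory.setExpandEntityReferences(false);
        setFeatureOrWarn(factory, DISALLOW_DOCTYPE_DECL, true);
        setFeatureOrWarn(factory, EXTERNAL_GE, false);
        setFeatureOrWarn(factory, EXTERNAL_PE, false);
        setFeatureOrWarn(factory, LOAD_EXTERNAL_DTD, false);
    }
    return factory;
}

// one try per feature: an unsupported feature no longer skips the ones after it
private static void setFeatureOrWarn(DocumentBuilderFactory factory, String feature, boolean value) {
    try {
        factory.setFeature(feature, value);
    } catch (ParserConfigurationException e) {
        LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support "+feature+" feature!", new Object[] {factory.getClass().getName()} );
    }
}
```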