XMLReader secure processing

Joe Wang huizhe.wang at oracle.com
Mon Oct 24 20:51:24 UTC 2016

On 10/24/16, 10:40 AM, Bernd wrote:
> Hello,
> I am somewhat lost on how to enable or control the secure processing in the
> XMLReader.
> You can use XMLConstants.FEATURE_SECURE_PROCESSING and/or
> XMLConstants.ACCESS_EXTERNAL_{DTD,SCHEMA} only on the SAXParserFactory, but
> not XMLReader(Factory).
> Is this an oversight or am I missing something?

It's not part of the JAXP API (javax.xml.*), but was included as 
endorsed. I assume XMLReaderFactory was included in the JAXP API package 
for compatibility since it existed before JAXP API was created, and that 
was probably why it didn't have the same support in terms of features.

Note that, in JDK 9, XMLReaderFactory is deprecated. Users are 
encouraged to use SAXParserFactory instead.

> This seems to be a work around (at least for Oracle RI):

This is therefore not a "work-around", but the supported API.
>      SAXParserFactory spf = SAXParserFactory.newInstance();
>      spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
>      SAXParser parser = spf.newSAXParser();
>      System.out.println("external dtd: " +
> parser.getProperty(XMLConstants.ACCESS_EXTERNAL_DTD));
>      XMLReader reader = parser.getXMLReader();
> In this case the protocols is "all" for FSP=false and "" for FSP=true.

ACCESS_* is "all" by default, even though FSP is true. They will be set 
to "" or not allow external access if FSP is explicitly set.
> XMLConstants Javadoc does not talk about XMLReader, hm.
> BTW: while investigating I noticed the changed default for secure
> processing is not reflected by the comment:
> com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl.java
>       /**
> L64* State of the secure processing feature, initially<code>false</code>
>       */
>      private boolean fSecureProcess = true;
> http://hg.openjdk.java.net/jdk9/jdk9/jaxp/file/6d980e959726/src/java.xml/share/classes/com/sun/org/apache/xerces/internal/jaxp/SAXParserFactoryImpl.java#l64

Thanks, will get that fixed in the next bug fix.


> Gruss
> Bernd

More information about the core-libs-dev mailing list