org.eclipse.persistence.internal.helper.XMLHelper Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of eclipselink Show documentation
Show all versions of eclipselink Show documentation
EclipseLink build based upon Git transaction f2b9fc5
/*
* Copyright (c) 2016, 2020 Oracle and/or its affiliates. All rights reserved.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0 which is available at
* http://www.eclipse.org/legal/epl-2.0,
* or the Eclipse Distribution License v. 1.0 which is available at
* http://www.eclipse.org/org/documents/edl-v10.php.
*
* SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
*/
// Contributors:
// Oracle - initial API and implementation
package org.eclipse.persistence.internal.helper;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.validation.SchemaFactory;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathFactoryConfigurationException;
import org.eclipse.persistence.internal.oxm.OXMSystemProperties;
import org.eclipse.persistence.internal.oxm.record.XMLReader;
import org.eclipse.persistence.internal.security.PrivilegedAccessHelper;
import org.eclipse.persistence.logging.AbstractSessionLog;
import org.eclipse.persistence.logging.SessionLog;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
public class XMLHelper {
// LJ - does not cache logger to allow its dynamic reconfiguration
// not in older JDK, so must be duplicated here, otherwise javax.xml.XMLConstants should be used
public static final String ACCESS_EXTERNAL_SCHEMA = "http://javax.xml.XMLConstants/property/accessExternalSchema";
public static final String ACCESS_EXTERNAL_DTD = "http://javax.xml.XMLConstants/property/accessExternalDTD";
private static final String PROP_ACCESS_EXTERNAL_SCHEMA = "javax.xml.accessExternalSchema";
private static final String PROP_ACCESS_EXTERNAL_DTD = "javax.xml.accessExternalDTD";
/**
* If true XML security features when parsing XML documents will be disabled.
* The default value is false.
*
* Boolean
* @since 2.6.3
*/
private static final boolean XML_SECURITY_DISABLED = PrivilegedAccessHelper.getSystemPropertyBoolean(OXMSystemProperties.DISABLE_SECURE_PROCESSING, false);
private static boolean isXMLSecurityDisabled(boolean runtimeSetting) {
return XML_SECURITY_DISABLED || runtimeSetting;
}
/**
* Returns properly configured (e.g. security features) schema factory
* - namespaceAware == true
* - securityProcessing == is set based on security processing property, default is true
*/
public static SchemaFactory createSchemaFactory(final String language, boolean disableSecureProcessing) throws IllegalStateException {
SessionLog logger = AbstractSessionLog.getLog();
try {
SchemaFactory factory = SchemaFactory.newInstance(language);
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "schema_factory", new Object[] {factory});
}
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
return factory;
} catch (SAXNotRecognizedException ex) {
logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, ex);
throw new IllegalStateException(ex);
} catch (SAXNotSupportedException ex) {
logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, ex);
throw new IllegalStateException(ex);
} catch (AbstractMethodError er) {
logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, er);
throw new IllegalStateException(er);
}
}
/**
* Returns properly configured (e.g. security features) parser factory
* - namespaceAware == true
* - securityProcessing == is set based on security processing property, default is true
*/
public static SAXParserFactory createParserFactory(boolean disableSecureProcessing) throws IllegalStateException {
SessionLog logger = AbstractSessionLog.getLog();
try {
SAXParserFactory factory = SAXParserFactory.newInstance();
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "saxparser_factory", new Object[] {factory});
}
factory.setNamespaceAware(true);
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
return factory;
} catch (ParserConfigurationException ex) {
logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, ex);
throw new IllegalStateException( ex);
} catch (SAXNotRecognizedException ex) {
logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, ex);
throw new IllegalStateException( ex);
} catch (SAXNotSupportedException ex) {
logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, ex);
throw new IllegalStateException( ex);
} catch (AbstractMethodError er) {
logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, er);
throw new IllegalStateException(er);
}
}
/**
* Returns properly configured (e.g. security features) factory
* - securityProcessing == is set based on security processing property, default is true
*/
public static XPathFactory createXPathFactory(boolean disableSecureProcessing) throws IllegalStateException {
SessionLog logger = AbstractSessionLog.getLog();
try {
XPathFactory factory = XPathFactory.newInstance();
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "xpath_factory", new Object[] {factory});
}
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
return factory;
} catch (XPathFactoryConfigurationException ex) {
logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, ex);
throw new IllegalStateException( ex);
} catch (AbstractMethodError er) {
logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, er);
throw new IllegalStateException(er);
}
}
/**
* Returns properly configured (e.g. security features) factory
* - securityProcessing == is set based on security processing property, default is true
*/
public static TransformerFactory createTransformerFactory(boolean disableSecureProcessing) throws IllegalStateException {
SessionLog logger = AbstractSessionLog.getLog();
try {
TransformerFactory factory = TransformerFactory.newInstance();
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "transformer_factory", new Object[] {factory});
}
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
return factory;
} catch (TransformerConfigurationException ex) {
logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, ex);
throw new IllegalStateException( ex);
} catch (AbstractMethodError er) {
logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, er);
throw new IllegalStateException(er);
}
}
/**
* Returns properly configured (e.g. security features) factory
* - namespaceAware == true
* - securityProcessing == is set based on security processing property, default is true
*/
public static DocumentBuilderFactory createDocumentBuilderFactory(boolean disableSecureProcessing) throws IllegalStateException {
SessionLog logger = AbstractSessionLog.getLog();
try {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "documentbuilder_factory", new Object[] {factory});
}
factory.setNamespaceAware(true);
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
return factory;
} catch (ParserConfigurationException ex) {
logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, ex);
throw new IllegalStateException( ex);
} catch (AbstractMethodError er) {
logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, er);
throw new IllegalStateException(er);
}
}
public static SchemaFactory allowExternalAccess(SchemaFactory sf, String value, boolean disableSecureProcessing) {
SessionLog logger = AbstractSessionLog.getLog();
// if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
if (isXMLSecurityDisabled(disableSecureProcessing)) {
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_disabled", new Object[] {"xsd"});
}
return sf;
}
if (PrivilegedAccessHelper.getSystemProperty(PROP_ACCESS_EXTERNAL_SCHEMA) != null) {
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_explicit", new Object[] {"xsd"});
}
return sf;
}
try {
sf.setProperty(ACCESS_EXTERNAL_SCHEMA, value);
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_prop_supported", new Object[] {ACCESS_EXTERNAL_SCHEMA});
}
} catch (SAXException ignored) {
// nothing to do; support depends on version JDK or SAX implementation
if (logger.shouldLog(SessionLog.CONFIG, SessionLog.MOXY)) {
logger.log(SessionLog.CONFIG, SessionLog.MOXY, "jaxp_sec_prop_not_supported", new Object[] {ACCESS_EXTERNAL_SCHEMA});
logger.logThrowable(SessionLog.CONFIG, SessionLog.MOXY, ignored);
}
}
return sf;
}
public static TransformerFactory allowExternalAccess(TransformerFactory tf, String value, boolean disableSecureProcessing) {
SessionLog logger = AbstractSessionLog.getLog();
// if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
if (isXMLSecurityDisabled(disableSecureProcessing)) {
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_disabled", new Object[] {"xsd"});
}
return tf;
}
if (PrivilegedAccessHelper.getSystemProperty(PROP_ACCESS_EXTERNAL_SCHEMA) != null) {
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_explicit", new Object[] {"xsd"});
}
return tf;
}
try {
tf.setAttribute(ACCESS_EXTERNAL_SCHEMA, value);
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_prop_supported", new Object[] {ACCESS_EXTERNAL_SCHEMA});
}
} catch (IllegalArgumentException ignored) {
// nothing to do; support depends on version JDK or SAX implementation
if (logger.shouldLog(SessionLog.CONFIG, SessionLog.MOXY)) {
logger.log(SessionLog.CONFIG, SessionLog.MOXY, "jaxp_sec_prop_not_supported", new Object[] {ACCESS_EXTERNAL_SCHEMA});
logger.logThrowable(SessionLog.CONFIG, SessionLog.MOXY, ignored);
}
}
return tf;
}
public static DocumentBuilderFactory allowExternalAccess(DocumentBuilderFactory dbf, String value, boolean disableSecureProcessing) {
SessionLog logger = AbstractSessionLog.getLog();
// if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
if (isXMLSecurityDisabled(disableSecureProcessing)) {
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_disabled", new Object[] {"xsd"});
}
return dbf;
}
if (PrivilegedAccessHelper.getSystemProperty(PROP_ACCESS_EXTERNAL_SCHEMA) != null) {
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_explicit", new Object[] {"xsd"});
}
return dbf;
}
try {
dbf.setAttribute(ACCESS_EXTERNAL_SCHEMA, value);
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_prop_supported", new Object[] {ACCESS_EXTERNAL_SCHEMA});
}
} catch (IllegalArgumentException ignored) {
// nothing to do; support depends on version JDK or SAX implementation
if (logger.shouldLog(SessionLog.CONFIG, SessionLog.MOXY)) {
logger.log(SessionLog.CONFIG, SessionLog.MOXY, "jaxp_sec_prop_not_supported", new Object[] {ACCESS_EXTERNAL_SCHEMA});
logger.logThrowable(SessionLog.CONFIG, SessionLog.MOXY, ignored);
}
}
return dbf;
}
public static XMLReader allowExternalAccess(XMLReader xmlReader, String value, boolean disableSecureProcessing) {
SessionLog logger = AbstractSessionLog.getLog();
// if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
if (isXMLSecurityDisabled(disableSecureProcessing)) {
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_disabled", new Object[] {"xsd"});
}
return xmlReader;
}
if (PrivilegedAccessHelper.getSystemProperty(PROP_ACCESS_EXTERNAL_SCHEMA) != null) {
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_explicit", new Object[] {"xsd"});
}
return xmlReader;
}
try {
xmlReader.setProperty(ACCESS_EXTERNAL_SCHEMA, value);
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_prop_supported", new Object[] {ACCESS_EXTERNAL_SCHEMA});
}
} catch (SAXException ignored) {
// nothing to do; support depends on version JDK or SAX implementation
if (logger.shouldLog(SessionLog.CONFIG, SessionLog.MOXY)) {
logger.log(SessionLog.CONFIG, SessionLog.MOXY, "jaxp_sec_prop_not_supported", new Object[] {ACCESS_EXTERNAL_SCHEMA});
logger.logThrowable(SessionLog.CONFIG, SessionLog.MOXY, ignored);
}
}
return xmlReader;
}
public static SchemaFactory allowExternalDTDAccess(SchemaFactory sf, String value, boolean disableSecureProcessing) {
SessionLog logger = AbstractSessionLog.getLog();
// if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
if (isXMLSecurityDisabled(disableSecureProcessing)) {
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_disabled", new Object[] {"DTD"});
}
return sf;
}
if (PrivilegedAccessHelper.getSystemProperty(PROP_ACCESS_EXTERNAL_DTD) != null) {
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_explicit", new Object[] {"DTD"});
}
return sf;
}
try {
sf.setProperty(ACCESS_EXTERNAL_DTD, value);
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_prop_supported", new Object[] {ACCESS_EXTERNAL_DTD});
}
} catch (SAXException ignored) {
// nothing to do; support depends on version JDK or SAX implementation
if (logger.shouldLog(SessionLog.CONFIG, SessionLog.MOXY)) {
logger.log(SessionLog.CONFIG, SessionLog.MOXY, "jaxp_sec_prop_not_supported", new Object[] {ACCESS_EXTERNAL_DTD});
logger.logThrowable(SessionLog.CONFIG, SessionLog.MOXY, ignored);
}
}
return sf;
}
public static DocumentBuilderFactory allowExternalDTDAccess(DocumentBuilderFactory dbf, String value, boolean disableSecureProcessing) {
SessionLog logger = AbstractSessionLog.getLog();
// if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
if (isXMLSecurityDisabled(disableSecureProcessing)) {
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_disabled", new Object[] {"DTD"});
}
return dbf;
}
if (PrivilegedAccessHelper.getSystemProperty(PROP_ACCESS_EXTERNAL_DTD) != null) {
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_explicit", new Object[] {"DTD"});
}
return dbf;
}
try {
dbf.setAttribute(ACCESS_EXTERNAL_DTD, value);
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_prop_supported", new Object[] {ACCESS_EXTERNAL_DTD});
}
} catch (IllegalArgumentException ignored) {
// nothing to do; support depends on version JDK or SAX implementation
if (logger.shouldLog(SessionLog.CONFIG, SessionLog.MOXY)) {
logger.log(SessionLog.CONFIG, SessionLog.MOXY, "jaxp_sec_prop_not_supported", new Object[] {ACCESS_EXTERNAL_DTD});
logger.logThrowable(SessionLog.CONFIG, SessionLog.MOXY, ignored);
}
}
return dbf;
}
public static XMLReader allowExternalDTDAccess(XMLReader xmlReader, String value, boolean disableSecureProcessing) {
SessionLog logger = AbstractSessionLog.getLog();
// if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
if (isXMLSecurityDisabled(disableSecureProcessing)) {
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_disabled", new Object[] {"DTD"});
}
return xmlReader;
}
if (PrivilegedAccessHelper.getSystemProperty(PROP_ACCESS_EXTERNAL_DTD) != null) {
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_explicit", new Object[] {"DTD"});
}
return xmlReader;
}
try {
xmlReader.setProperty(ACCESS_EXTERNAL_DTD, value);
if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_prop_supported", new Object[] {ACCESS_EXTERNAL_DTD});
}
} catch (SAXException ignored) {
// nothing to do; support depends on version JDK or SAX implementation
if (logger.shouldLog(SessionLog.CONFIG, SessionLog.MOXY)) {
logger.log(SessionLog.CONFIG, SessionLog.MOXY, "jaxp_sec_prop_not_supported", new Object[] {ACCESS_EXTERNAL_DTD});
logger.logThrowable(SessionLog.CONFIG, SessionLog.MOXY, ignored);
}
}
return xmlReader;
}
}