# HG changeset patch # User aefimov # Date 1498338640 -3600 # Node ID d72565e4d8cfd8ed07fb515172e610c0dab911b4 # Parent a865459049fb10da70eba36fbfed245e486ee869 8182054: Improve wsdl support Summary: Also reviewed by Roman Grigoriadi Reviewed-by: joehw, lancea diff -r a865459049fb -r d72565e4d8cf jaxws/src/java.xml.ws/share/classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java --- a/jaxws/src/java.xml.ws/share/classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java Thu Jun 22 18:42:46 2017 +0000 +++ b/jaxws/src/java.xml.ws/share/classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java Sat Jun 24 22:10:40 2017 +0100 @@ -84,6 +84,14 @@ private final static String LEXICAL_HANDLER_PROPERTY = "http://xml.org/sax/properties/lexical-handler"; + private static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl"; + + private static final String EXTERNAL_GE = "http://xml.org/sax/features/external-general-entities"; + + private static final String EXTERNAL_PE = "http://xml.org/sax/features/external-parameter-entities"; + + private static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd"; + private static final Logger LOGGER = Logger.getLogger(XmlUtil.class.getName()); private static final String DISABLE_XML_SECURITY = "com.sun.xml.internal.ws.disableXmlSecurity"; @@ -327,10 +335,24 @@ public static DocumentBuilderFactory newDocumentBuilderFactory(boolean disableSecurity) { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + String featureToSet = XMLConstants.FEATURE_SECURE_PROCESSING; try { - factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !xmlSecurityDisabled(disableSecurity)); + boolean securityOn = !xmlSecurityDisabled(disableSecurity); + factory.setFeature(featureToSet, securityOn); + factory.setNamespaceAware(true); + if (securityOn) { + factory.setExpandEntityReferences(false); + featureToSet = DISALLOW_DOCTYPE_DECL; + factory.setFeature(featureToSet, true); + featureToSet = EXTERNAL_GE; + factory.setFeature(featureToSet, false); + featureToSet = EXTERNAL_PE; + factory.setFeature(featureToSet, false); + featureToSet = LOAD_EXTERNAL_DTD; + factory.setFeature(featureToSet, false); + } } catch (ParserConfigurationException e) { - LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[] { factory.getClass().getName() } ); + LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support "+featureToSet+" feature!", new Object[] {factory.getClass().getName()} ); } return factory; } @@ -347,10 +369,23 @@ public static SAXParserFactory newSAXParserFactory(boolean disableSecurity) { SAXParserFactory factory = SAXParserFactory.newInstance(); + String featureToSet = XMLConstants.FEATURE_SECURE_PROCESSING; try { - factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !xmlSecurityDisabled(disableSecurity)); + boolean securityOn = !xmlSecurityDisabled(disableSecurity); + factory.setFeature(featureToSet, securityOn); + factory.setNamespaceAware(true); + if (securityOn) { + featureToSet = DISALLOW_DOCTYPE_DECL; + factory.setFeature(featureToSet, true); + featureToSet = EXTERNAL_GE; + factory.setFeature(featureToSet, false); + featureToSet = EXTERNAL_PE; + factory.setFeature(featureToSet, false); + featureToSet = LOAD_EXTERNAL_DTD; + factory.setFeature(featureToSet, false); + } } catch (ParserConfigurationException | SAXNotRecognizedException | SAXNotSupportedException e) { - LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[]{factory.getClass().getName()}); + LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support "+featureToSet+" feature!", new Object[]{factory.getClass().getName()}); } return factory; } diff -r a865459049fb -r d72565e4d8cf jaxws/src/jdk.xml.ws/share/classes/com/sun/tools/internal/ws/wsdl/parser/DOMForest.java --- a/jaxws/src/jdk.xml.ws/share/classes/com/sun/tools/internal/ws/wsdl/parser/DOMForest.java Thu Jun 22 18:42:46 2017 +0000 +++ b/jaxws/src/jdk.xml.ws/share/classes/com/sun/tools/internal/ws/wsdl/parser/DOMForest.java Sat Jun 24 22:10:40 2017 +0100 @@ -112,29 +112,13 @@ this.entityResolver = entityResolver; this.errorReceiver = errReceiver; this.logic = logic; - try { - // secure xml processing can be switched off if input requires it - boolean secureProcessingEnabled = options == null || !options.disableXmlSecurity; - DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory(!secureProcessingEnabled); - dbf.setNamespaceAware(true); - this.documentBuilder = dbf.newDocumentBuilder(); - - this.parserFactory = XmlUtil.newSAXParserFactory(secureProcessingEnabled); - this.parserFactory.setNamespaceAware(true); + // secure xml processing can be switched off if input requires it + boolean disableXmlSecurity = options == null ? false : options.disableXmlSecurity; - if(secureProcessingEnabled){ - dbf.setExpandEntityReferences(false); - try { - parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); - parserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false); - parserFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); - } catch (SAXNotRecognizedException e){ - throw new ParserConfigurationException(e.getMessage()); - } catch (SAXNotSupportedException e) { - throw new ParserConfigurationException(e.getMessage()); - } - } - + DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory(disableXmlSecurity); + this.parserFactory = XmlUtil.newSAXParserFactory(disableXmlSecurity); + try { + this.documentBuilder = dbf.newDocumentBuilder(); } catch (ParserConfigurationException e) { throw new AssertionError(e); }