Merge
authorchegar
Fri, 11 Oct 2013 19:49:44 +0100
changeset 20975 298d79f9a705
parent 20958 999299ff7393 (current diff)
parent 20974 abec632002bc (diff)
child 20976 bb128fd25c3c
Merge
jaxp/src/com/sun/org/apache/xerces/internal/parsers/DTDConfiguration.java
jaxp/src/com/sun/org/apache/xerces/internal/parsers/NonValidatingConfiguration.java
jaxp/src/com/sun/org/apache/xerces/internal/parsers/SAXParser.java
jaxp/src/com/sun/org/apache/xerces/internal/util/SecurityManager.java
--- a/jaxp/src/com/sun/org/apache/xalan/internal/XalanConstants.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/XalanConstants.java	Fri Oct 11 19:49:44 2013 +0100
@@ -39,6 +39,116 @@
     //
     // Constants
     //
+    //Xerces security manager
+    public static final String SECURITY_MANAGER =
+            "http://apache.org/xml/properties/security-manager";
+
+    //
+    // Implementation limits: API properties
+    //
+    /** Oracle JAXP property prefix ("http://www.oracle.com/xml/jaxp/properties/"). */
+    public static final String ORACLE_JAXP_PROPERTY_PREFIX =
+        "http://www.oracle.com/xml/jaxp/properties/";
+    /**
+     * JDK entity expansion limit; Note that the existing system property
+     * "entityExpansionLimit" with no prefix is still observed
+     */
+    public static final String JDK_ENTITY_EXPANSION_LIMIT =
+            ORACLE_JAXP_PROPERTY_PREFIX + "entityExpansionLimit";
+
+    /**
+     * JDK element attribute limit; Note that the existing system property
+     * "elementAttributeLimit" with no prefix is still observed
+     */
+    public static final String JDK_ELEMENT_ATTRIBUTE_LIMIT =
+            ORACLE_JAXP_PROPERTY_PREFIX + "elementAttributeLimit";
+
+    /**
+     * JDK maxOccur limit; Note that the existing system property
+     * "maxOccurLimit" with no prefix is still observed
+     */
+    public static final String JDK_MAX_OCCUR_LIMIT =
+            ORACLE_JAXP_PROPERTY_PREFIX + "maxOccurLimit";
+
+    /**
+     * JDK total entity size limit
+     */
+    public static final String JDK_TOTAL_ENTITY_SIZE_LIMIT =
+            ORACLE_JAXP_PROPERTY_PREFIX + "totalEntitySizeLimit";
+
+    /**
+     * JDK maximum general entity size limit
+     */
+    public static final String JDK_GENEAL_ENTITY_SIZE_LIMIT =
+            ORACLE_JAXP_PROPERTY_PREFIX + "maxGeneralEntitySizeLimit";
+    /**
+     * JDK maximum parameter entity size limit
+     */
+    public static final String JDK_PARAMETER_ENTITY_SIZE_LIMIT =
+            ORACLE_JAXP_PROPERTY_PREFIX + "maxParameterEntitySizeLimit";
+    /**
+     * JDK maximum XML name limit
+     */
+    public static final String JDK_XML_NAME_LIMIT =
+            ORACLE_JAXP_PROPERTY_PREFIX + "maxXMLNameLimit";
+    /**
+     * JDK property indicating whether the parser shall print out entity
+     * count information
+     * Value: a string "yes" means print, "no" or any other string means not.
+     */
+    public static final String JDK_ENTITY_COUNT_INFO =
+            ORACLE_JAXP_PROPERTY_PREFIX + "getEntityCountInfo";
+
+    //
+    // Implementation limits: corresponding System Properties of the above
+    // API properties
+    //
+    /**
+     * JDK entity expansion limit; Note that the existing system property
+     * "entityExpansionLimit" with no prefix is still observed
+     */
+    public static final String SP_ENTITY_EXPANSION_LIMIT = "jdk.xml.entityExpansionLimit";
+
+    /**
+     * JDK element attribute limit; Note that the existing system property
+     * "elementAttributeLimit" with no prefix is still observed
+     */
+    public static final String SP_ELEMENT_ATTRIBUTE_LIMIT =  "jdk.xml.elementAttributeLimit";
+
+    /**
+     * JDK maxOccur limit; Note that the existing system property
+     * "maxOccurLimit" with no prefix is still observed
+     */
+    public static final String SP_MAX_OCCUR_LIMIT = "jdk.xml.maxOccurLimit";
+
+    /**
+     * JDK total entity size limit
+     */
+    public static final String SP_TOTAL_ENTITY_SIZE_LIMIT = "jdk.xml.totalEntitySizeLimit";
+
+    /**
+     * JDK maximum general entity size limit
+     */
+    public static final String SP_GENEAL_ENTITY_SIZE_LIMIT = "jdk.xml.maxGeneralEntitySizeLimit";
+    /**
+     * JDK maximum parameter entity size limit
+     */
+    public static final String SP_PARAMETER_ENTITY_SIZE_LIMIT = "jdk.xml.maxParameterEntitySizeLimit";
+    /**
+     * JDK maximum XML name limit
+     */
+    public static final String SP_XML_NAME_LIMIT = "jdk.xml.maxXMLNameLimit";
+
+    //legacy System Properties
+    public final static String ENTITY_EXPANSION_LIMIT = "entityExpansionLimit";
+    public static final String ELEMENT_ATTRIBUTE_LIMIT = "elementAttributeLimit" ;
+    public final static String MAX_OCCUR_LIMIT = "maxOccurLimit";
+
+    /**
+     * A string "yes" that can be used for properties such as getEntityCountInfo
+     */
+    public static final String JDK_YES = "yes";
+
     // Oracle Feature:
     /**
      * <p>Use Service Mechanism</p>
@@ -51,21 +161,16 @@
          *   <li>
          * {@code false} instruct an object to skip service mechanism and
          * use the default implementation for that service.
-     *   </li>
-     * </ul>
-    */
-
+         *   </li>
+         * </ul>
+         */
     public static final String ORACLE_FEATURE_SERVICE_MECHANISM = "http://www.oracle.com/feature/use-service-mechanism";
 
-    /** Oracle JAXP property prefix ("http://www.oracle.com/xml/jaxp/properties/"). */
-    public static final String ORACLE_JAXP_PROPERTY_PREFIX =
-        "http://www.oracle.com/xml/jaxp/properties/";
 
     //System Properties corresponding to ACCESS_EXTERNAL_* properties
     public static final String SP_ACCESS_EXTERNAL_STYLESHEET = "javax.xml.accessExternalStylesheet";
     public static final String SP_ACCESS_EXTERNAL_DTD = "javax.xml.accessExternalDTD";
 
-
     //all access keyword
     public static final String ACCESS_EXTERNAL_ALL = "all";
 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/utils/XMLSecurityManager.java	Fri Oct 11 19:49:44 2013 +0100
@@ -0,0 +1,449 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
+ * or packager/legal/LICENSE.txt.  See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at packager/legal/LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+package com.sun.org.apache.xalan.internal.utils;
+
+import com.sun.org.apache.xalan.internal.XalanConstants;
+
+
+/**
+ * This class is not the same as that in Xerces. It is used to manage the
+ * state of corresponding Xerces properties and pass the values over to
+ * the Xerces Security Manager.
+ *
+ * @author Joe Wang Oracle Corp.
+ *
+ */
+public final class XMLSecurityManager {
+
+    /**
+     * States of the settings of a property, in the order: default value, value
+     * set by FEATURE_SECURE_PROCESSING, jaxp.properties file, jaxp system
+     * properties, and jaxp api properties
+     */
+    public static enum State {
+        //this order reflects the overriding order
+
+        DEFAULT("default"), FSP("FEATURE_SECURE_PROCESSING"),
+        JAXPDOTPROPERTIES("jaxp.properties"), SYSTEMPROPERTY("system property"),
+        APIPROPERTY("property");
+
+        final String literal;
+        State(String literal) {
+            this.literal = literal;
+        }
+
+        String literal() {
+            return literal;
+        }
+    }
+
+    /**
+     * Limits managed by the security manager
+     */
+    public static enum Limit {
+
+        ENTITY_EXPANSION_LIMIT(XalanConstants.JDK_ENTITY_EXPANSION_LIMIT,
+                XalanConstants.SP_ENTITY_EXPANSION_LIMIT, 0, 64000),
+        MAX_OCCUR_NODE_LIMIT(XalanConstants.JDK_MAX_OCCUR_LIMIT,
+                XalanConstants.SP_MAX_OCCUR_LIMIT, 0, 5000),
+        ELEMENT_ATTRIBUTE_LIMIT(XalanConstants.JDK_ELEMENT_ATTRIBUTE_LIMIT,
+                XalanConstants.SP_ELEMENT_ATTRIBUTE_LIMIT, 0, 10000),
+        TOTAL_ENTITY_SIZE_LIMIT(XalanConstants.JDK_TOTAL_ENTITY_SIZE_LIMIT,
+                XalanConstants.SP_TOTAL_ENTITY_SIZE_LIMIT, 0, 50000000),
+        GENEAL_ENTITY_SIZE_LIMIT(XalanConstants.JDK_GENEAL_ENTITY_SIZE_LIMIT,
+                XalanConstants.SP_GENEAL_ENTITY_SIZE_LIMIT, 0, 0),
+        PARAMETER_ENTITY_SIZE_LIMIT(XalanConstants.JDK_PARAMETER_ENTITY_SIZE_LIMIT,
+                XalanConstants.SP_PARAMETER_ENTITY_SIZE_LIMIT, 0, 1000000);
+
+        final String apiProperty;
+        final String systemProperty;
+        final int defaultValue;
+        final int secureValue;
+
+        Limit(String apiProperty, String systemProperty, int value, int secureValue) {
+            this.apiProperty = apiProperty;
+            this.systemProperty = systemProperty;
+            this.defaultValue = value;
+            this.secureValue = secureValue;
+        }
+
+        public boolean equalsAPIPropertyName(String propertyName) {
+            return (propertyName == null) ? false : apiProperty.equals(propertyName);
+        }
+
+        public boolean equalsSystemPropertyName(String propertyName) {
+            return (propertyName == null) ? false : systemProperty.equals(propertyName);
+        }
+
+        public String apiProperty() {
+            return apiProperty;
+        }
+
+        String systemProperty() {
+            return systemProperty;
+        }
+
+        int defaultValue() {
+            return defaultValue;
+        }
+
+        int secureValue() {
+            return secureValue;
+        }
+    }
+
+    /**
+     * Map old property names with the new ones
+     */
+    public static enum NameMap {
+
+        ENTITY_EXPANSION_LIMIT(XalanConstants.SP_ENTITY_EXPANSION_LIMIT,
+                XalanConstants.ENTITY_EXPANSION_LIMIT),
+        MAX_OCCUR_NODE_LIMIT(XalanConstants.SP_MAX_OCCUR_LIMIT,
+                XalanConstants.MAX_OCCUR_LIMIT),
+        ELEMENT_ATTRIBUTE_LIMIT(XalanConstants.SP_ELEMENT_ATTRIBUTE_LIMIT,
+                XalanConstants.ELEMENT_ATTRIBUTE_LIMIT);
+        final String newName;
+        final String oldName;
+
+        NameMap(String newName, String oldName) {
+            this.newName = newName;
+            this.oldName = oldName;
+        }
+
+        String getOldName(String newName) {
+            if (newName.equals(this.newName)) {
+                return oldName;
+            }
+            return null;
+        }
+    }
+    /**
+     * Values of the properties
+     */
+    private final int[] values;
+    /**
+     * States of the settings for each property
+     */
+    private State[] states;
+    /**
+     * States that determine if properties are set explicitly
+     */
+    private boolean[] isSet;
+
+
+    /**
+     * Index of the special entityCountInfo property
+     */
+    private int indexEntityCountInfo = 10000;
+    private String printEntityCountInfo = "";
+
+    /**
+     * Default constructor. Establishes default values for known security
+     * vulnerabilities.
+     */
+    public XMLSecurityManager() {
+        this(false);
+    }
+
+    /**
+     * Instantiate Security Manager in accordance with the status of
+     * secure processing
+     * @param secureProcessing
+     */
+    public XMLSecurityManager(boolean secureProcessing) {
+        values = new int[Limit.values().length];
+        states = new State[Limit.values().length];
+        isSet = new boolean[Limit.values().length];
+        for (Limit limit : Limit.values()) {
+            if (secureProcessing) {
+                values[limit.ordinal()] = limit.secureValue();
+                states[limit.ordinal()] = State.FSP;
+            } else {
+                values[limit.ordinal()] = limit.defaultValue();
+                states[limit.ordinal()] = State.DEFAULT;
+            }
+        }
+        //read system properties or jaxp.properties
+        readSystemProperties();
+    }
+
+    /**
+     * Setting FEATURE_SECURE_PROCESSING explicitly
+     */
+    public void setSecureProcessing(boolean secure) {
+        for (Limit limit : Limit.values()) {
+            if (secure) {
+                setLimit(limit.ordinal(), State.FSP, limit.secureValue());
+            } else {
+                setLimit(limit.ordinal(), State.FSP, limit.defaultValue());
+            }
+        }
+    }
+
+    /**
+     * Set limit by property name and state
+     * @param propertyName property name
+     * @param state the state of the property
+     * @param value the value of the property
+     * @return true if the property is managed by the security manager; false
+     *              if otherwise.
+     */
+    public boolean setLimit(String propertyName, State state, Object value) {
+        int index = getIndex(propertyName);
+        if (index > -1) {
+            setLimit(index, state, value);
+            return true;
+        }
+        return false;
+    }
+
+    /**
+     * Set the value for a specific limit.
+     *
+     * @param limit the limit
+     * @param state the state of the property
+     * @param value the value of the property
+     */
+    public void setLimit(Limit limit, State state, int value) {
+        setLimit(limit.ordinal(), state, value);
+    }
+
+    /**
+     * Set the value of a property by its index
+     *
+     * @param index the index of the property
+     * @param state the state of the property
+     * @param value the value of the property
+     */
+    public void setLimit(int index, State state, Object value) {
+        if (index == indexEntityCountInfo) {
+            //if it's explicitly set, it's treated as yes no matter the value
+            printEntityCountInfo = (String)value;
+        } else {
+            int temp = 0;
+            try {
+                temp = Integer.parseInt((String) value);
+                if (temp < 0) {
+                    temp = 0;
+                }
+            } catch (NumberFormatException e) {}
+            setLimit(index, state, temp);        }
+    }
+
+    /**
+     * Set the value of a property by its index
+     *
+     * @param index the index of the property
+     * @param state the state of the property
+     * @param value the value of the property
+     */
+    public void setLimit(int index, State state, int value) {
+        if (index == indexEntityCountInfo) {
+            //if it's explicitly set, it's treated as yes no matter the value
+            printEntityCountInfo = XalanConstants.JDK_YES;
+        } else {
+            //only update if it shall override
+            if (state.compareTo(states[index]) >= 0) {
+                values[index] = value;
+                states[index] = state;
+                isSet[index] = true;
+            }
+        }
+    }
+
+
+    /**
+     * Return the value of the specified property.
+     *
+     * @param propertyName the property name
+     * @return the value of the property as a string. If a property is managed
+     * by this manager, its value shall not be null.
+     */
+    public String getLimitAsString(String propertyName) {
+        int index = getIndex(propertyName);
+        if (index > -1) {
+            return getLimitValueByIndex(index);
+        }
+
+        return null;
+    }
+
+    /**
+     * Return the value of a property by its ordinal
+     *
+     * @param limit the property
+     * @return value of a property
+     */
+    public String getLimitValueAsString(Limit limit) {
+        return Integer.toString(values[limit.ordinal()]);
+    }
+
+    /**
+     * Return the value of the specified property
+     *
+     * @param limit the property
+     * @return the value of the property
+     */
+    public int getLimit(Limit limit) {
+        return values[limit.ordinal()];
+    }
+
+    /**
+     * Return the value of a property by its ordinal
+     *
+     * @param index the index of a property
+     * @return value of a property
+     */
+    public int getLimitByIndex(int index) {
+        return values[index];
+    }
+    /**
+     * Return the value of a property by its index
+     *
+     * @param index the index of a property
+     * @return limit of a property as a string
+     */
+    public String getLimitValueByIndex(int index) {
+        if (index == indexEntityCountInfo) {
+            return printEntityCountInfo;
+        }
+
+        return Integer.toString(values[index]);
+    }
+    /**
+     * Return the state of the limit property
+     *
+     * @param limit the limit
+     * @return the state of the limit property
+     */
+    public State getState(Limit limit) {
+        return states[limit.ordinal()];
+    }
+
+    /**
+     * Return the state of the limit property
+     *
+     * @param limit the limit
+     * @return the state of the limit property
+     */
+    public String getStateLiteral(Limit limit) {
+        return states[limit.ordinal()].literal();
+    }
+
+    /**
+     * Get the index by property name
+     *
+     * @param propertyName property name
+     * @return the index of the property if found; return -1 if not
+     */
+    public int getIndex(String propertyName) {
+        for (Limit limit : Limit.values()) {
+            if (limit.equalsAPIPropertyName(propertyName)) {
+                //internally, ordinal is used as index
+                return limit.ordinal();
+            }
+        }
+        //special property to return entity count info
+        if (propertyName.equals(XalanConstants.JDK_ENTITY_COUNT_INFO)) {
+            return indexEntityCountInfo;
+        }
+        return -1;
+    }
+
+    /**
+     * Indicate if a property is set explicitly
+     * @param index
+     * @return
+     */
+    public boolean isSet(int index) {
+        return isSet[index];
+    }
+
+    public boolean printEntityCountInfo() {
+        return printEntityCountInfo.equals(XalanConstants.JDK_YES);
+    }
+    /**
+     * Read from system properties, or those in jaxp.properties
+     */
+    private void readSystemProperties() {
+
+        for (Limit limit : Limit.values()) {
+            if (!getSystemProperty(limit, limit.systemProperty())) {
+                //if system property is not found, try the older form if any
+                for (NameMap nameMap : NameMap.values()) {
+                    String oldName = nameMap.getOldName(limit.systemProperty());
+                    if (oldName != null) {
+                        getSystemProperty(limit, oldName);
+                    }
+                }
+            }
+        }
+
+    }
+
+    /**
+     * Read from system properties, or those in jaxp.properties
+     *
+     * @param property the type of the property
+     * @param sysPropertyName the name of system property
+     */
+    private boolean getSystemProperty(Limit limit, String sysPropertyName) {
+        try {
+            String value = SecuritySupport.getSystemProperty(sysPropertyName);
+            if (value != null && !value.equals("")) {
+                values[limit.ordinal()] = Integer.parseInt(value);
+                states[limit.ordinal()] = State.SYSTEMPROPERTY;
+                return true;
+            }
+
+            value = SecuritySupport.readJAXPProperty(sysPropertyName);
+            if (value != null && !value.equals("")) {
+                values[limit.ordinal()] = Integer.parseInt(value);
+                states[limit.ordinal()] = State.JAXPDOTPROPERTIES;
+                return true;
+            }
+        } catch (NumberFormatException e) {
+            //invalid setting
+            throw new NumberFormatException("Invalid setting for system property: " + limit.systemProperty());
+        }
+        return false;
+    }
+}
--- a/jaxp/src/com/sun/org/apache/xalan/internal/utils/XMLSecurityPropertyManager.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/utils/XMLSecurityPropertyManager.java	Fri Oct 11 19:49:44 2013 +0100
@@ -94,6 +94,23 @@
     }
 
     /**
+     * Set limit by property name and state
+     * @param propertyName property name
+     * @param state the state of the property
+     * @param value the value of the property
+     * @return true if the property is managed by the security property manager;
+     *         false if otherwise.
+     */
+    public boolean setValue(String propertyName, State state, Object value) {
+        int index = getIndex(propertyName);
+        if (index > -1) {
+            setValue(index, state, (String)value);
+            return true;
+        }
+        return false;
+    }
+
+    /**
      * Set the value for a specific property.
      *
      * @param property the property
@@ -121,6 +138,22 @@
             states[index] = state;
         }
     }
+
+    /**
+     * Return the value of the specified property
+     *
+     * @param propertyName the property name
+     * @return the value of the property as a string
+     */
+    public String getValue(String propertyName) {
+        int index = getIndex(propertyName);
+        if (index > -1) {
+            return getValueByIndex(index);
+        }
+
+        return null;
+    }
+
     /**
      * Return the value of the specified property
      *
--- a/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/compiler/Import.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/compiler/Import.java	Fri Oct 11 19:49:44 2013 +0100
@@ -86,7 +86,7 @@
             if (input == null) {
                 docToLoad = SystemIDResolver.getAbsoluteURI(docToLoad, currLoadedDoc);
                 String accessError = SecuritySupport.checkAccess(docToLoad,
-                        xsltc.getProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET),
+                        (String)xsltc.getProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET),
                         XalanConstants.ACCESS_EXTERNAL_ALL);
 
                 if (accessError != null) {
--- a/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/compiler/Include.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/compiler/Include.java	Fri Oct 11 19:49:44 2013 +0100
@@ -87,7 +87,7 @@
             if (input == null) {
                 docToLoad = SystemIDResolver.getAbsoluteURI(docToLoad, currLoadedDoc);
                 String accessError = SecuritySupport.checkAccess(docToLoad,
-                        xsltc.getProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET),
+                        (String)xsltc.getProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET),
                         XalanConstants.ACCESS_EXTERNAL_ALL);
 
                 if (accessError != null) {
--- a/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/compiler/Parser.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/compiler/Parser.java	Fri Oct 11 19:49:44 2013 +0100
@@ -28,6 +28,7 @@
 import com.sun.org.apache.xalan.internal.utils.FactoryImpl;
 import com.sun.org.apache.xalan.internal.utils.ObjectFactory;
 import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
+import com.sun.org.apache.xalan.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.util.ErrorMsg;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.util.MethodType;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.util.Type;
@@ -487,6 +488,20 @@
             }
 
             final XMLReader reader = parser.getXMLReader();
+            try {
+                XMLSecurityManager securityManager =
+                        (XMLSecurityManager)_xsltc.getProperty(XalanConstants.SECURITY_MANAGER);
+                for (XMLSecurityManager.Limit limit : XMLSecurityManager.Limit.values()) {
+                    reader.setProperty(limit.apiProperty(), securityManager.getLimitValueAsString(limit));
+                }
+                if (securityManager.printEntityCountInfo()) {
+                    parser.setProperty(XalanConstants.JDK_ENTITY_COUNT_INFO, XalanConstants.JDK_YES);
+                }
+            } catch (SAXException se) {
+                System.err.println("Warning:  " + reader.getClass().getName() + ": "
+                            + se.getMessage());
+            }
+
             return(parse(reader, input));
         }
         catch (ParserConfigurationException e) {
@@ -565,7 +580,7 @@
                 }
                 path = SystemIDResolver.getAbsoluteURI(path);
                 String accessError = SecuritySupport.checkAccess(path,
-                        _xsltc.getProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET),
+                        (String)_xsltc.getProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET),
                         XalanConstants.ACCESS_EXTERNAL_ALL);
                 if (accessError != null) {
                     ErrorMsg msg = new ErrorMsg(ErrorMsg.ACCESSING_XSLT_TARGET_ERR,
--- a/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/compiler/XSLTC.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/compiler/XSLTC.java	Fri Oct 11 19:49:44 2013 +0100
@@ -44,11 +44,11 @@
 import com.sun.org.apache.bcel.internal.classfile.JavaClass;
 import com.sun.org.apache.xalan.internal.XalanConstants;
 import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
+import com.sun.org.apache.xalan.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.util.ErrorMsg;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.util.Util;
 import com.sun.org.apache.xml.internal.dtm.DTM;
 
-import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
 import org.xml.sax.InputSource;
 import org.xml.sax.XMLReader;
 
@@ -146,6 +146,7 @@
      */
     private String _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
 
+    private XMLSecurityManager _xmlSecurityManager;
 
     /**
      * XSLTC compiler constructor
@@ -184,12 +185,14 @@
     /**
      * Return allowed protocols for accessing external stylesheet.
      */
-    public String getProperty(String name) {
+    public Object getProperty(String name) {
         if (name.equals(XMLConstants.ACCESS_EXTERNAL_STYLESHEET)) {
             return _accessExternalStylesheet;
         }
         else if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) {
             return _accessExternalDTD;
+        } else if (name.equals(XalanConstants.SECURITY_MANAGER)) {
+            return _xmlSecurityManager;
         }
         return null;
     }
@@ -197,12 +200,14 @@
     /**
      * Set allowed protocols for accessing external stylesheet.
      */
-    public void setProperty(String name, String value) {
+    public void setProperty(String name, Object value) {
         if (name.equals(XMLConstants.ACCESS_EXTERNAL_STYLESHEET)) {
             _accessExternalStylesheet = (String)value;
         }
         else if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) {
             _accessExternalDTD = (String)value;
+        } else if (name.equals(XalanConstants.SECURITY_MANAGER)) {
+            _xmlSecurityManager = (XMLSecurityManager)value;
         }
     }
 
--- a/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TemplatesHandlerImpl.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TemplatesHandlerImpl.java	Fri Oct 11 19:49:44 2013 +0100
@@ -29,7 +29,7 @@
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.URIResolver;
 import javax.xml.transform.sax.TemplatesHandler;
-
+import com.sun.org.apache.xalan.internal.XalanConstants;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.CompilerException;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.Parser;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.SourceLoader;
@@ -103,6 +103,8 @@
                 (String)tfactory.getAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET));
         xsltc.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,
                 (String)tfactory.getAttribute(XMLConstants.ACCESS_EXTERNAL_DTD));
+        xsltc.setProperty(XalanConstants.SECURITY_MANAGER,
+                tfactory.getAttribute(XalanConstants.SECURITY_MANAGER));
 
 
         if ("true".equals(tfactory.getAttribute(TransformerFactoryImpl.ENABLE_INLINING)))
--- a/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java	Fri Oct 11 19:49:44 2013 +0100
@@ -27,6 +27,7 @@
 import com.sun.org.apache.xalan.internal.utils.FactoryImpl;
 import com.sun.org.apache.xalan.internal.utils.ObjectFactory;
 import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
+import com.sun.org.apache.xalan.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager.Property;
 import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager.State;
@@ -218,13 +219,13 @@
      * protocols allowed for external references set by the stylesheet processing instruction, Import and Include element.
      */
     private String _accessExternalStylesheet = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
-
      /**
      * protocols allowed for external DTD references in source file and/or stylesheet.
      */
     private String _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
 
     private XMLSecurityPropertyManager _xmlSecurityPropertyMgr;
+    private XMLSecurityManager _xmlSecurityManager;
 
     /**
      * javax.xml.transform.sax.TransformerFactory implementation.
@@ -250,6 +251,9 @@
                 Property.ACCESS_EXTERNAL_DTD);
         _accessExternalStylesheet = _xmlSecurityPropertyMgr.getValue(
                 Property.ACCESS_EXTERNAL_STYLESHEET);
+
+        //Parser's security manager
+        _xmlSecurityManager = new XMLSecurityManager(true);
     }
 
     /**
@@ -311,11 +315,21 @@
               return Boolean.TRUE;
             else
               return Boolean.FALSE;
+        } else if (name.equals(XalanConstants.SECURITY_MANAGER)) {
+            return _xmlSecurityManager;
         }
 
-        int index = _xmlSecurityPropertyMgr.getIndex(name);
-        if (index > -1) {
-            return _xmlSecurityPropertyMgr.getValueByIndex(index);
+        /** Check to see if the property is managed by the security manager **/
+        String propertyValue = (_xmlSecurityManager != null) ?
+                _xmlSecurityManager.getLimitAsString(name) : null;
+        if (propertyValue != null) {
+            return propertyValue;
+        } else {
+            propertyValue = (_xmlSecurityPropertyMgr != null) ?
+                _xmlSecurityPropertyMgr.getValue(name) : null;
+            if (propertyValue != null) {
+                return propertyValue;
+            }
         }
 
         // Throw an exception for all other attributes
@@ -419,10 +433,13 @@
             }
         }
 
-        int index = _xmlSecurityPropertyMgr.getIndex(name);
-        if (index > -1) {
-            _xmlSecurityPropertyMgr.setValue(index,
-                    State.APIPROPERTY, (String)value);
+        if (_xmlSecurityManager != null &&
+                _xmlSecurityManager.setLimit(name, XMLSecurityManager.State.APIPROPERTY, value)) {
+            return;
+        }
+
+        if (_xmlSecurityPropertyMgr != null &&
+            _xmlSecurityPropertyMgr.setValue(name, XMLSecurityPropertyManager.State.APIPROPERTY, value)) {
             _accessExternalDTD = _xmlSecurityPropertyMgr.getValue(
                     Property.ACCESS_EXTERNAL_DTD);
             _accessExternalStylesheet = _xmlSecurityPropertyMgr.getValue(
@@ -473,6 +490,7 @@
                 throw new TransformerConfigurationException(err.toString());
             }
             _isNotSecureProcessing = !value;
+            _xmlSecurityManager.setSecureProcessing(value);
 
             // set external access restriction when FSP is explicitly set
             if (value && XalanConstants.IS_JDK8_OR_ABOVE) {
@@ -849,6 +867,7 @@
         if (!_isNotSecureProcessing) xsltc.setSecureProcessing(true);
         xsltc.setProperty(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, _accessExternalStylesheet);
         xsltc.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, _accessExternalDTD);
+        xsltc.setProperty(XalanConstants.SECURITY_MANAGER, _xmlSecurityManager);
         xsltc.init();
 
         // Set a document loader (for xsl:include/import) if defined
--- a/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerImpl.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerImpl.java	Fri Oct 11 19:49:44 2013 +0100
@@ -25,6 +25,7 @@
 
 import com.sun.org.apache.xalan.internal.XalanConstants;
 import com.sun.org.apache.xalan.internal.utils.FactoryImpl;
+import com.sun.org.apache.xalan.internal.utils.XMLSecurityManager;
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
@@ -214,6 +215,7 @@
      */
     private String _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
 
+    private XMLSecurityManager _securityManager;
     /**
      * A hashtable to store parameters for the identity transform. These
      * are not needed during the transformation, but we must keep track of
@@ -269,8 +271,11 @@
         _useServicesMechanism = _tfactory.useServicesMechnism();
         _accessExternalStylesheet = (String)_tfactory.getAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET);
         _accessExternalDTD = (String)_tfactory.getAttribute(XMLConstants.ACCESS_EXTERNAL_DTD);
+        _securityManager = (XMLSecurityManager)_tfactory.getAttribute(XalanConstants.SECURITY_MANAGER);
         _readerManager = XMLReaderManager.getInstance(_useServicesMechanism);
         _readerManager.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, _accessExternalDTD);
+        _readerManager.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, _isSecureProcessing);
+        _readerManager.setProperty(XalanConstants.SECURITY_MANAGER, _securityManager);
         //_isIncremental = tfactory._incremental;
     }
 
@@ -286,6 +291,7 @@
      */
     public void setSecureProcessing(boolean flag) {
         _isSecureProcessing = flag;
+        _readerManager.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, _isSecureProcessing);
     }
     /**
      * Return the state of the services mechanism feature.
--- a/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/Util.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/Util.java	Fri Oct 11 19:49:44 2013 +0100
@@ -23,6 +23,7 @@
 
 package com.sun.org.apache.xalan.internal.xsltc.trax;
 
+import com.sun.org.apache.xalan.internal.XalanConstants;
 import java.io.InputStream;
 import java.io.Reader;
 
@@ -43,6 +44,7 @@
 import javax.xml.transform.stream.StreamSource;
 
 import com.sun.org.apache.xalan.internal.utils.FactoryImpl;
+import com.sun.org.apache.xalan.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.XSLTC;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.util.ErrorMsg;
 
@@ -105,6 +107,13 @@
                     if (reader == null) {
                        try {
                            reader= XMLReaderFactory.createXMLReader();
+                           try {
+                                reader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING,
+                                            xsltc.isSecureProcessing());
+                           } catch (SAXNotRecognizedException e) {
+                                System.err.println("Warning:  " + reader.getClass().getName() + ": "
+                                        + e.getMessage());
+                           }
                        } catch (Exception e ) {
                            try {
 
@@ -144,6 +153,22 @@
                                 + e.getMessage());
                     }
 
+                    try {
+                        XMLSecurityManager securityManager =
+                                (XMLSecurityManager)xsltc.getProperty(XalanConstants.SECURITY_MANAGER);
+                        if (securityManager != null) {
+                            for (XMLSecurityManager.Limit limit : XMLSecurityManager.Limit.values()) {
+                                reader.setProperty(limit.apiProperty(),
+                                        securityManager.getLimitValueAsString(limit));
+                            }
+                            if (securityManager.printEntityCountInfo()) {
+                                reader.setProperty(XalanConstants.JDK_ENTITY_COUNT_INFO, XalanConstants.JDK_YES);
+                            }
+                        }
+                    } catch (SAXException se) {
+                        System.err.println("Warning:  " + reader.getClass().getName() + ": "
+                                    + se.getMessage());
+                    }
                     xsltc.setXMLReader(reader);
                 }catch (SAXNotRecognizedException snre ) {
                   throw new TransformerConfigurationException
--- a/jaxp/src/com/sun/org/apache/xerces/internal/dom/DOMConfigurationImpl.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/dom/DOMConfigurationImpl.java	Fri Oct 11 19:49:44 2013 +0100
@@ -33,6 +33,7 @@
 import com.sun.org.apache.xerces.internal.util.PropertyState;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
 import com.sun.org.apache.xerces.internal.utils.ObjectFactory;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.XMLDTDContentModelHandler;
 import com.sun.org.apache.xerces.internal.xni.XMLDTDHandler;
@@ -59,6 +60,7 @@
 import org.w3c.dom.ls.LSResourceResolver;
 
 
+
 /**
  * Xerces implementation of DOMConfiguration that maintains a table of recognized parameters.
  *
@@ -156,6 +158,9 @@
     protected static final String SCHEMA_DV_FACTORY =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SCHEMA_DV_FACTORY_PROPERTY;
 
+    /** Property identifier: Security manager. */
+    private static final String SECURITY_MANAGER = Constants.SECURITY_MANAGER;
+
     /** Property identifier: Security property manager. */
     private static final String XML_SECURITY_PROPERTY_MANAGER =
             Constants.XML_SECURITY_PROPERTY_MANAGER;
@@ -279,6 +284,7 @@
             JAXP_SCHEMA_LANGUAGE,
             DTD_VALIDATOR_FACTORY_PROPERTY,
             SCHEMA_DV_FACTORY,
+            SECURITY_MANAGER,
             XML_SECURITY_PROPERTY_MANAGER
         };
         addRecognizedProperties(recognizedProperties);
@@ -313,6 +319,8 @@
         fValidationManager = createValidationManager();
         setProperty(VALIDATION_MANAGER, fValidationManager);
 
+        setProperty(SECURITY_MANAGER, new XMLSecurityManager(true));
+
         setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER,
                 new XMLSecurityPropertyManager());
 
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/Constants.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/Constants.java	Fri Oct 11 19:49:44 2013 +0100
@@ -174,8 +174,6 @@
     /** JAXP schemaSource language: when used internally may include DTD namespace (DOM) */
     public static final String SCHEMA_LANGUAGE = "schemaLanguage";
 
-    public static final String SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT = "elementAttributeLimit" ;
-
     /** JAXP Standard property prefix ("http://javax.xml.XMLConstants/property/"). */
     public static final String JAXPAPI_PROPERTY_PREFIX =
         "http://javax.xml.XMLConstants/property/";
@@ -209,6 +207,107 @@
     public static final boolean IS_JDK8_OR_ABOVE = isJavaVersionAtLeast(8);
 
     //
+    // Implementation limits: corresponding System Properties of the above
+    // API properties
+    //
+    /**
+     * JDK entity expansion limit; Note that the existing system property
+     * "entityExpansionLimit" with no prefix is still observed
+     */
+    public static final String JDK_ENTITY_EXPANSION_LIMIT =
+            ORACLE_JAXP_PROPERTY_PREFIX + "entityExpansionLimit";
+
+    /**
+     * JDK element attribute limit; Note that the existing system property
+     * "elementAttributeLimit" with no prefix is still observed
+     */
+    public static final String JDK_ELEMENT_ATTRIBUTE_LIMIT =
+            ORACLE_JAXP_PROPERTY_PREFIX + "elementAttributeLimit";
+
+    /**
+     * JDK maxOccur limit; Note that the existing system property
+     * "maxOccurLimit" with no prefix is still observed
+     */
+    public static final String JDK_MAX_OCCUR_LIMIT =
+            ORACLE_JAXP_PROPERTY_PREFIX + "maxOccurLimit";
+
+    /**
+     * JDK total entity size limit
+     */
+    public static final String JDK_TOTAL_ENTITY_SIZE_LIMIT =
+            ORACLE_JAXP_PROPERTY_PREFIX + "totalEntitySizeLimit";
+
+    /**
+     * JDK maximum general entity size limit
+     */
+    public static final String JDK_GENEAL_ENTITY_SIZE_LIMIT =
+            ORACLE_JAXP_PROPERTY_PREFIX + "maxGeneralEntitySizeLimit";
+    /**
+     * JDK maximum parameter entity size limit
+     */
+    public static final String JDK_PARAMETER_ENTITY_SIZE_LIMIT =
+            ORACLE_JAXP_PROPERTY_PREFIX + "maxParameterEntitySizeLimit";
+    /**
+     * JDK maximum XML name limit
+     */
+    public static final String JDK_XML_NAME_LIMIT =
+            ORACLE_JAXP_PROPERTY_PREFIX + "maxXMLNameLimit";
+    /**
+     * JDK property to allow printing out information from the limit analyzer
+     */
+    public static final String JDK_ENTITY_COUNT_INFO =
+            ORACLE_JAXP_PROPERTY_PREFIX + "getEntityCountInfo";
+
+    //
+    // Implementation limits: API properties
+    //
+    /**
+     * JDK entity expansion limit; Note that the existing system property
+     * "entityExpansionLimit" with no prefix is still observed
+     */
+    public static final String SP_ENTITY_EXPANSION_LIMIT = "jdk.xml.entityExpansionLimit";
+
+    /**
+     * JDK element attribute limit; Note that the existing system property
+     * "elementAttributeLimit" with no prefix is still observed
+     */
+    public static final String SP_ELEMENT_ATTRIBUTE_LIMIT =  "jdk.xml.elementAttributeLimit";
+
+    /**
+     * JDK maxOccur limit; Note that the existing system property
+     * "maxOccurLimit" with no prefix is still observed
+     */
+    public static final String SP_MAX_OCCUR_LIMIT = "jdk.xml.maxOccurLimit";
+
+    /**
+     * JDK total entity size limit
+     */
+    public static final String SP_TOTAL_ENTITY_SIZE_LIMIT = "jdk.xml.totalEntitySizeLimit";
+
+    /**
+     * JDK maximum general entity size limit
+     */
+    public static final String SP_GENEAL_ENTITY_SIZE_LIMIT = "jdk.xml.maxGeneralEntitySizeLimit";
+    /**
+     * JDK maximum parameter entity size limit
+     */
+    public static final String SP_PARAMETER_ENTITY_SIZE_LIMIT = "jdk.xml.maxParameterEntitySizeLimit";
+    /**
+     * JDK maximum XML name limit
+     */
+    public static final String SP_XML_NAME_LIMIT = "jdk.xml.maxXMLNameLimit";
+
+    //legacy System Properties
+    public final static String ENTITY_EXPANSION_LIMIT = "entityExpansionLimit";
+    public static final String ELEMENT_ATTRIBUTE_LIMIT = "elementAttributeLimit" ;
+    public final static String MAX_OCCUR_LIMIT = "maxOccurLimit";
+
+    /**
+     * A string "yes" that can be used for properties such as getEntityCountInfo
+     */
+    public static final String JDK_YES = "yes";
+
+    //
     // DOM features
     //
 
@@ -443,7 +542,7 @@
     public static final String LOCALE_PROPERTY = "locale";
 
     /** property identifier: security manager. */
-    protected static final String SECURITY_MANAGER =
+    public static final String SECURITY_MANAGER =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
 
 
@@ -511,9 +610,6 @@
      */
     public final static String ATTRIBUTE_DECLARED = "ATTRIBUTE_DECLARED";
 
-        public final static String ENTITY_EXPANSION_LIMIT = "entityExpansionLimit";
-
-        public final static String MAX_OCCUR_LIMIT = "maxOccurLimit";
 
     /**
      * {@link org.w3c.dom.TypeInfo} associated with current element/attribute
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/PropertyManager.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/PropertyManager.java	Fri Oct 11 19:49:44 2013 +0100
@@ -25,6 +25,7 @@
 
 package com.sun.org.apache.xerces.internal.impl;
 
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.xml.internal.stream.StaxEntityResolverWrapper;
 import java.util.HashMap;
@@ -50,12 +51,16 @@
 
     private static final String STRING_INTERNING = "http://xml.org/sax/features/string-interning";
 
+    /** Property identifier: Security manager. */
+    private static final String SECURITY_MANAGER = Constants.SECURITY_MANAGER;
+
     /** Property identifier: Security property manager. */
     private static final String XML_SECURITY_PROPERTY_MANAGER =
             Constants.XML_SECURITY_PROPERTY_MANAGER;
 
     HashMap supportedProps = new HashMap();
 
+    private XMLSecurityManager fSecurityManager;
     private XMLSecurityPropertyManager fSecurityPropertyMgr;
 
     public static final int CONTEXT_READER = 1;
@@ -82,6 +87,7 @@
 
         HashMap properties = propertyManager.getProperties();
         supportedProps.putAll(properties);
+        fSecurityManager = (XMLSecurityManager)getProperty(SECURITY_MANAGER);
         fSecurityPropertyMgr = (XMLSecurityPropertyManager)getProperty(XML_SECURITY_PROPERTY_MANAGER);
     }
 
@@ -124,6 +130,8 @@
         supportedProps.put(Constants.XERCES_FEATURE_PREFIX + Constants.WARN_ON_DUPLICATE_ENTITYDEF_FEATURE, new Boolean(false));
         supportedProps.put(Constants.XERCES_FEATURE_PREFIX + Constants.WARN_ON_UNDECLARED_ELEMDEF_FEATURE, new Boolean(false));
 
+        fSecurityManager = new XMLSecurityManager(true);
+        supportedProps.put(SECURITY_MANAGER, fSecurityManager);
         fSecurityPropertyMgr = new XMLSecurityPropertyManager();
         supportedProps.put(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
     }
@@ -142,6 +150,7 @@
      */
     public boolean containsProperty(String property){
         return supportedProps.containsKey(property) ||
+                (fSecurityManager != null && fSecurityManager.getIndex(property) > -1) ||
                 (fSecurityPropertyMgr!=null && fSecurityPropertyMgr.getIndex(property) > -1) ;
     }
 
@@ -169,12 +178,34 @@
             supportedProps.put( Constants.XERCES_PROPERTY_PREFIX + Constants.STAX_ENTITY_RESOLVER_PROPERTY , new StaxEntityResolverWrapper((XMLResolver)value)) ;
         }
 
-        int index = (fSecurityPropertyMgr != null) ? fSecurityPropertyMgr.getIndex(property) : -1;
-        if (index > -1) {
-            fSecurityPropertyMgr.setValue(index,
-                    XMLSecurityPropertyManager.State.APIPROPERTY, (String)value);
-        } else {
-            supportedProps.put(property, value);
+        /**
+         * It's possible for users to set a security manager through the interface.
+         * If it's the old SecurityManager, convert it to the new XMLSecurityManager
+         */
+        if (property.equals(Constants.SECURITY_MANAGER)) {
+            fSecurityManager = XMLSecurityManager.convert(value, fSecurityManager);
+            supportedProps.put(Constants.SECURITY_MANAGER, fSecurityManager);
+            return;
+        }
+        if (property.equals(Constants.XML_SECURITY_PROPERTY_MANAGER)) {
+            if (value == null) {
+                fSecurityPropertyMgr = new XMLSecurityPropertyManager();
+            } else {
+                fSecurityPropertyMgr = (XMLSecurityPropertyManager)value;
+            }
+            supportedProps.put(Constants.XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
+            return;
+        }
+
+        //check if the property is managed by security manager
+        if (fSecurityManager == null ||
+                !fSecurityManager.setLimit(property, XMLSecurityManager.State.APIPROPERTY, value)) {
+            //check if the property is managed by security property manager
+            if (fSecurityPropertyMgr == null ||
+                    !fSecurityPropertyMgr.setValue(property, XMLSecurityPropertyManager.State.APIPROPERTY, value)) {
+                //fall back to the existing property manager
+                supportedProps.put(property, value);
+            }
         }
 
         if(equivalentProperty != null){
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/XML11NSDocumentScannerImpl.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/XML11NSDocumentScannerImpl.java	Fri Oct 11 19:49:44 2013 +0100
@@ -108,6 +108,7 @@
  * @author Elena Litani, IBM
  * @author Michael Glavassevich, IBM
  * @author Sunitha Reddy, Sun Microsystems
+ * @version $Id: XML11NSDocumentScannerImpl.java,v 1.6 2010-11-01 04:39:40 joehw Exp $
  */
 public class XML11NSDocumentScannerImpl extends XML11DocumentScannerImpl {
 
@@ -236,7 +237,8 @@
 
             // attributes
             scanAttribute(fAttributes);
-            if (fSecurityManager != null && fAttributes.getLength() > fElementAttributeLimit){
+            if (fSecurityManager != null && (!fSecurityManager.isNoLimit(fElementAttributeLimit)) &&
+                    fAttributes.getLength() > fElementAttributeLimit){
                 fErrorReporter.reportError(XMLMessageFormatter.XML_DOMAIN,
                                              "ElementAttributeLimit",
                                              new Object[]{rawname, new Integer(fElementAttributeLimit) },
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLDTDScannerImpl.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLDTDScannerImpl.java	Fri Oct 11 19:49:44 2013 +0100
@@ -44,6 +44,8 @@
 import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter;
 import com.sun.org.apache.xerces.internal.impl.XMLEntityHandler;
 import com.sun.org.apache.xerces.internal.impl.Constants;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
+import com.sun.xml.internal.stream.Entity;
 
 /**
  * This class is responsible for scanning the declarations found
@@ -66,7 +68,7 @@
  * @author Glenn Marcy, IBM
  * @author Eric Ye, IBM
  *
- * @version $Id: XMLDTDScannerImpl.java,v 1.7 2007/09/26 12:52:40 ndw Exp $
+ * @version $Id: XMLDTDScannerImpl.java,v 1.8 2010-11-01 04:39:41 joehw Exp $
  */
 public class XMLDTDScannerImpl
 extends XMLScanner
@@ -1545,7 +1547,7 @@
 
         // internal entity
         if (systemId == null) {
-            scanEntityValue(fLiteral, fLiteral2);
+            scanEntityValue(name, isPEDecl, fLiteral, fLiteral2);
             // since we need it's value anyway, let's snag it so it doesn't get corrupted
             // if a new load takes place before we store the entity values
             fStringBuffer.clear();
@@ -1610,7 +1612,7 @@
      * the use of scanCharReferenceValue), and fStringBuffer2, anything in them
      * at the time of calling is lost.
      */
-    protected final void scanEntityValue(XMLString value,
+    protected final void scanEntityValue(String entityName, boolean isPEDecl, XMLString value,
     XMLString nonNormalizedValue)
     throws IOException, XNIException {
         int quote = fEntityScanner.scanChar();
@@ -1622,10 +1624,20 @@
 
         XMLString literal = fString;
         XMLString literal2 = fString;
+        int countChar = 0;
+        if (fLimitAnalyzer == null && fSecurityManager != null) {
+            fLimitAnalyzer = fSecurityManager.getLimitAnalyzer();
+            fLimitAnalyzer.startEntity(entityName);
+        }
+
         if (fEntityScanner.scanLiteral(quote, fString) != quote) {
             fStringBuffer.clear();
             fStringBuffer2.clear();
             do {
+                if (isPEDecl && fLimitAnalyzer != null) {
+                    checkLimit("%" + entityName, fString.length + countChar);
+                }
+                countChar = 0;
                 fStringBuffer.append(fString);
                 fStringBuffer2.append(fString);
                 if (fEntityScanner.skipChar('&')) {
@@ -1685,6 +1697,7 @@
                     }
                 }
                 else {
+                    countChar++;
                     int c = fEntityScanner.peekChar();
                     if (XMLChar.isHighSurrogate(c)) {
                         scanSurrogates(fStringBuffer2);
@@ -1708,9 +1721,17 @@
             fStringBuffer2.append(fString);
             literal = fStringBuffer;
             literal2 = fStringBuffer2;
+        } else {
+            if (isPEDecl) {
+                checkLimit("%" + entityName, literal);
+        }
         }
         value.setValues(literal);
         nonNormalizedValue.setValues(literal2);
+        if (fLimitAnalyzer != null) {
+            fLimitAnalyzer.endEntity(XMLSecurityManager.Limit.PARAMETER_ENTITY_SIZE_LIMIT, entityName);
+        }
+
         if (!fEntityScanner.skipChar(quote)) {
             reportFatalError("CloseQuoteMissingInDecl", null);
         }
@@ -2126,6 +2147,43 @@
         //new SymbolTable());
     }
 
+    /**
+     * Add the count of the content buffer and check if the accumulated
+     * value exceeds the limit
+     * @param entityName entity name
+     * @param buffer content buffer
+     */
+    private void checkLimit(String entityName, XMLString buffer) {
+        checkLimit(entityName, buffer.length);
+    }
+
+    /**
+     * Add the count and check limit
+     * @param entityName entity name
+     * @param len length of the buffer
+     */
+    private void checkLimit(String entityName, int len) {
+        if (fLimitAnalyzer == null) {
+            fLimitAnalyzer = fSecurityManager.getLimitAnalyzer();
+        }
+        fLimitAnalyzer.addValue(XMLSecurityManager.Limit.PARAMETER_ENTITY_SIZE_LIMIT, entityName, len);
+        if (fSecurityManager.isOverLimit(XMLSecurityManager.Limit.PARAMETER_ENTITY_SIZE_LIMIT)) {
+                    fSecurityManager.debugPrint();
+            reportFatalError("MaxEntitySizeLimit", new Object[]{entityName,
+                fLimitAnalyzer.getValue(XMLSecurityManager.Limit.PARAMETER_ENTITY_SIZE_LIMIT),
+                fSecurityManager.getLimit(XMLSecurityManager.Limit.PARAMETER_ENTITY_SIZE_LIMIT),
+                fSecurityManager.getStateLiteral(XMLSecurityManager.Limit.PARAMETER_ENTITY_SIZE_LIMIT)});
+        }
+        if (fSecurityManager.isOverLimit(XMLSecurityManager.Limit.TOTAL_ENTITY_SIZE_LIMIT)) {
+            fSecurityManager.debugPrint();
+            reportFatalError("TotalEntitySizeLimit",
+                new Object[]{fLimitAnalyzer.getTotalValue(XMLSecurityManager.Limit.TOTAL_ENTITY_SIZE_LIMIT),
+                fSecurityManager.getLimit(XMLSecurityManager.Limit.TOTAL_ENTITY_SIZE_LIMIT),
+                fSecurityManager.getStateLiteral(XMLSecurityManager.Limit.TOTAL_ENTITY_SIZE_LIMIT)});
+        }
+
+    }
+
     public DTDGrammar getGrammar(){
         return nvGrammarInfo;
     }
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java	Fri Oct 11 19:49:44 2013 +0100
@@ -50,12 +50,14 @@
 import com.sun.org.apache.xerces.internal.xni.Augmentations;
 import com.sun.org.apache.xerces.internal.impl.Constants;
 import com.sun.org.apache.xerces.internal.impl.XMLEntityHandler;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.NamespaceSupport;
 import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLLimitAnalyzer;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager.Limit;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager.State;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
-import com.sun.xml.internal.stream.Entity;
 import javax.xml.XMLConstants;
 import javax.xml.stream.XMLStreamConstants;
 import javax.xml.stream.events.XMLEvent;
@@ -213,11 +215,8 @@
     };
 
     private static final char [] cdata = {'[','C','D','A','T','A','['};
+    static final char [] xmlDecl = {'<','?','x','m','l'};
     private static final char [] endTag = {'<','/'};
-
-    //this variable is also used by XMLDocumentScannerImpl in the same package
-    static final char [] xmlDecl = {'<','?','x','m','l'};
-
     // debugging
 
     /** Debug scanner state. */
@@ -316,6 +315,7 @@
     protected String fDeclaredEncoding =  null;
     /** Xerces Feature: Disallow doctype declaration. */
     protected boolean fDisallowDoctype = false;
+
     /**
      * comma-delimited list of protocols that are allowed for the purpose
      * of accessing external dtd or entity references
@@ -384,7 +384,6 @@
 
     protected boolean foundBuiltInRefs = false;
 
-    protected SecurityManager fSecurityManager = null;
 
     //skip element algorithm
     static final short MAX_DEPTH_LIMIT = 5 ;
@@ -571,8 +570,11 @@
         // xerces features
         fReportCdataEvent = componentManager.getFeature(Constants.STAX_REPORT_CDATA_EVENT, true);
 
-        fSecurityManager = (SecurityManager)componentManager.getProperty(Constants.SECURITY_MANAGER, null);
-        fElementAttributeLimit = (fSecurityManager != null)?fSecurityManager.getElementAttrLimit():0;
+        fSecurityManager = (XMLSecurityManager)componentManager.getProperty(Constants.SECURITY_MANAGER, null);
+        fLimitAnalyzer = fSecurityManager.getLimitAnalyzer();
+
+        fElementAttributeLimit = (fSecurityManager != null)?
+                fSecurityManager.getLimit(XMLSecurityManager.Limit.ELEMENT_ATTRIBUTE_LIMIT):0;
 
         fNotifyBuiltInRefs = componentManager.getFeature(NOTIFY_BUILTIN_REFS, false);
 
@@ -598,9 +600,6 @@
         //xxx: external entities are supported in Xerces
         // it would be good to define feature for this case
         fSupportExternalEntities = true;
-        fSupportExternalEntities = true;
-        fSupportExternalEntities = true;
-        fSupportExternalEntities = true;
         fReplaceEntityReferences = true;
         fIsCoalesce = false;
 
@@ -671,6 +670,9 @@
         XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)
                 propertyManager.getProperty(XML_SECURITY_PROPERTY_MANAGER);
         fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
+
+        fSecurityManager = (XMLSecurityManager)propertyManager.getProperty(Constants.SECURITY_MANAGER);
+        fLimitAnalyzer = fSecurityManager.getLimitAnalyzer();
     } // reset(XMLComponentManager)
 
     /**
@@ -1322,7 +1324,8 @@
             fAddDefaultAttr = true;
             do {
                 scanAttribute(fAttributes);
-                if (fSecurityManager != null && fAttributes.getLength() > fElementAttributeLimit){
+                if (fSecurityManager != null && !fSecurityManager.isNoLimit(fElementAttributeLimit) &&
+                        fAttributes.getLength() > fElementAttributeLimit){
                     fErrorReporter.reportError(XMLMessageFormatter.XML_DOMAIN,
                                                  "ElementAttributeLimit",
                                                  new Object[]{rawname, new Integer(fAttributes.getLength()) },
@@ -2036,6 +2039,13 @@
 
     } // getDriverName():String
 
+    /**
+     * Check the protocol used in the systemId against allowed protocols
+     *
+     * @param systemId the Id of the URI
+     * @param allowedProtocols a list of allowed protocols separated by comma
+     * @return the name of the protocol if rejected, null otherwise
+     */
     String checkAccess(String systemId, String allowedProtocols) throws IOException {
         String baseSystemId = fEntityScanner.getBaseSystemId();
         String expandedSystemId = fEntityManager.expandSystemId(systemId, baseSystemId,fStrictURI);
@@ -2833,6 +2843,8 @@
                             if(DEBUG){
                                 System.out.println("NOT USING THE BUFFER, STRING = " + fTempString.toString());
                             }
+                            //check limit before returning event
+                            checkLimit(fContentBuffer);
                             if(dtdGrammarUtil!= null && dtdGrammarUtil.isIgnorableWhiteSpace(fContentBuffer)){
                                 if(DEBUG)System.out.println("Return SPACE EVENT");
                                 return XMLEvent.SPACE;
@@ -2931,6 +2943,8 @@
                             fLastSectionWasCharacterData = true ;
                             continue;
                         }else{
+                            //check limit before returning event
+                            checkLimit(fContentBuffer);
                             if(dtdGrammarUtil!= null && dtdGrammarUtil.isIgnorableWhiteSpace(fContentBuffer)){
                                 if(DEBUG)System.out.println("Return SPACE EVENT");
                                 return XMLEvent.SPACE;
@@ -3141,6 +3155,30 @@
             } //while loop
         }//next
 
+        /**
+         * Add the count of the content buffer and check if the accumulated
+         * value exceeds the limit
+         * @param buffer content buffer
+         */
+        protected void checkLimit(XMLStringBuffer buffer) {
+            if (fLimitAnalyzer.isTracking(fCurrentEntityName)) {
+                fLimitAnalyzer.addValue(Limit.GENEAL_ENTITY_SIZE_LIMIT, fCurrentEntityName, buffer.length);
+                if (fSecurityManager.isOverLimit(Limit.GENEAL_ENTITY_SIZE_LIMIT)) {
+                    fSecurityManager.debugPrint();
+                    reportFatalError("MaxEntitySizeLimit", new Object[]{fCurrentEntityName,
+                        fLimitAnalyzer.getValue(Limit.GENEAL_ENTITY_SIZE_LIMIT),
+                        fSecurityManager.getLimit(Limit.GENEAL_ENTITY_SIZE_LIMIT),
+                        fSecurityManager.getStateLiteral(Limit.GENEAL_ENTITY_SIZE_LIMIT)});
+                }
+                if (fSecurityManager.isOverLimit(Limit.TOTAL_ENTITY_SIZE_LIMIT)) {
+                    fSecurityManager.debugPrint();
+                    reportFatalError("TotalEntitySizeLimit",
+                        new Object[]{fLimitAnalyzer.getTotalValue(Limit.TOTAL_ENTITY_SIZE_LIMIT),
+                        fSecurityManager.getLimit(Limit.TOTAL_ENTITY_SIZE_LIMIT),
+                        fSecurityManager.getStateLiteral(Limit.TOTAL_ENTITY_SIZE_LIMIT)});
+                }
+            }
+        }
 
         //
         // Protected methods
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java	Fri Oct 11 19:49:44 2013 +0100
@@ -28,9 +28,10 @@
 import com.sun.org.apache.xerces.internal.impl.XMLEntityHandler;
 import com.sun.org.apache.xerces.internal.impl.validation.ValidationManager;
 import com.sun.org.apache.xerces.internal.util.*;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.URI;
 import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLLimitAnalyzer;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.Augmentations;
 import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier;
@@ -174,7 +175,6 @@
     /** access external dtd: file protocol */
     static final String EXTERNAL_ACCESS_DEFAULT = Constants.EXTERNAL_ACCESS_DEFAULT;
 
-
     // recognized features and properties
 
     /** Recognized features. */
@@ -307,6 +307,7 @@
 
     /** used to restrict external access */
     protected String fAccessExternalDTD = EXTERNAL_ACCESS_DEFAULT;
+
     // settings
 
     /**
@@ -324,9 +325,12 @@
      */
     protected int fBufferSize = DEFAULT_BUFFER_SIZE;
 
-    // stores defaults for entity expansion limit if it has
-    // been set on the configuration.
-    protected SecurityManager fSecurityManager = null;
+    /** Security Manager */
+    protected XMLSecurityManager fSecurityManager = null;
+
+    protected XMLLimitAnalyzer fLimitAnalyzer = null;
+
+    protected int entityExpansionIndex;
 
     /**
      * True if the document entity is standalone. This should really
@@ -352,10 +356,6 @@
     /** XML 1.1 entity scanner. */
     protected XMLEntityScanner fXML11EntityScanner;
 
-    /** entity expansion limit (contains useful data if and only if
-    fSecurityManager is non-null) */
-    protected int fEntityExpansionLimit = 0;
-
     /** count of entities expanded: */
     protected int fEntityExpansionCount = 0;
 
@@ -833,6 +833,9 @@
         fCurrentEntity.setEncodingExternallySpecified(encodingExternallySpecified);
         fEntityScanner.setCurrentEntity(fCurrentEntity);
         fResourceIdentifier.setValues(publicId, literalSystemId, baseSystemId, expandedSystemId);
+        if (fLimitAnalyzer != null) {
+            fLimitAnalyzer.startEntity(name);
+        }
         return encoding;
     } //setupCurrentEntity(String, XMLInputSource, boolean, boolean):  String
 
@@ -1294,10 +1297,13 @@
         //expansions exceeds the entity expansion limit, parser will throw fatal error.
         // Note that this represents the nesting level of open entities.
         fEntityExpansionCount++;
-        if( fSecurityManager != null && fEntityExpansionCount > fEntityExpansionLimit ){
-            fErrorReporter.reportError(XMLMessageFormatter.XML_DOMAIN,
-                                             "EntityExpansionLimitExceeded",
-                                             new Object[]{new Integer(fEntityExpansionLimit) },
+        if(fLimitAnalyzer != null) {
+           fLimitAnalyzer.addValue(entityExpansionIndex, name, 1);
+        }
+        if( fSecurityManager != null && fSecurityManager.isOverLimit(entityExpansionIndex)){
+            fSecurityManager.debugPrint();
+            fErrorReporter.reportError(XMLMessageFormatter.XML_DOMAIN,"EntityExpansionLimitExceeded",
+                    new Object[]{fSecurityManager.getLimitValueByIndex(entityExpansionIndex)},
                                              XMLErrorReporter.SEVERITY_FATAL_ERROR );
             // is there anything better to do than reset the counter?
             // at least one can envision debugging applications where this might
@@ -1361,6 +1367,12 @@
         if(fCurrentEntity != null){
             //close the reader
             try{
+                if (fLimitAnalyzer != null) {
+                    fLimitAnalyzer.endEntity(XMLSecurityManager.Limit.GENEAL_ENTITY_SIZE_LIMIT, fCurrentEntity.name);
+                    if (fCurrentEntity.name.equals("[xml]")) {
+                        fSecurityManager.debugPrint();
+                    }
+                }
                 fCurrentEntity.close();
             }catch(IOException ex){
                 throw new XNIException(ex);
@@ -1426,6 +1438,9 @@
         XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager) propertyManager.getProperty(XML_SECURITY_PROPERTY_MANAGER);
         fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
 
+        fSecurityManager = (XMLSecurityManager)propertyManager.getProperty(SECURITY_MANAGER);
+        fLimitAnalyzer = fSecurityManager.getLimitAnalyzer();
+
         // initialize state
         //fStandalone = false;
         fEntities.clear();
@@ -1485,7 +1500,9 @@
         fEntityResolver = (XMLEntityResolver)componentManager.getProperty(ENTITY_RESOLVER, null);
         fStaxEntityResolver = (StaxEntityResolverWrapper)componentManager.getProperty(STAX_ENTITY_RESOLVER, null);
         fValidationManager = (ValidationManager)componentManager.getProperty(VALIDATION_MANAGER, null);
-        fSecurityManager = (SecurityManager)componentManager.getProperty(SECURITY_MANAGER, null);
+        fSecurityManager = (XMLSecurityManager)componentManager.getProperty(SECURITY_MANAGER, null);
+        fLimitAnalyzer = fSecurityManager.getLimitAnalyzer();
+        entityExpansionIndex = fSecurityManager.getIndex(Constants.JDK_ENTITY_EXPANSION_LIMIT);
 
         // JAXP 1.5 feature
         XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager) componentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER, null);
@@ -1506,7 +1523,6 @@
     // a class acting as a component manager but not
     // implementing that interface for whatever reason.
     public void reset() {
-        fEntityExpansionLimit = (fSecurityManager != null)?fSecurityManager.getEntityExpansionLimit():0;
 
         // initialize state
         fStandalone = false;
@@ -1642,8 +1658,8 @@
             }
             if (suffixLength == Constants.SECURITY_MANAGER_PROPERTY.length() &&
                 propertyId.endsWith(Constants.SECURITY_MANAGER_PROPERTY)) {
-                fSecurityManager = (SecurityManager)value;
-                fEntityExpansionLimit = (fSecurityManager != null)?fSecurityManager.getEntityExpansionLimit():0;
+                fSecurityManager = (XMLSecurityManager)value;
+                fLimitAnalyzer = fSecurityManager.getLimitAnalyzer();
             }
         }
 
@@ -1652,9 +1668,8 @@
         {
             XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)value;
             fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
+            }
         }
-    }
-
     /**
      * Returns a list of property identifiers that are recognized by
      * this component. This method may return null if no properties
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLNSDocumentScannerImpl.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLNSDocumentScannerImpl.java	Fri Oct 11 19:49:44 2013 +0100
@@ -58,6 +58,7 @@
  * @author Neeraj Bajaj, Sun Microsystems
  * @author Venugopal Rao K, Sun Microsystems
  * @author Elena Litani, IBM
+ * @version $Id: XMLNSDocumentScannerImpl.java,v 1.11 2010-11-01 04:39:41 joehw Exp $
  */
 public class XMLNSDocumentScannerImpl
         extends XMLDocumentScannerImpl {
@@ -251,7 +252,8 @@
 
             do {
                 scanAttribute(fAttributes);
-                if (fSecurityManager != null && fAttributes.getLength() > fElementAttributeLimit){
+                if (fSecurityManager != null && (!fSecurityManager.isNoLimit(fElementAttributeLimit)) &&
+                        fAttributes.getLength() > fElementAttributeLimit){
                     fErrorReporter.reportError(XMLMessageFormatter.XML_DOMAIN,
                                                  "ElementAttributeLimit",
                                                  new Object[]{rawname, new Integer(fAttributes.getLength()) },
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLScanner.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLScanner.java	Fri Oct 11 19:49:44 2013 +0100
@@ -32,6 +32,8 @@
 import com.sun.org.apache.xerces.internal.util.XMLChar;
 import com.sun.org.apache.xerces.internal.util.XMLResourceIdentifierImpl;
 import com.sun.org.apache.xerces.internal.util.XMLStringBuffer;
+import com.sun.org.apache.xerces.internal.utils.XMLLimitAnalyzer;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.Augmentations;
 import com.sun.org.apache.xerces.internal.xni.XMLAttributes;
 import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier;
@@ -106,6 +108,9 @@
     protected static final String ENTITY_MANAGER =
             Constants.XERCES_PROPERTY_PREFIX + Constants.ENTITY_MANAGER_PROPERTY;
 
+    /** Property identifier: Security manager. */
+    private static final String SECURITY_MANAGER = Constants.SECURITY_MANAGER;
+
     // debugging
 
     /** Debug attribute normalization. */
@@ -159,6 +164,12 @@
     /** xxx this should be available from EntityManager Entity storage */
     protected XMLEntityStorage fEntityStore = null ;
 
+    /** Security manager. */
+    protected XMLSecurityManager fSecurityManager = null;
+
+    /** Limit analyzer. */
+    protected XMLLimitAnalyzer fLimitAnalyzer = null;
+
     // protected data
 
     /** event type */
@@ -256,6 +267,7 @@
         fSymbolTable = (SymbolTable)componentManager.getProperty(SYMBOL_TABLE);
         fErrorReporter = (XMLErrorReporter)componentManager.getProperty(ERROR_REPORTER);
         fEntityManager = (XMLEntityManager)componentManager.getProperty(ENTITY_MANAGER);
+        fSecurityManager = (XMLSecurityManager)componentManager.getProperty(SECURITY_MANAGER);
 
         //this step is extra because we have separated the storage of entity
         fEntityStore = fEntityManager.getEntityStore() ;
@@ -293,6 +305,10 @@
                 fEntityManager = (XMLEntityManager)value;
             }
         }
+
+        if (propertyId.equals(SECURITY_MANAGER)) {
+            fSecurityManager = (XMLSecurityManager)value;
+        }
                 /*else if(propertyId.equals(Constants.STAX_PROPERTIES)){
             fStaxProperties = (HashMap)value;
             //TODO::discuss with neeraj what are his thoughts on passing properties.
@@ -352,6 +368,8 @@
         fEntityManager = (XMLEntityManager)propertyManager.getProperty(ENTITY_MANAGER);
         fEntityStore = fEntityManager.getEntityStore() ;
         fEntityScanner = (XMLEntityScanner)fEntityManager.getEntityScanner() ;
+        fSecurityManager = (XMLSecurityManager)propertyManager.getProperty(SECURITY_MANAGER);
+
         //fEntityManager.reset();
         // DTD preparsing defaults:
         fValidation = false;
@@ -499,7 +517,7 @@
                             reportFatalError("SDDeclInvalid",  new Object[] {standalone});
                         }
                     } else {
-                        reportFatalError("EncodingDeclRequired", null);
+                        reportFatalError("SDDeclNameInvalid", null);
                     }
                     break;
                 }
@@ -510,8 +528,9 @@
             sawSpace = fEntityScanner.skipSpaces();
         }
         // restore original literal value
-        if(currLiteral)
+        if(currLiteral) {
             currEnt.literal = true;
+        }
         // REVISIT: should we remove this error reporting?
         if (scanningTextDecl && state != STATE_DONE) {
             reportFatalError("MorePseudoAttributes", null);
@@ -564,7 +583,7 @@
             XMLString value)
             throws IOException, XNIException {
 
-        String name = fEntityScanner.scanName();
+        String name = scanPseudoAttributeName();
         // XMLEntityManager.print(fEntityManager.getCurrentEntity());
 
         if (name == null) {
@@ -617,6 +636,35 @@
     } // scanPseudoAttribute(XMLString):String
 
     /**
+     * Scans the name of a pseudo attribute. The only legal names
+     * in XML 1.0/1.1 documents are 'version', 'encoding' and 'standalone'.
+     *
+     * @return the name of the pseudo attribute or <code>null</code>
+     * if a legal pseudo attribute name could not be scanned.
+     */
+    private String scanPseudoAttributeName() throws IOException, XNIException {
+        final int ch = fEntityScanner.peekChar();
+        switch (ch) {
+            case 'v':
+                if (fEntityScanner.skipString(fVersionSymbol)) {
+                    return fVersionSymbol;
+                }
+                break;
+            case 'e':
+                if (fEntityScanner.skipString(fEncodingSymbol)) {
+                    return fEncodingSymbol;
+                }
+                break;
+            case 's':
+                if (fEntityScanner.skipString(fStandaloneSymbol)) {
+                    return fStandaloneSymbol;
+                }
+                break;
+        }
+        return null;
+    } // scanPseudoAttributeName()
+
+    /**
      * Scans a processing instruction.
      * <p>
      * <pre>
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages.properties	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages.properties	Fri Oct 11 19:49:44 2013 +0100
@@ -44,6 +44,7 @@
         
 # 2.9 Standalone Document Declaration
         SDDeclInvalid = The standalone document declaration value must be \"yes\" or \"no\", not \"{0}\".
+        SDDeclNameInvalid = The standalone name in XML declaration may be misspelled.
 # 2.12 Language Identification
         XMLLangInvalid = The xml:lang attribute value \"{0}\" is an invalid language identifier.
 # 3. Logical Structures
@@ -292,8 +293,10 @@
         InvalidCharInLiteral=InvalidCharInLiteral
 
 
-#Application can set the limit of number of entities that should be expanded by the parser.
-EntityExpansionLimitExceeded=The parser has encountered more than \"{0}\" entity expansions in this document; this is the limit imposed by the application.
+# Implementation limits
+        EntityExpansionLimitExceeded=JAXP00010001: The parser has encountered more than \"{0}\" entity expansions in this document; this is the limit imposed by the JDK.
+        ElementAttributeLimit=JAXP00010002:  Element \"{0}\" has more than \"{1}\" attributes, \"{1}\" is the limit imposed by the JDK.
+        MaxEntitySizeLimit=JAXP00010003: The length of entity \"{0}\" is \"{1}\" that exceeds the \"{2}\" limit set by \"{3}\".
+        TotalEntitySizeLimit=JAXP00010004: The accumulated size \"{0}\" of entities exceeded the \"{1}\" limit set by \"{2}\".
+        MaxXMLNameLimit=JAXP00010005: The name \"{0}\" exceeded the \"{1}\" limit set by \"{2}\".
 
-# Application can set the limit of number of attributes of entity that should be expanded by the parser.
-ElementAttributeLimit= Element \"{0}\" has more than \"{1}\" attributes, \"{1}\" is the limit imposed by the application.
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/models/CMNodeFactory.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/models/CMNodeFactory.java	Fri Oct 11 19:49:44 2013 +0100
@@ -21,13 +21,13 @@
 
 package com.sun.org.apache.xerces.internal.impl.xs.models;
 
+import com.sun.org.apache.xerces.internal.impl.Constants;
 import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter;
-import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
-import com.sun.org.apache.xerces.internal.util.SecurityManager ;
 import com.sun.org.apache.xerces.internal.impl.dtd.models.CMNode;
+import com.sun.org.apache.xerces.internal.impl.xs.XSMessageFormatter;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
+import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException;
-import com.sun.org.apache.xerces.internal.impl.xs.XSMessageFormatter;
-import com.sun.org.apache.xerces.internal.impl.Constants;
 
 /**
  *
@@ -68,7 +68,7 @@
 
     // stores defaults for different security holes (maxOccurLimit in current context) if it has
     // been set on the configuration.
-    private SecurityManager fSecurityManager = null;
+    private XMLSecurityManager fSecurityManager = null;
 
     /** default constructor */
     public CMNodeFactory() {
@@ -77,10 +77,10 @@
     public void reset(XMLComponentManager componentManager){
         fErrorReporter = (XMLErrorReporter)componentManager.getProperty(ERROR_REPORTER);
         try {
-            fSecurityManager = (SecurityManager)componentManager.getProperty(SECURITY_MANAGER);
+            fSecurityManager = (XMLSecurityManager)componentManager.getProperty(SECURITY_MANAGER);
             //we are setting the limit of number of nodes to 3times the maxOccur value..
             if(fSecurityManager != null){
-                maxNodeLimit = fSecurityManager.getMaxOccurNodeLimit() * MULTIPLICITY ;
+                maxNodeLimit = fSecurityManager.getLimit(XMLSecurityManager.Limit.MAX_OCCUR_NODE_LIMIT) * MULTIPLICITY ;
             }
         }
         catch (XMLConfigurationException e) {
@@ -109,7 +109,8 @@
     }
 
     public void nodeCountCheck(){
-        if( fSecurityManager != null && nodeCount++ > maxNodeLimit){
+        if( fSecurityManager != null && !fSecurityManager.isNoLimit(maxNodeLimit) &&
+                nodeCount++ > maxNodeLimit){
             if(DEBUG){
                 System.out.println("nodeCount = " + nodeCount ) ;
                 System.out.println("nodeLimit = " + maxNodeLimit ) ;
@@ -150,8 +151,9 @@
 
             if (suffixLength == Constants.SECURITY_MANAGER_PROPERTY.length() &&
                 propertyId.endsWith(Constants.SECURITY_MANAGER_PROPERTY)) {
-                fSecurityManager = (SecurityManager)value;
-                maxNodeLimit = (fSecurityManager != null) ? fSecurityManager.getMaxOccurNodeLimit() * MULTIPLICITY : 0 ;
+                fSecurityManager = (XMLSecurityManager)value;
+                maxNodeLimit = (fSecurityManager != null) ?
+                        fSecurityManager.getLimit(XMLSecurityManager.Limit.MAX_OCCUR_NODE_LIMIT) * MULTIPLICITY : 0 ;
                 return;
             }
             if (suffixLength == Constants.ERROR_REPORTER_PROPERTY.length() &&
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSAttributeChecker.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSAttributeChecker.java	Fri Oct 11 19:49:44 2013 +0100
@@ -40,6 +40,7 @@
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
 import com.sun.org.apache.xerces.internal.util.XMLChar;
 import com.sun.org.apache.xerces.internal.util.XMLSymbols;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.QName;
 import com.sun.org.apache.xerces.internal.xs.XSConstants;
 import java.util.HashMap;
@@ -1194,8 +1195,8 @@
                     if (!optimize) {
                     //Revisit :: IMO this is not right place to check
                     // maxOccurNodeLimit.
-                    int maxOccurNodeLimit = fSchemaHandler.fSecureProcessing.getMaxOccurNodeLimit();
-                    if (max > maxOccurNodeLimit) {
+                    int maxOccurNodeLimit = fSchemaHandler.fSecureProcessing.getLimit(XMLSecurityManager.Limit.MAX_OCCUR_NODE_LIMIT);
+                    if (max > maxOccurNodeLimit && !fSchemaHandler.fSecureProcessing.isNoLimit(maxOccurNodeLimit)) {
                         reportSchemaFatalError("maxOccurLimit", new Object[] {new Integer(maxOccurNodeLimit)}, element);
 
                         // reset max values in case processing continues on error
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java	Fri Oct 11 19:49:44 2013 +0100
@@ -70,7 +70,6 @@
 import com.sun.org.apache.xerces.internal.util.DefaultErrorHandler;
 import com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper;
 import com.sun.org.apache.xerces.internal.util.SAXInputSource;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.StAXInputSource;
 import com.sun.org.apache.xerces.internal.util.StAXLocationWrapper;
 import com.sun.org.apache.xerces.internal.util.SymbolHash;
@@ -79,6 +78,7 @@
 import com.sun.org.apache.xerces.internal.util.URI.MalformedURIException;
 import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.QName;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.grammars.Grammar;
@@ -257,7 +257,7 @@
      *
      * <p>Protected to allow access by any traverser.</p>
      */
-    protected SecurityManager fSecureProcessing = null;
+    protected XMLSecurityManager fSecureProcessing = null;
 
     private String fAccessExternalSchema;
     private String fAccessExternalDTD;
@@ -3509,7 +3509,7 @@
 
         fSecureProcessing = null;
         if( componentManager!=null ) {
-            fSecureProcessing = (SecurityManager) componentManager.getProperty(SECURE_PROCESSING, null);
+            fSecureProcessing = (XMLSecurityManager) componentManager.getProperty(SECURE_PROCESSING, null);
         }
 
         //set entity resolver
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java	Fri Oct 11 19:49:44 2013 +0100
@@ -36,7 +36,7 @@
 import com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator;
 import com.sun.org.apache.xerces.internal.jaxp.validation.XSGrammarPoolContainer;
 import com.sun.org.apache.xerces.internal.parsers.DOMParser;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager.Property;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager.State;
@@ -46,7 +46,6 @@
 import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLDocumentSource;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration;
-import javax.xml.XMLConstants;
 import org.w3c.dom.DOMImplementation;
 import org.w3c.dom.Document;
 import org.xml.sax.EntityResolver;
@@ -125,6 +124,7 @@
     /** Initial EntityResolver */
     private final EntityResolver fInitEntityResolver;
 
+    private XMLSecurityManager fSecurityManager;
     private XMLSecurityPropertyManager fSecurityPropertyMgr;
 
     DocumentBuilderImpl(DocumentBuilderFactoryImpl dbf, Hashtable dbfAttrs, Hashtable features)
@@ -173,10 +173,10 @@
         fSecurityPropertyMgr = new XMLSecurityPropertyManager();
         domParser.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
 
-        // If the secure processing feature is on set a security manager.
+        fSecurityManager = new XMLSecurityManager(secureProcessing);
+        domParser.setProperty(SECURITY_MANAGER, fSecurityManager);
+
         if (secureProcessing) {
-            domParser.setProperty(SECURITY_MANAGER, new SecurityManager());
-
             /**
              * If secure processing is explicitly set on the factory, the
              * access properties will be set unless the corresponding
@@ -250,9 +250,9 @@
                 String feature = (String) entry.getKey();
                 boolean value = ((Boolean) entry.getValue()).booleanValue();
                 domParser.setFeature(feature, value);
-            }
         }
     }
+    }
 
     /**
      * Set any DocumentBuilderFactory attributes of our underlying DOMParser
@@ -303,14 +303,17 @@
                         }
                      }
                   } else {
-                    int index = fSecurityPropertyMgr.getIndex(name);
-                    if (index > -1) {
-                        fSecurityPropertyMgr.setValue(index,
-                                XMLSecurityPropertyManager.State.APIPROPERTY, (String)val);
-                    } else {
-                        // Let Xerces code handle the property
-                        domParser.setProperty(name, val);
-                    }
+                     //check if the property is managed by security manager
+                     if (fSecurityManager == null ||
+                             !fSecurityManager.setLimit(name, XMLSecurityManager.State.APIPROPERTY, val)) {
+                         //check if the property is managed by security property manager
+                         if (fSecurityPropertyMgr == null ||
+                                 !fSecurityPropertyMgr.setValue(name, XMLSecurityPropertyManager.State.APIPROPERTY, val)) {
+                             //fall back to the existing property manager
+                             domParser.setProperty(name, val);
+                         }
+                     }
+
                   }
              }
         }
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/SAXParserImpl.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/SAXParserImpl.java	Fri Oct 11 19:49:44 2013 +0100
@@ -34,9 +34,9 @@
 import com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator;
 import com.sun.org.apache.xerces.internal.jaxp.validation.XSGrammarPoolContainer;
 import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
@@ -112,6 +112,7 @@
     /** Initial EntityResolver */
     private final EntityResolver fInitEntityResolver;
 
+    private final XMLSecurityManager fSecurityManager;
     private final XMLSecurityPropertyManager fSecurityPropertyMgr;
 
     /**
@@ -130,10 +131,10 @@
     SAXParserImpl(SAXParserFactoryImpl spf, Hashtable features, boolean secureProcessing)
         throws SAXException
     {
+        fSecurityManager = new XMLSecurityManager(secureProcessing);
         fSecurityPropertyMgr = new XMLSecurityPropertyManager();
-
         // Instantiate a SAXParser directly and not through SAX so that we use the right ClassLoader
-        xmlReader = new JAXPSAXParser(this, fSecurityPropertyMgr);
+        xmlReader = new JAXPSAXParser(this, fSecurityPropertyMgr, fSecurityManager);
 
         // JAXP "namespaceAware" == SAX Namespaces feature
         // Note: there is a compatibility problem here with default values:
@@ -154,9 +155,9 @@
 
         xmlReader.setProperty0(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
 
-        // If the secure processing feature is on set a security manager.
+        xmlReader.setProperty0(SECURITY_MANAGER, fSecurityManager);
+
         if (secureProcessing) {
-            xmlReader.setProperty0(SECURITY_MANAGER, new SecurityManager());
             /**
              * By default, secure processing is set, no external access is allowed.
              * However, we need to check if it is actively set on the factory since we
@@ -164,6 +165,7 @@
              * the default value
              */
             if (features != null) {
+
                 Object temp = features.get(XMLConstants.FEATURE_SECURE_PROCESSING);
                 if (temp != null) {
                     boolean value = ((Boolean) temp).booleanValue();
@@ -398,28 +400,42 @@
         private final HashMap fInitFeatures = new HashMap();
         private final HashMap fInitProperties = new HashMap();
         private final SAXParserImpl fSAXParser;
+        private XMLSecurityManager fSecurityManager;
         private XMLSecurityPropertyManager fSecurityPropertyMgr;
 
 
         public JAXPSAXParser() {
-            this(null, null);
+            this(null, null, null);
         }
 
-        JAXPSAXParser(SAXParserImpl saxParser, XMLSecurityPropertyManager spm) {
+        JAXPSAXParser(SAXParserImpl saxParser, XMLSecurityPropertyManager securityPropertyMgr,
+                XMLSecurityManager securityManager) {
             super();
             fSAXParser = saxParser;
-            fSecurityPropertyMgr = spm;
-
+            fSecurityManager = securityManager;
+            fSecurityPropertyMgr = securityPropertyMgr;
             /**
              * This class may be used directly. So initialize the security manager if
              * it is null.
              */
+            if (fSecurityManager == null) {
+                fSecurityManager = new XMLSecurityManager(true);
+                try {
+                    super.setProperty(SECURITY_MANAGER, fSecurityManager);
+                } catch (SAXException e) {
+                    throw new UnsupportedOperationException(
+                    SAXMessageFormatter.formatMessage(fConfiguration.getLocale(),
+                    "property-not-recognized", new Object [] {SECURITY_MANAGER}), e);
+                }
+            }
             if (fSecurityPropertyMgr == null) {
                 fSecurityPropertyMgr = new XMLSecurityPropertyManager();
                 try {
                     super.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
-                } catch (Exception ex) {
-                    //shall not happen
+                } catch (SAXException e) {
+                    throw new UnsupportedOperationException(
+                    SAXMessageFormatter.formatMessage(fConfiguration.getLocale(),
+                    "property-not-recognized", new Object [] {SECURITY_MANAGER}), e);
                 }
             }
         }
@@ -437,7 +453,8 @@
             }
             if (name.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) {
                 try {
-                    setProperty(SECURITY_MANAGER, value ? new SecurityManager() : null);
+                    fSecurityManager.setSecureProcessing(value);
+                    setProperty(SECURITY_MANAGER, fSecurityManager);
                 }
                 catch (SAXNotRecognizedException exc) {
                     // If the property is not supported
@@ -473,13 +490,7 @@
                 throw new NullPointerException();
             }
             if (name.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) {
-                try {
-                    return (super.getProperty(SECURITY_MANAGER) != null);
-                }
-                // If the property is not supported the value must be false.
-                catch (SAXException exc) {
-                    return false;
-                }
+                return fSecurityManager.isSecureProcessing();
             }
             return super.getFeature(name);
         }
@@ -558,17 +569,21 @@
             if (fSAXParser != null && fSAXParser.fSchemaValidator != null) {
                 setSchemaValidatorProperty(name, value);
             }
-            /** Check to see if the property is managed by the property manager **/
-            int index = (fSecurityPropertyMgr != null) ? fSecurityPropertyMgr.getIndex(name) : -1;
-            if (index > -1) {
-                fSecurityPropertyMgr.setValue(index,
-                        XMLSecurityPropertyManager.State.APIPROPERTY, (String)value);
-            } else {
-                if (!fInitProperties.containsKey(name)) {
-                    fInitProperties.put(name, super.getProperty(name));
+
+            //check if the property is managed by security manager
+            if (fSecurityManager == null ||
+                    !fSecurityManager.setLimit(name, XMLSecurityManager.State.APIPROPERTY, value)) {
+                //check if the property is managed by security property manager
+                if (fSecurityPropertyMgr == null ||
+                        !fSecurityPropertyMgr.setValue(name, XMLSecurityPropertyManager.State.APIPROPERTY, value)) {
+                    //fall back to the existing property manager
+                    if (!fInitProperties.containsKey(name)) {
+                        fInitProperties.put(name, super.getProperty(name));
+                    }
+                    super.setProperty(name, value);
                 }
-                super.setProperty(name, value);
             }
+
         }
 
         public synchronized Object getProperty(String name)
@@ -581,9 +596,18 @@
                 // JAXP 1.2 support
                 return fSAXParser.schemaLanguage;
             }
-            int index = (fSecurityPropertyMgr != null) ? fSecurityPropertyMgr.getIndex(name) : -1;
-            if (index > -1) {
-                return fSecurityPropertyMgr.getValueByIndex(index);
+
+            /** Check to see if the property is managed by the security manager **/
+            String propertyValue = (fSecurityManager != null) ?
+                    fSecurityManager.getLimitAsString(name) : null;
+            if (propertyValue != null) {
+                return propertyValue;
+            } else {
+                propertyValue = (fSecurityPropertyMgr != null) ?
+                    fSecurityPropertyMgr.getValue(name) : null;
+                if (propertyValue != null) {
+                    return propertyValue;
+                }
             }
 
             return super.getProperty(name);
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/StAXValidatorHelper.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/StAXValidatorHelper.java	Fri Oct 11 19:49:44 2013 +0100
@@ -26,6 +26,7 @@
 package com.sun.org.apache.xerces.internal.jaxp.validation;
 
 import com.sun.org.apache.xerces.internal.impl.Constants;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import java.io.IOException;
 
 import javax.xml.transform.Result;
@@ -73,6 +74,19 @@
                     SAXTransformerFactory tf = fComponentManager.getFeature(Constants.ORACLE_FEATURE_SERVICE_MECHANISM) ?
                                     (SAXTransformerFactory)SAXTransformerFactory.newInstance()
                                     : (SAXTransformerFactory) TransformerFactory.newInstance(DEFAULT_TRANSFORMER_IMPL, StAXValidatorHelper.class.getClassLoader());
+                    XMLSecurityManager securityManager = (XMLSecurityManager)fComponentManager.getProperty(Constants.SECURITY_MANAGER);
+                    if (securityManager != null) {
+                        for (XMLSecurityManager.Limit limit : XMLSecurityManager.Limit.values()) {
+                            if (securityManager.isSet(limit.ordinal())){
+                                tf.setAttribute(limit.apiProperty(),
+                                        securityManager.getLimitValueAsString(limit));
+                            }
+                        }
+                        if (securityManager.printEntityCountInfo()) {
+                            tf.setAttribute(Constants.JDK_ENTITY_COUNT_INFO, "yes");
+                        }
+                    }
+
                     identityTransformer1 = tf.newTransformer();
                     identityTransformer2 = tf.newTransformerHandler();
                 } catch (TransformerConfigurationException e) {
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java	Fri Oct 11 19:49:44 2013 +0100
@@ -20,28 +20,27 @@
 
 package com.sun.org.apache.xerces.internal.jaxp.validation;
 
-import java.lang.ref.SoftReference;
-import java.io.IOException;
-
-import javax.xml.transform.Result;
-import javax.xml.transform.Source;
-import javax.xml.transform.sax.SAXTransformerFactory;
-import javax.xml.transform.sax.TransformerHandler;
-import javax.xml.transform.stream.StreamSource;
-import javax.xml.transform.stream.StreamResult;
-import javax.xml.transform.TransformerConfigurationException;
-import javax.xml.transform.TransformerFactory;
-import javax.xml.transform.TransformerFactoryConfigurationError;
-import javax.xml.XMLConstants;
-
 import com.sun.org.apache.xerces.internal.impl.Constants;
 import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter;
 import com.sun.org.apache.xerces.internal.impl.msg.XMLMessageFormatter;
 import com.sun.org.apache.xerces.internal.parsers.XML11Configuration;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLInputSource;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLParseException;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration;
+import java.io.IOException;
+import java.lang.ref.SoftReference;
+import javax.xml.XMLConstants;
+import javax.xml.transform.Result;
+import javax.xml.transform.Source;
+import javax.xml.transform.TransformerConfigurationException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.TransformerFactoryConfigurationError;
+import javax.xml.transform.sax.SAXTransformerFactory;
+import javax.xml.transform.sax.TransformerHandler;
+import javax.xml.transform.stream.StreamResult;
+import javax.xml.transform.stream.StreamSource;
 import org.xml.sax.SAXException;
 
 /**
@@ -86,6 +85,11 @@
         Constants.XERCES_PROPERTY_PREFIX + Constants.VALIDATION_MANAGER_PROPERTY;
 
     private static final String DEFAULT_TRANSFORMER_IMPL = "com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl";
+
+    /** Property id: security manager. */
+    private static final String SECURITY_MANAGER =
+        Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
+
     //
     // Data
     //
@@ -165,6 +169,9 @@
 
     private XMLParserConfiguration initialize() {
         XML11Configuration config = new XML11Configuration();
+        if (fComponentManager.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING)) {
+            config.setProperty(SECURITY_MANAGER, new XMLSecurityManager());
+        }
         config.setProperty(ENTITY_RESOLVER, fComponentManager.getProperty(ENTITY_RESOLVER));
         config.setProperty(ERROR_HANDLER, fComponentManager.getProperty(ERROR_HANDLER));
         XMLErrorReporter errorReporter = (XMLErrorReporter) fComponentManager.getProperty(ERROR_REPORTER);
@@ -182,6 +189,8 @@
         config.setDTDContentModelHandler(null);
         config.setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER,
                 fComponentManager.getProperty(Constants.XML_SECURITY_PROPERTY_MANAGER));
+        config.setProperty(Constants.SECURITY_MANAGER,
+                fComponentManager.getProperty(Constants.SECURITY_MANAGER));
         fConfiguration = new SoftReference(config);
         return config;
     }
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java	Fri Oct 11 19:49:44 2013 +0100
@@ -49,11 +49,11 @@
 import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
 import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.URI;
 import com.sun.org.apache.xerces.internal.util.XMLAttributesImpl;
 import com.sun.org.apache.xerces.internal.util.XMLSymbols;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.Augmentations;
 import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
 import com.sun.org.apache.xerces.internal.xni.QName;
@@ -679,10 +679,12 @@
                                     SAXParserFactory.newInstance() : new SAXParserFactoryImpl();
                     spf.setNamespaceAware(true);
                     try {
+                        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING,
+                                fComponentManager.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING));
                         reader = spf.newSAXParser().getXMLReader();
                         // If this is a Xerces SAX parser, set the security manager if there is one
                         if (reader instanceof com.sun.org.apache.xerces.internal.parsers.SAXParser) {
-                           SecurityManager securityManager = (SecurityManager) fComponentManager.getProperty(SECURITY_MANAGER);
+                           XMLSecurityManager securityManager = (XMLSecurityManager) fComponentManager.getProperty(SECURITY_MANAGER);
                            if (securityManager != null) {
                                try {
                                    reader.setProperty(SECURITY_MANAGER, securityManager);
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java	Fri Oct 11 19:49:44 2013 +0100
@@ -41,10 +41,10 @@
 import com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper;
 import com.sun.org.apache.xerces.internal.util.SAXInputSource;
 import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.StAXInputSource;
 import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.XMLGrammarPoolImpl;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.grammars.Grammar;
@@ -79,7 +79,7 @@
     private static final String XMLGRAMMAR_POOL =
         Constants.XERCES_PROPERTY_PREFIX + Constants.XMLGRAMMAR_POOL_PROPERTY;
 
-    /** Property identifier: SecurityManager. */
+    /** Property identifier: XMLSecurityManager. */
     private static final String SECURITY_MANAGER =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
 
@@ -108,7 +108,7 @@
     private ErrorHandlerWrapper fErrorHandlerWrapper;
 
     /** The SecurityManager. */
-    private SecurityManager fSecurityManager;
+    private XMLSecurityManager fSecurityManager;
 
     /** The Security property manager. */
     private XMLSecurityPropertyManager fSecurityPropertyMgr;
@@ -141,7 +141,7 @@
         fXMLSchemaLoader.setErrorHandler(fErrorHandlerWrapper);
 
         // Enable secure processing feature by default
-        fSecurityManager = new SecurityManager();
+        fSecurityManager = new XMLSecurityManager(true);
         fXMLSchemaLoader.setProperty(SECURITY_MANAGER, fSecurityManager);
 
         fSecurityPropertyMgr = new XMLSecurityPropertyManager();
@@ -301,7 +301,7 @@
                     "FeatureNameNull", null));
         }
         if (name.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) {
-            return (fSecurityManager != null);
+            return (fSecurityManager != null && fSecurityManager.isSecureProcessing());
         }
         try {
             return fXMLSchemaLoader.getFeature(name);
@@ -365,17 +365,15 @@
                         SAXMessageFormatter.formatMessage(null,
                         "jaxp-secureprocessing-feature", null));
             }
+
+            fSecurityManager.setSecureProcessing(value);
             if (value) {
-                fSecurityManager = new SecurityManager();
-
                 if (Constants.IS_JDK8_OR_ABOVE) {
                     fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD,
                             XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
                     fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA,
                             XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
                 }
-            } else {
-                fSecurityManager = null;
             }
 
             fXMLSchemaLoader.setProperty(SECURITY_MANAGER, fSecurityManager);
@@ -410,9 +408,17 @@
                     "ProperyNameNull", null));
         }
         if (name.equals(SECURITY_MANAGER)) {
-            fSecurityManager = (SecurityManager) object;
+            fSecurityManager = XMLSecurityManager.convert(object, fSecurityManager);
             fXMLSchemaLoader.setProperty(SECURITY_MANAGER, fSecurityManager);
             return;
+        } else if (name.equals(Constants.XML_SECURITY_PROPERTY_MANAGER)) {
+            if (object == null) {
+                fSecurityPropertyMgr = new XMLSecurityPropertyManager();
+            } else {
+                fSecurityPropertyMgr = (XMLSecurityPropertyManager)object;
+            }
+            fXMLSchemaLoader.setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
+            return;
         }
         else if (name.equals(XMLGRAMMAR_POOL)) {
             throw new SAXNotSupportedException(
@@ -420,12 +426,15 @@
                     "property-not-supported", new Object [] {name}));
         }
         try {
-            int index = fSecurityPropertyMgr.getIndex(name);
-            if (index > -1) {
-                fSecurityPropertyMgr.setValue(index,
-                        XMLSecurityPropertyManager.State.APIPROPERTY, (String)object);
-            } else {
-                fXMLSchemaLoader.setProperty(name, object);
+            //check if the property is managed by security manager
+            if (fSecurityManager == null ||
+                    !fSecurityManager.setLimit(name, XMLSecurityManager.State.APIPROPERTY, object)) {
+                //check if the property is managed by security property manager
+                if (fSecurityPropertyMgr == null ||
+                        !fSecurityPropertyMgr.setValue(name, XMLSecurityPropertyManager.State.APIPROPERTY, object)) {
+                    //fall back to the existing property manager
+                    fXMLSchemaLoader.setProperty(name, object);
+                }
             }
         }
         catch (XMLConfigurationException e) {
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java	Fri Oct 11 19:49:44 2013 +0100
@@ -39,10 +39,10 @@
 import com.sun.org.apache.xerces.internal.util.NamespaceSupport;
 import com.sun.org.apache.xerces.internal.util.ParserConfigurationSettings;
 import com.sun.org.apache.xerces.internal.util.PropertyState;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
@@ -181,7 +181,7 @@
     private final HashMap fInitProperties = new HashMap();
 
     /** Stores the initial security manager. */
-    private final SecurityManager fInitSecurityManager;
+    private XMLSecurityManager fInitSecurityManager;
 
     /** Stores the initial security property manager. */
     private final XMLSecurityPropertyManager fSecurityPropertyMgr;
@@ -221,12 +221,6 @@
         fComponents.put(ENTITY_RESOLVER, null);
         fComponents.put(ERROR_HANDLER, null);
 
-        if (System.getSecurityManager() != null) {
-            _isSecureMode = true;
-            setProperty(SECURITY_MANAGER, new SecurityManager());
-        } else {
-            fComponents.put(SECURITY_MANAGER, null);
-        }
         fComponents.put(SYMBOL_TABLE, new SymbolTable());
 
         // setup grammar pool
@@ -241,15 +235,21 @@
         addRecognizedParamsAndSetDefaults(fErrorReporter, grammarContainer);
         addRecognizedParamsAndSetDefaults(fSchemaValidator, grammarContainer);
 
-        // if the secure processing feature is set to true, add a security manager to the configuration
-        Boolean secureProcessing = grammarContainer.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING);
-        if (Boolean.TRUE.equals(secureProcessing)) {
-            fInitSecurityManager = new SecurityManager();
+        boolean secureProcessing = grammarContainer.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING);
+        if (System.getSecurityManager() != null) {
+            _isSecureMode = true;
+            secureProcessing = true;
         }
-        else {
-            fInitSecurityManager = null;
+
+        fInitSecurityManager = (XMLSecurityManager)
+                grammarContainer.getProperty(SECURITY_MANAGER);
+        if (fInitSecurityManager != null ) {
+            fInitSecurityManager.setSecureProcessing(secureProcessing);
+        } else {
+            fInitSecurityManager = new XMLSecurityManager(secureProcessing);
         }
-        fComponents.put(SECURITY_MANAGER, fInitSecurityManager);
+
+        setProperty(SECURITY_MANAGER, fInitSecurityManager);
 
         //pass on properties set on SchemaFactory
         fSecurityPropertyMgr = (XMLSecurityPropertyManager)
@@ -281,7 +281,7 @@
             return FeatureState.is(fUseGrammarPoolOnly);
         }
         else if (XMLConstants.FEATURE_SECURE_PROCESSING.equals(featureId)) {
-            return FeatureState.is(getProperty(SECURITY_MANAGER) != null);
+            return FeatureState.is(fInitSecurityManager.isSecureProcessing());
         }
         else if (SCHEMA_ELEMENT_DEFAULT.equals(featureId)) {
             return FeatureState.is(true); //pre-condition: VALIDATION and SCHEMA_VALIDATION are always true
@@ -311,7 +311,9 @@
             if (_isSecureMode && !value) {
                 throw new XMLConfigurationException(Status.NOT_ALLOWED, XMLConstants.FEATURE_SECURE_PROCESSING);
             }
-            setProperty(SECURITY_MANAGER, value ? new SecurityManager() : null);
+
+            fInitSecurityManager.setSecureProcessing(value);
+            setProperty(SECURITY_MANAGER, fInitSecurityManager);
 
             if (value && Constants.IS_JDK8_OR_ABOVE) {
                 fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD,
@@ -390,10 +392,19 @@
             fComponents.put(propertyId, value);
             return;
         }
-        if (!fInitProperties.containsKey(propertyId)) {
-            fInitProperties.put(propertyId, super.getProperty(propertyId));
+        //check if the property is managed by security manager
+        if (fInitSecurityManager == null ||
+                !fInitSecurityManager.setLimit(propertyId, XMLSecurityManager.State.APIPROPERTY, value)) {
+            //check if the property is managed by security property manager
+            if (fSecurityPropertyMgr == null ||
+                    !fSecurityPropertyMgr.setValue(propertyId, XMLSecurityPropertyManager.State.APIPROPERTY, value)) {
+                //fall back to the existing property manager
+                if (!fInitProperties.containsKey(propertyId)) {
+                    fInitProperties.put(propertyId, super.getProperty(propertyId));
+                }
+                super.setProperty(propertyId, value);
+            }
         }
-        super.setProperty(propertyId, value);
     }
 
     /**
--- a/jaxp/src/com/sun/org/apache/xerces/internal/parsers/AbstractSAXParser.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/parsers/AbstractSAXParser.java	Fri Oct 11 19:49:44 2013 +0100
@@ -20,18 +20,15 @@
 
 package com.sun.org.apache.xerces.internal.parsers;
 
-import java.io.IOException;
-import java.util.Locale;
-
 import com.sun.org.apache.xerces.internal.impl.Constants;
-import com.sun.org.apache.xerces.internal.util.Status;
-import com.sun.org.apache.xerces.internal.xs.PSVIProvider;
+import com.sun.org.apache.xerces.internal.util.EntityResolver2Wrapper;
 import com.sun.org.apache.xerces.internal.util.EntityResolverWrapper;
-import com.sun.org.apache.xerces.internal.util.EntityResolver2Wrapper;
 import com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper;
 import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
+import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.SymbolHash;
 import com.sun.org.apache.xerces.internal.util.XMLSymbols;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.Augmentations;
 import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
 import com.sun.org.apache.xerces.internal.xni.QName;
@@ -48,15 +45,17 @@
 import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration;
 import com.sun.org.apache.xerces.internal.xs.AttributePSVI;
 import com.sun.org.apache.xerces.internal.xs.ElementPSVI;
+import com.sun.org.apache.xerces.internal.xs.PSVIProvider;
+import java.io.IOException;
+import java.util.Locale;
+import javax.xml.XMLConstants;
 import org.xml.sax.AttributeList;
-import org.xml.sax.Attributes;
 import org.xml.sax.ContentHandler;
 import org.xml.sax.DTDHandler;
 import org.xml.sax.DocumentHandler;
 import org.xml.sax.EntityResolver;
 import org.xml.sax.ErrorHandler;
 import org.xml.sax.InputSource;
-import org.xml.sax.Locator;
 import org.xml.sax.Parser;
 import org.xml.sax.SAXException;
 import org.xml.sax.SAXNotRecognizedException;
@@ -131,6 +130,10 @@
     protected static final String DOM_NODE =
         Constants.SAX_PROPERTY_PREFIX + Constants.DOM_NODE_PROPERTY;
 
+    /** Property id: security manager. */
+    private static final String SECURITY_MANAGER =
+        Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
+
     /** Recognized properties. */
     private static final String[] RECOGNIZED_PROPERTIES = {
         LEXICAL_HANDLER,
@@ -1645,19 +1648,13 @@
                 // Drop through and perform default processing
                 //
             }
-
-            //
-            // Xerces Features
-            //
-
-            /*
-            else if (featureId.startsWith(XERCES_FEATURES_PREFIX)) {
-                String feature = featureId.substring(XERCES_FEATURES_PREFIX.length());
-                //
-                // Drop through and perform default processing
-                //
+            else if (featureId.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) {
+                if (state) {
+                    if (fConfiguration.getProperty(SECURITY_MANAGER )==null) {
+                        fConfiguration.setProperty(SECURITY_MANAGER, new XMLSecurityManager());
+                    }
+                }
             }
-            */
 
             //
             // Default handling
--- a/jaxp/src/com/sun/org/apache/xerces/internal/parsers/DOMParser.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/parsers/DOMParser.java	Fri Oct 11 19:49:44 2013 +0100
@@ -29,6 +29,7 @@
 import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
 import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarPool;
@@ -531,7 +532,54 @@
      */
     public void setProperty(String propertyId, Object value)
         throws SAXNotRecognizedException, SAXNotSupportedException {
+        /**
+         * It's possible for users to set a security manager through the interface.
+         * If it's the old SecurityManager, convert it to the new XMLSecurityManager
+         */
+        if (propertyId.equals(Constants.SECURITY_MANAGER)) {
+            securityManager = XMLSecurityManager.convert(value, securityManager);
+            setProperty0(Constants.SECURITY_MANAGER, securityManager);
+            return;
+        }
+        if (propertyId.equals(Constants.XML_SECURITY_PROPERTY_MANAGER)) {
+            if (value == null) {
+                securityPropertyManager = new XMLSecurityPropertyManager();
+            } else {
+                securityPropertyManager = (XMLSecurityPropertyManager)value;
+            }
+            setProperty0(Constants.XML_SECURITY_PROPERTY_MANAGER, securityPropertyManager);
+            return;
+        }
 
+        if (securityManager == null) {
+            securityManager = new XMLSecurityManager(true);
+            setProperty0(Constants.SECURITY_MANAGER, securityManager);
+        }
+
+        if (securityPropertyManager == null) {
+            securityPropertyManager = new XMLSecurityPropertyManager();
+            setProperty0(Constants.XML_SECURITY_PROPERTY_MANAGER, securityPropertyManager);
+        }
+        int index = securityPropertyManager.getIndex(propertyId);
+
+        if (index > -1) {
+            /**
+             * this is a direct call to this parser, not a subclass since
+             * internally the support of this property is done through
+             * XMLSecurityPropertyManager
+             */
+            securityPropertyManager.setValue(index, XMLSecurityPropertyManager.State.APIPROPERTY, (String)value);
+        } else {
+            //check if the property is managed by security manager
+            if (!securityManager.setLimit(propertyId, XMLSecurityManager.State.APIPROPERTY, value)) {
+                //fall back to the default configuration to handle the property
+                setProperty0(propertyId, value);
+            }
+        }
+    }
+
+    public void setProperty0(String propertyId, Object value)
+        throws SAXNotRecognizedException, SAXNotSupportedException {
         try {
             fConfiguration.setProperty(propertyId, value);
         }
--- a/jaxp/src/com/sun/org/apache/xerces/internal/parsers/DTDConfiguration.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/parsers/DTDConfiguration.java	Fri Oct 11 19:49:44 2013 +0100
@@ -185,9 +185,12 @@
     protected static final String LOCALE =
         Constants.XERCES_PROPERTY_PREFIX + Constants.LOCALE_PROPERTY;
 
-    /** Property identifier: Security property manager. */
-    protected static final String XML_SECURITY_PROPERTY_MANAGER =
-            Constants.XML_SECURITY_PROPERTY_MANAGER;
+      /** Property identifier: Security property manager. */
+      protected static final String XML_SECURITY_PROPERTY_MANAGER =
+              Constants.XML_SECURITY_PROPERTY_MANAGER;
+
+     /** Property identifier: Security manager. */
+     private static final String SECURITY_MANAGER = Constants.SECURITY_MANAGER;
 
     // debugging
 
@@ -334,6 +337,7 @@
             JAXP_SCHEMA_SOURCE,
             JAXP_SCHEMA_LANGUAGE,
             LOCALE,
+            SECURITY_MANAGER,
             XML_SECURITY_PROPERTY_MANAGER
         };
         addRecognizedProperties(recognizedProperties);
--- a/jaxp/src/com/sun/org/apache/xerces/internal/parsers/NonValidatingConfiguration.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/parsers/NonValidatingConfiguration.java	Fri Oct 11 19:49:44 2013 +0100
@@ -158,9 +158,12 @@
     protected static final String LOCALE =
         Constants.XERCES_PROPERTY_PREFIX + Constants.LOCALE_PROPERTY;
 
-    /** Property identifier: Security property manager. */
-    protected static final String XML_SECURITY_PROPERTY_MANAGER =
-            Constants.XML_SECURITY_PROPERTY_MANAGER;
+      /** Property identifier: Security property manager. */
+      protected static final String XML_SECURITY_PROPERTY_MANAGER =
+              Constants.XML_SECURITY_PROPERTY_MANAGER;
+
+     /** Property identifier: Security manager. */
+     private static final String SECURITY_MANAGER = Constants.SECURITY_MANAGER;
 
     // debugging
 
@@ -316,6 +319,7 @@
             DATATYPE_VALIDATOR_FACTORY,
             VALIDATION_MANAGER,
             LOCALE,
+            SECURITY_MANAGER,
             XML_SECURITY_PROPERTY_MANAGER
         };
         addRecognizedProperties(recognizedProperties);
--- a/jaxp/src/com/sun/org/apache/xerces/internal/parsers/SAXParser.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/parsers/SAXParser.java	Fri Oct 11 19:49:44 2013 +0100
@@ -22,6 +22,7 @@
 
 import com.sun.org.apache.xerces.internal.impl.Constants;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarPool;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration;
@@ -76,7 +77,7 @@
         XMLGRAMMAR_POOL,
     };
 
-    XMLSecurityPropertyManager securityPropertyManager;
+
     //
     // Constructors
     //
@@ -130,11 +131,36 @@
      */
     public void setProperty(String name, Object value)
         throws SAXNotRecognizedException, SAXNotSupportedException {
+        /**
+         * It's possible for users to set a security manager through the interface.
+         * If it's the old SecurityManager, convert it to the new XMLSecurityManager
+         */
+        if (name.equals(Constants.SECURITY_MANAGER)) {
+            securityManager = XMLSecurityManager.convert(value, securityManager);
+            super.setProperty(Constants.SECURITY_MANAGER, securityManager);
+            return;
+        }
+        if (name.equals(Constants.XML_SECURITY_PROPERTY_MANAGER)) {
+            if (value == null) {
+                securityPropertyManager = new XMLSecurityPropertyManager();
+            } else {
+                securityPropertyManager = (XMLSecurityPropertyManager)value;
+            }
+            super.setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER, securityPropertyManager);
+            return;
+        }
+
+        if (securityManager == null) {
+            securityManager = new XMLSecurityManager(true);
+            super.setProperty(Constants.SECURITY_MANAGER, securityManager);
+        }
+
         if (securityPropertyManager == null) {
             securityPropertyManager = new XMLSecurityPropertyManager();
+            super.setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER, securityPropertyManager);
         }
+
         int index = securityPropertyManager.getIndex(name);
-
         if (index > -1) {
             /**
              * this is a direct call to this parser, not a subclass since
@@ -142,9 +168,12 @@
              * XMLSecurityPropertyManager
              */
             securityPropertyManager.setValue(index, XMLSecurityPropertyManager.State.APIPROPERTY, (String)value);
-            super.setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER, securityPropertyManager);
         } else {
-            super.setProperty(name, value);
+            //check if the property is managed by security manager
+            if (!securityManager.setLimit(name, XMLSecurityManager.State.APIPROPERTY, value)) {
+                //fall back to the default configuration to handle the property
+                super.setProperty(name, value);
+            }
         }
     }
 } // class SAXParser
--- a/jaxp/src/com/sun/org/apache/xerces/internal/parsers/SecurityConfiguration.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/parsers/SecurityConfiguration.java	Fri Oct 11 19:49:44 2013 +0100
@@ -23,8 +23,8 @@
 import com.sun.org.apache.xerces.internal.impl.Constants;
 import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarPool;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 
 /**
  * This configuration allows Xerces to behave in a security-conscious manner; that is,
@@ -44,6 +44,7 @@
  *
  * @author Neil Graham, IBM
  *
+ * @version $Id: SecurityConfiguration.java,v 1.6 2010-11-01 04:40:09 joehw Exp $
  */
 public class SecurityConfiguration extends XIncludeAwareParserConfiguration
 {
@@ -107,7 +108,7 @@
         super(symbolTable, grammarPool, parentSettings);
 
         // create the SecurityManager property:
-        setProperty(SECURITY_MANAGER_PROPERTY, new SecurityManager());
+        setProperty(SECURITY_MANAGER_PROPERTY, new XMLSecurityManager(true));
     } // <init>(SymbolTable,XMLGrammarPool)
 
 } // class SecurityConfiguration
--- a/jaxp/src/com/sun/org/apache/xerces/internal/parsers/XML11Configuration.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/parsers/XML11Configuration.java	Fri Oct 11 19:49:44 2013 +0100
@@ -52,6 +52,7 @@
 import com.sun.org.apache.xerces.internal.util.ParserConfigurationSettings;
 import com.sun.org.apache.xerces.internal.util.PropertyState;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.XMLDTDContentModelHandler;
 import com.sun.org.apache.xerces.internal.xni.XMLDTDHandler;
@@ -279,6 +280,8 @@
     private static final String XML_SECURITY_PROPERTY_MANAGER =
             Constants.XML_SECURITY_PROPERTY_MANAGER;
 
+    /** Property identifier: Security manager. */
+    private static final String SECURITY_MANAGER = Constants.SECURITY_MANAGER;
 
     // debugging
 
@@ -449,26 +452,26 @@
         XMLGrammarPool grammarPool,
         XMLComponentManager parentSettings) {
 
-                super(parentSettings);
+        super(parentSettings);
 
-                // create a vector to hold all the components in use
-                // XML 1.0 specialized components
-                fComponents = new ArrayList();
-                // XML 1.1 specialized components
-                fXML11Components = new ArrayList();
-                // Common components for XML 1.1. and XML 1.0
-                fCommonComponents = new ArrayList();
+        // create a vector to hold all the components in use
+        // XML 1.0 specialized components
+        fComponents = new ArrayList();
+        // XML 1.1 specialized components
+        fXML11Components = new ArrayList();
+        // Common components for XML 1.1. and XML 1.0
+        fCommonComponents = new ArrayList();
 
-                // create table for features and properties
-                fFeatures = new HashMap();
-                fProperties = new HashMap();
+        // create table for features and properties
+        fFeatures = new HashMap();
+        fProperties = new HashMap();
 
         // add default recognized features
         final String[] recognizedFeatures =
             {
                 CONTINUE_AFTER_FATAL_ERROR, LOAD_EXTERNAL_DTD, // from XMLDTDScannerImpl
-                                VALIDATION,
-                                NAMESPACES,
+                VALIDATION,
+                NAMESPACES,
                 NORMALIZE_DATA, SCHEMA_ELEMENT_DEFAULT, SCHEMA_AUGMENT_PSVI,
                 GENERATE_SYNTHETIC_ANNOTATIONS, VALIDATE_ANNOTATIONS,
                 HONOUR_ALL_SCHEMALOCATIONS, NAMESPACE_GROWTH,
@@ -479,47 +482,47 @@
                 //       features might not have been set and it would cause a
                 //       not-recognized exception to be thrown. -Ac
                 XMLSCHEMA_VALIDATION, XMLSCHEMA_FULL_CHECKING,
-                                EXTERNAL_GENERAL_ENTITIES,
-                                EXTERNAL_PARAMETER_ENTITIES,
-                                PARSER_SETTINGS,
-                                XMLConstants.FEATURE_SECURE_PROCESSING
+                EXTERNAL_GENERAL_ENTITIES,
+                EXTERNAL_PARAMETER_ENTITIES,
+                PARSER_SETTINGS,
+                XMLConstants.FEATURE_SECURE_PROCESSING
                         };
         addRecognizedFeatures(recognizedFeatures);
-                // set state for default features
-                fFeatures.put(VALIDATION, Boolean.FALSE);
-                fFeatures.put(NAMESPACES, Boolean.TRUE);
-                fFeatures.put(EXTERNAL_GENERAL_ENTITIES, Boolean.TRUE);
-                fFeatures.put(EXTERNAL_PARAMETER_ENTITIES, Boolean.TRUE);
-                fFeatures.put(CONTINUE_AFTER_FATAL_ERROR, Boolean.FALSE);
-                fFeatures.put(LOAD_EXTERNAL_DTD, Boolean.TRUE);
-                fFeatures.put(SCHEMA_ELEMENT_DEFAULT, Boolean.TRUE);
-                fFeatures.put(NORMALIZE_DATA, Boolean.TRUE);
-                fFeatures.put(SCHEMA_AUGMENT_PSVI, Boolean.TRUE);
-                fFeatures.put(GENERATE_SYNTHETIC_ANNOTATIONS, Boolean.FALSE);
-                fFeatures.put(VALIDATE_ANNOTATIONS, Boolean.FALSE);
-                fFeatures.put(HONOUR_ALL_SCHEMALOCATIONS, Boolean.FALSE);
-                fFeatures.put(NAMESPACE_GROWTH, Boolean.FALSE);
-                fFeatures.put(TOLERATE_DUPLICATES, Boolean.FALSE);
-                fFeatures.put(USE_GRAMMAR_POOL_ONLY, Boolean.FALSE);
-                fFeatures.put(PARSER_SETTINGS, Boolean.TRUE);
-                fFeatures.put(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+        // set state for default features
+        fFeatures.put(VALIDATION, Boolean.FALSE);
+        fFeatures.put(NAMESPACES, Boolean.TRUE);
+        fFeatures.put(EXTERNAL_GENERAL_ENTITIES, Boolean.TRUE);
+        fFeatures.put(EXTERNAL_PARAMETER_ENTITIES, Boolean.TRUE);
+        fFeatures.put(CONTINUE_AFTER_FATAL_ERROR, Boolean.FALSE);
+        fFeatures.put(LOAD_EXTERNAL_DTD, Boolean.TRUE);
+        fFeatures.put(SCHEMA_ELEMENT_DEFAULT, Boolean.TRUE);
+        fFeatures.put(NORMALIZE_DATA, Boolean.TRUE);
+        fFeatures.put(SCHEMA_AUGMENT_PSVI, Boolean.TRUE);
+        fFeatures.put(GENERATE_SYNTHETIC_ANNOTATIONS, Boolean.FALSE);
+        fFeatures.put(VALIDATE_ANNOTATIONS, Boolean.FALSE);
+        fFeatures.put(HONOUR_ALL_SCHEMALOCATIONS, Boolean.FALSE);
+        fFeatures.put(NAMESPACE_GROWTH, Boolean.FALSE);
+        fFeatures.put(TOLERATE_DUPLICATES, Boolean.FALSE);
+        fFeatures.put(USE_GRAMMAR_POOL_ONLY, Boolean.FALSE);
+        fFeatures.put(PARSER_SETTINGS, Boolean.TRUE);
+        fFeatures.put(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
 
         // add default recognized properties
         final String[] recognizedProperties =
             {
-                SYMBOL_TABLE,
-                ERROR_HANDLER,
-                ENTITY_RESOLVER,
+                                SYMBOL_TABLE,
+                                ERROR_HANDLER,
+                                ENTITY_RESOLVER,
                 ERROR_REPORTER,
                 ENTITY_MANAGER,
                 DOCUMENT_SCANNER,
                 DTD_SCANNER,
                 DTD_PROCESSOR,
                 DTD_VALIDATOR,
-                DATATYPE_VALIDATOR_FACTORY,
-                VALIDATION_MANAGER,
-                SCHEMA_VALIDATOR,
-                XML_STRING,
+                                DATATYPE_VALIDATOR_FACTORY,
+                                VALIDATION_MANAGER,
+                                SCHEMA_VALIDATOR,
+                                XML_STRING,
                 XMLGRAMMAR_POOL,
                 JAXP_SCHEMA_SOURCE,
                 JAXP_SCHEMA_LANGUAGE,
@@ -531,19 +534,20 @@
                 SCHEMA_NONS_LOCATION,
                 LOCALE,
                 SCHEMA_DV_FACTORY,
+                SECURITY_MANAGER,
                 XML_SECURITY_PROPERTY_MANAGER
         };
         addRecognizedProperties(recognizedProperties);
 
-        if (symbolTable == null) {
-                symbolTable = new SymbolTable();
-        }
-        fSymbolTable = symbolTable;
-        fProperties.put(SYMBOL_TABLE, fSymbolTable);
+                if (symbolTable == null) {
+                        symbolTable = new SymbolTable();
+                }
+                fSymbolTable = symbolTable;
+                fProperties.put(SYMBOL_TABLE, fSymbolTable);
 
         fGrammarPool = grammarPool;
         if (fGrammarPool != null) {
-            fProperties.put(XMLGRAMMAR_POOL, fGrammarPool);
+                        fProperties.put(XMLGRAMMAR_POOL, fGrammarPool);
         }
 
         fEntityManager = new XMLEntityManager();
@@ -579,8 +583,6 @@
 
         fVersionDetector = new XMLVersionDetector();
 
-        fProperties.put(XML_SECURITY_PROPERTY_MANAGER, new XMLSecurityPropertyManager());
-
         // add message formatters
         if (fErrorReporter.getMessageFormatter(XMLMessageFormatter.XML_DOMAIN) == null) {
             XMLMessageFormatter xmft = new XMLMessageFormatter();
--- a/jaxp/src/com/sun/org/apache/xerces/internal/parsers/XMLParser.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/parsers/XMLParser.java	Fri Oct 11 19:49:44 2013 +0100
@@ -23,6 +23,8 @@
 import java.io.IOException;
 
 import com.sun.org.apache.xerces.internal.impl.Constants;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLInputSource;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration;
@@ -78,6 +80,13 @@
     /** The parser configuration. */
     protected XMLParserConfiguration fConfiguration;
 
+    /** The XML Security Manager. */
+    XMLSecurityManager securityManager;
+
+    /** The XML Security Property Manager. */
+    XMLSecurityPropertyManager securityPropertyManager;
+
+
     //
     // Constructors
     //
@@ -118,6 +127,15 @@
      */
     public void parse(XMLInputSource inputSource)
         throws XNIException, IOException {
+        // null indicates that the parser is called directly, initialize them
+        if (securityManager == null) {
+            securityManager = new XMLSecurityManager(true);
+            fConfiguration.setProperty(Constants.SECURITY_MANAGER, securityManager);
+        }
+        if (securityPropertyManager == null) {
+            securityPropertyManager = new XMLSecurityPropertyManager();
+            fConfiguration.setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER, securityPropertyManager);
+        }
 
         reset();
         fConfiguration.parse(inputSource);
--- a/jaxp/src/com/sun/org/apache/xerces/internal/util/SecurityManager.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/util/SecurityManager.java	Fri Oct 11 19:49:44 2013 +0100
@@ -61,8 +61,6 @@
 
 package com.sun.org.apache.xerces.internal.util;
 import com.sun.org.apache.xerces.internal.impl.Constants;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 /**
  * This class is a container for parser settings that relate to
  * security, or more specifically, it is intended to be used to prevent denial-of-service
@@ -79,7 +77,6 @@
  *
  * @author  Neil Graham, IBM
  *
- * @version $Id: SecurityManager.java,v 1.5 2010-11-01 04:40:14 joehw Exp $
  */
 public final class SecurityManager {
 
@@ -179,48 +176,40 @@
 
         private void readSystemProperties(){
 
-            //TODO: also read SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT
-            try {
-                    String value = getSystemProperty(Constants.ENTITY_EXPANSION_LIMIT);
-                    if(value != null && !value.equals("")){
-                            entityExpansionLimit = Integer.parseInt(value);
-                            if (entityExpansionLimit < 0)
-                                    entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
-                    }
-                    else
-                            entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
-            }catch(Exception ex){}
+                try {
+                        String value = System.getProperty(Constants.ENTITY_EXPANSION_LIMIT);
+                        if(value != null && !value.equals("")){
+                                entityExpansionLimit = Integer.parseInt(value);
+                                if (entityExpansionLimit < 0)
+                                        entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
+                        }
+                        else
+                                entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
+                }catch(Exception ex){}
 
-            try {
-                    String value = getSystemProperty(Constants.MAX_OCCUR_LIMIT);
-                    if(value != null && !value.equals("")){
-                            maxOccurLimit = Integer.parseInt(value);
-                            if (maxOccurLimit < 0)
-                                    maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT;
-                    }
-                    else
-                            maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT;
-            }catch(Exception ex){}
+                try {
+                        String value = System.getProperty(Constants.MAX_OCCUR_LIMIT);
+                        if(value != null && !value.equals("")){
+                                maxOccurLimit = Integer.parseInt(value);
+                                if (maxOccurLimit < 0)
+                                        maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT;
+                        }
+                        else
+                                maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT;
+                }catch(Exception ex){}
 
-            try {
-                    String value = getSystemProperty(Constants.SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT);
-                    if(value != null && !value.equals("")){
-                            fElementAttributeLimit = Integer.parseInt(value);
-                            if ( fElementAttributeLimit < 0)
-                                    fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
-                    }
-                    else
-                            fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
+                try {
+                        String value = System.getProperty(Constants.ELEMENT_ATTRIBUTE_LIMIT);
+                        if(value != null && !value.equals("")){
+                                fElementAttributeLimit = Integer.parseInt(value);
+                                if ( fElementAttributeLimit < 0)
+                                        fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
+                        }
+                        else
+                                fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
 
                 }catch(Exception ex){}
 
         }
 
-    private String getSystemProperty(final String propName) {
-        return AccessController.doPrivileged(new PrivilegedAction<String>() {
-            public String run() {
-                return System.getProperty(propName);
-            }
-        });
-    }
 } // class SecurityManager
--- a/jaxp/src/com/sun/org/apache/xerces/internal/util/SymbolTable.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/util/SymbolTable.java	Fri Oct 11 19:49:44 2013 +0100
@@ -173,7 +173,7 @@
         for (int i = 0; i < length; i++) {
             code = code * 37 + symbol.charAt(i);
         }
-        return code & 0x7FFFFFF;
+        return code & 0x7FFFFFFF;
 
     } // hash(String):int
 
@@ -194,7 +194,7 @@
         for (int i = 0; i < length; i++) {
             code = code * 37 + buffer[offset + i];
         }
-        return code & 0x7FFFFFF;
+        return code & 0x7FFFFFFF;
 
     } // hash(char[],int,int):int
 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/utils/XMLLimitAnalyzer.java	Fri Oct 11 19:49:44 2013 +0100
@@ -0,0 +1,239 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+ *
+ * Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved.
+ *
+ * The contents of this file are subject to the terms of either the GNU
+ * General Public License Version 2 only ("GPL") or the Common Development
+ * and Distribution License("CDDL") (collectively, the "License").  You
+ * may not use this file except in compliance with the License.  You can
+ * obtain a copy of the License at
+ * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
+ * or packager/legal/LICENSE.txt.  See the License for the specific
+ * language governing permissions and limitations under the License.
+ *
+ * When distributing the software, include this License Header Notice in each
+ * file and include the License file at packager/legal/LICENSE.txt.
+ *
+ * GPL Classpath Exception:
+ * Oracle designates this particular file as subject to the "Classpath"
+ * exception as provided by Oracle in the GPL Version 2 section of the License
+ * file that accompanied this code.
+ *
+ * Modifications:
+ * If applicable, add the following below the License Header, with the fields
+ * enclosed by brackets [] replaced by your own identifying information:
+ * "Portions Copyright [year] [name of copyright owner]"
+ *
+ * Contributor(s):
+ * If you wish your version of this file to be governed by only the CDDL or
+ * only the GPL Version 2, indicate your decision by adding "[Contributor]
+ * elects to include this software in this distribution under the [CDDL or GPL
+ * Version 2] license."  If you don't indicate a single choice of license, a
+ * recipient has the option to distribute your version of this file under
+ * either the CDDL, the GPL Version 2 or to extend the choice of license to
+ * its licensees as provided above.  However, if you add GPL Version 2 code
+ * and therefore, elected the GPL Version 2 license, then the option applies
+ * only if the new code is made subject to such option by the copyright
+ * holder.
+ */
+package com.sun.org.apache.xerces.internal.utils;
+
+import com.sun.org.apache.xerces.internal.impl.Constants;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager.Limit;
+import java.util.Formatter;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * A helper for analyzing entity expansion limits
+ *
+ * @author Joe Wang Oracle Corp.
+ *
+ */
+public final class XMLLimitAnalyzer {
+
+    /**
+     * Map old property names with the new ones
+     */
+    public static enum NameMap {
+        ENTITY_EXPANSION_LIMIT(Constants.SP_ENTITY_EXPANSION_LIMIT, Constants.ENTITY_EXPANSION_LIMIT),
+        MAX_OCCUR_NODE_LIMIT(Constants.SP_MAX_OCCUR_LIMIT, Constants.MAX_OCCUR_LIMIT),
+        ELEMENT_ATTRIBUTE_LIMIT(Constants.SP_ELEMENT_ATTRIBUTE_LIMIT, Constants.ELEMENT_ATTRIBUTE_LIMIT);
+
+        final String newName;
+        final String oldName;
+
+        NameMap(String newName, String oldName) {
+            this.newName = newName;
+            this.oldName = oldName;
+        }
+
+        String getOldName(String newName) {
+            if (newName.equals(this.newName)) {
+                return oldName;
+            }
+            return null;
+        }
+    }
+
+    private XMLSecurityManager securityManager;
+    /**
+     * Max value accumulated for each property
+     */
+    private final int[] values;
+    /**
+     * Names of the entities corresponding to their max values
+     */
+    private final String[] names;
+    /**
+     * Total value of accumulated entities
+     */
+    private final int[] totalValue;
+
+    /**
+     * Maintain values of the top 10 elements in the process of parsing
+     */
+    private final Map[] caches;
+
+    private String entityStart, entityEnd;
+    /**
+     * Default constructor. Establishes default values for known security
+     * vulnerabilities.
+     */
+    public XMLLimitAnalyzer(XMLSecurityManager securityManager) {
+        this.securityManager = securityManager;
+        values = new int[Limit.values().length];
+        totalValue = new int[Limit.values().length];
+        names = new String[Limit.values().length];
+        caches = new Map[Limit.values().length];
+    }
+
+    /**
+     * Add the value to the current max count for the specified property
+     * To find the max value of all entities, set no limit
+     *
+     * @param limit the type of the property
+     * @param entityName the name of the entity
+     * @param value the value of the entity
+     */
+    public void addValue(Limit limit, String entityName, int value) {
+        addValue(limit.ordinal(), entityName, value);
+    }
+
+    /**
+     * Add the value to the current count by the index of the property
+     * @param index the index of the property
+     * @param entityName the name of the entity
+     * @param value the value of the entity
+     */
+    public void addValue(int index, String entityName, int value) {
+        if (index == Limit.ENTITY_EXPANSION_LIMIT.ordinal() ||
+                index == Limit.MAX_OCCUR_NODE_LIMIT.ordinal() ||
+                index == Limit.ELEMENT_ATTRIBUTE_LIMIT.ordinal()) {
+            totalValue[index] += value;
+            return;
+        }
+
+        Map<String, Integer> cache;
+        if (caches[index] == null) {
+            cache = new HashMap<String, Integer>(10);
+            caches[index] = cache;
+        } else {
+            cache = caches[index];
+        }
+
+        int accumulatedValue = value;
+        if (cache.containsKey(entityName)) {
+            accumulatedValue += cache.get(entityName).intValue();
+            cache.put(entityName, Integer.valueOf(accumulatedValue));
+        } else {
+            cache.put(entityName, Integer.valueOf(value));
+        }
+
+        if (accumulatedValue > values[index]) {
+            values[index] = accumulatedValue;
+            names[index] = entityName;
+        }
+
+
+        if (index == Limit.GENEAL_ENTITY_SIZE_LIMIT.ordinal() ||
+                index == Limit.PARAMETER_ENTITY_SIZE_LIMIT.ordinal()) {
+            totalValue[Limit.TOTAL_ENTITY_SIZE_LIMIT.ordinal()] += value;
+        }
+    }
+
+    /**
+     * Return the value of the current max count for the specified property
+     *
+     * @param limit the property
+     * @return the value of the property
+     */
+    public int getValue(Limit limit) {
+        return values[limit.ordinal()];
+    }
+
+    public int getValue(int index) {
+        return values[index];
+    }
+    /**
+     * Return the total value accumulated so far
+     *
+     * @param limit the property
+     * @return the accumulated value of the property
+     */
+    public int getTotalValue(Limit limit) {
+        return totalValue[limit.ordinal()];
+    }
+
+    public int getTotalValue(int index) {
+        return totalValue[index];
+    }
+    /**
+     * Return the current max value (count or length) by the index of a property
+     * @param index the index of a property
+     * @return count of a property
+     */
+    public int getValueByIndex(int index) {
+        return values[index];
+    }
+
+    public void startEntity(String name) {
+        entityStart = name;
+    }
+
+    public boolean isTracking(String name) {
+        if (entityStart == null) {
+            return false;
+        }
+        return entityStart.equals(name);
+    }
+    /**
+     * Stop tracking the entity
+     * @param limit the limit property
+     * @param name the name of an entity
+     */
+    public void endEntity(Limit limit, String name) {
+        entityStart = "";
+        Map<String, Integer> cache = caches[limit.ordinal()];
+        if (cache != null) {
+            cache.remove(name);
+        }
+    }
+
+    public void debugPrint() {
+        Formatter formatter = new Formatter();
+        System.out.println(formatter.format("%30s %15s %15s %15s %30s",
+                "Property","Limit","Total size","Size","Entity Name"));
+
+        for (Limit limit : Limit.values()) {
+            formatter = new Formatter();
+            System.out.println(formatter.format("%30s %15d %15d %15d %30s",
+                    limit.name(),
+                    securityManager.getLimit(limit),
+                    totalValue[limit.ordinal()],
+                    values[limit.ordinal()],
+                    names[limit.ordinal()]));
+        }
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/utils/XMLSecurityManager.java	Fri Oct 11 19:49:44 2013 +0100
@@ -0,0 +1,555 @@
+/*
+ * Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package com.sun.org.apache.xerces.internal.utils;
+
+import com.sun.org.apache.xerces.internal.impl.Constants;
+import com.sun.org.apache.xerces.internal.util.SecurityManager;
+
+/**
+ * This class manages standard and implementation-specific limitations.
+ *
+ */
+public final class XMLSecurityManager {
+
+    /**
+     * States of the settings of a property, in the order: default value, value
+     * set by FEATURE_SECURE_PROCESSING, jaxp.properties file, jaxp system
+     * properties, and jaxp api properties
+     */
+    public static enum State {
+        //this order reflects the overriding order
+
+        DEFAULT("default"), FSP("FEATURE_SECURE_PROCESSING"),
+        JAXPDOTPROPERTIES("jaxp.properties"), SYSTEMPROPERTY("system property"),
+        APIPROPERTY("property");
+
+        final String literal;
+        State(String literal) {
+            this.literal = literal;
+        }
+
+        String literal() {
+            return literal;
+        }
+    }
+
+    /**
+     * Limits managed by the security manager
+     */
+    public static enum Limit {
+
+        ENTITY_EXPANSION_LIMIT(Constants.JDK_ENTITY_EXPANSION_LIMIT, Constants.SP_ENTITY_EXPANSION_LIMIT, 0, 64000),
+        MAX_OCCUR_NODE_LIMIT(Constants.JDK_MAX_OCCUR_LIMIT, Constants.SP_MAX_OCCUR_LIMIT, 0, 5000),
+        ELEMENT_ATTRIBUTE_LIMIT(Constants.JDK_ELEMENT_ATTRIBUTE_LIMIT, Constants.SP_ELEMENT_ATTRIBUTE_LIMIT, 0, 10000),
+        TOTAL_ENTITY_SIZE_LIMIT(Constants.JDK_TOTAL_ENTITY_SIZE_LIMIT, Constants.SP_TOTAL_ENTITY_SIZE_LIMIT, 0, 50000000),
+        GENEAL_ENTITY_SIZE_LIMIT(Constants.JDK_GENEAL_ENTITY_SIZE_LIMIT, Constants.SP_GENEAL_ENTITY_SIZE_LIMIT, 0, 0),
+        PARAMETER_ENTITY_SIZE_LIMIT(Constants.JDK_PARAMETER_ENTITY_SIZE_LIMIT, Constants.SP_PARAMETER_ENTITY_SIZE_LIMIT, 0, 1000000);
+
+        final String apiProperty;
+        final String systemProperty;
+        final int defaultValue;
+        final int secureValue;
+
+        Limit(String apiProperty, String systemProperty, int value, int secureValue) {
+            this.apiProperty = apiProperty;
+            this.systemProperty = systemProperty;
+            this.defaultValue = value;
+            this.secureValue = secureValue;
+        }
+
+        public boolean equalsAPIPropertyName(String propertyName) {
+            return (propertyName == null) ? false : apiProperty.equals(propertyName);
+        }
+
+        public boolean equalsSystemPropertyName(String propertyName) {
+            return (propertyName == null) ? false : systemProperty.equals(propertyName);
+        }
+
+        public String apiProperty() {
+            return apiProperty;
+        }
+
+        String systemProperty() {
+            return systemProperty;
+        }
+
+        int defaultValue() {
+            return defaultValue;
+        }
+
+        int secureValue() {
+            return secureValue;
+        }
+    }
+
+    /**
+     * Map old property names with the new ones
+     */
+    public static enum NameMap {
+
+        ENTITY_EXPANSION_LIMIT(Constants.SP_ENTITY_EXPANSION_LIMIT, Constants.ENTITY_EXPANSION_LIMIT),
+        MAX_OCCUR_NODE_LIMIT(Constants.SP_MAX_OCCUR_LIMIT, Constants.MAX_OCCUR_LIMIT),
+        ELEMENT_ATTRIBUTE_LIMIT(Constants.SP_ELEMENT_ATTRIBUTE_LIMIT, Constants.ELEMENT_ATTRIBUTE_LIMIT);
+        final String newName;
+        final String oldName;
+
+        NameMap(String newName, String oldName) {
+            this.newName = newName;
+            this.oldName = oldName;
+        }
+
+        String getOldName(String newName) {
+            if (newName.equals(this.newName)) {
+                return oldName;
+            }
+            return null;
+        }
+    }
+    private static final int NO_LIMIT = 0;
+    /**
+     * Values of the properties
+     */
+    private final int[] values;
+    /**
+     * States of the settings for each property
+     */
+    private State[] states;
+    /**
+     * Flag indicating if secure processing is set
+     */
+    boolean secureProcessing;
+
+    /**
+     * States that determine if properties are set explicitly
+     */
+    private boolean[] isSet;
+
+
+    private XMLLimitAnalyzer limitAnalyzer;
+    /**
+     * Index of the special entityCountInfo property
+     */
+    private int indexEntityCountInfo = 10000;
+    private String printEntityCountInfo = "";
+
+    /**
+     * Default constructor. Establishes default values for known security
+     * vulnerabilities.
+     */
+    public XMLSecurityManager() {
+        this(false);
+    }
+
+    /**
+     * Instantiate Security Manager in accordance with the status of
+     * secure processing
+     * @param secureProcessing
+     */
+    public XMLSecurityManager(boolean secureProcessing) {
+        limitAnalyzer = new XMLLimitAnalyzer(this);
+        values = new int[Limit.values().length];
+        states = new State[Limit.values().length];
+        isSet = new boolean[Limit.values().length];
+        this.secureProcessing = secureProcessing;
+        for (Limit limit : Limit.values()) {
+            if (secureProcessing) {
+                values[limit.ordinal()] = limit.secureValue;
+                states[limit.ordinal()] = State.FSP;
+            } else {
+                values[limit.ordinal()] = limit.defaultValue();
+                states[limit.ordinal()] = State.DEFAULT;
+            }
+        }
+        //read system properties or jaxp.properties
+        readSystemProperties();
+    }
+
+    /**
+     * Setting FEATURE_SECURE_PROCESSING explicitly
+     */
+    public void setSecureProcessing(boolean secure) {
+        secureProcessing = secure;
+        for (Limit limit : Limit.values()) {
+            if (secure) {
+                setLimit(limit.ordinal(), State.FSP, limit.secureValue());
+            } else {
+                setLimit(limit.ordinal(), State.FSP, limit.defaultValue());
+            }
+        }
+    }
+
+    /**
+     * Return the state of secure processing
+     * @return the state of secure processing
+     */
+    public boolean isSecureProcessing() {
+        return secureProcessing;
+    }
+
+
+    /**
+     * Set limit by property name and state
+     * @param propertyName property name
+     * @param state the state of the property
+     * @param value the value of the property
+     * @return true if the property is managed by the security manager; false
+     *              if otherwise.
+     */
+    public boolean setLimit(String propertyName, State state, Object value) {
+        int index = getIndex(propertyName);
+        if (index > -1) {
+            setLimit(index, state, value);
+            return true;
+        }
+        return false;
+    }
+
+    /**
+     * Set the value for a specific limit.
+     *
+     * @param limit the limit
+     * @param state the state of the property
+     * @param value the value of the property
+     */
+    public void setLimit(Limit limit, State state, int value) {
+        setLimit(limit.ordinal(), state, value);
+    }
+
+    /**
+     * Set the value of a property by its index
+     *
+     * @param index the index of the property
+     * @param state the state of the property
+     * @param value the value of the property
+     */
+    public void setLimit(int index, State state, Object value) {
+        if (index == indexEntityCountInfo) {
+            printEntityCountInfo = (String)value;
+        } else {
+            int temp = 0;
+            try {
+                temp = Integer.parseInt((String) value);
+                if (temp < 0) {
+                    temp = 0;
+                }
+            } catch (NumberFormatException e) {}
+            setLimit(index, state, temp);
+        }
+    }
+
+    /**
+     * Set the value of a property by its index
+     *
+     * @param index the index of the property
+     * @param state the state of the property
+     * @param value the value of the property
+     */
+    public void setLimit(int index, State state, int value) {
+        if (index == indexEntityCountInfo) {
+            //if it's explicitly set, it's treated as yes no matter the value
+            printEntityCountInfo = Constants.JDK_YES;
+        } else {
+            //only update if it shall override
+            if (state.compareTo(states[index]) >= 0) {
+                values[index] = value;
+                states[index] = state;
+                isSet[index] = true;
+            }
+        }
+    }
+
+    /**
+     * Return the value of the specified property
+     *
+     * @param propertyName the property name
+     * @return the value of the property as a string. If a property is managed
+     * by this manager, its value shall not be null.
+     */
+    public String getLimitAsString(String propertyName) {
+        int index = getIndex(propertyName);
+        if (index > -1) {
+            return getLimitValueByIndex(index);
+        }
+
+        return null;
+    }
+    /**
+     * Return the value of the specified property
+     *
+     * @param limit the property
+     * @return the value of the property
+     */
+    public int getLimit(Limit limit) {
+        return values[limit.ordinal()];
+    }
+
+    /**
+     * Return the value of a property by its ordinal
+     *
+     * @param limit the property
+     * @return value of a property
+     */
+    public String getLimitValueAsString(Limit limit) {
+        return Integer.toString(values[limit.ordinal()]);
+    }
+
+    /**
+     * Return the value of a property by its ordinal
+     *
+     * @param index the index of a property
+     * @return limit of a property as a string
+     */
+    public String getLimitValueByIndex(int index) {
+        if (index == indexEntityCountInfo) {
+            return printEntityCountInfo;
+        }
+
+        return Integer.toString(values[index]);
+    }
+
+    /**
+     * Return the state of the limit property
+     *
+     * @param limit the limit
+     * @return the state of the limit property
+     */
+    public State getState(Limit limit) {
+        return states[limit.ordinal()];
+    }
+
+    /**
+     * Return the state of the limit property
+     *
+     * @param limit the limit
+     * @return the state of the limit property
+     */
+    public String getStateLiteral(Limit limit) {
+        return states[limit.ordinal()].literal();
+    }
+
+    /**
+     * Get the index by property name
+     *
+     * @param propertyName property name
+     * @return the index of the property if found; return -1 if not
+     */
+    public int getIndex(String propertyName) {
+        for (Limit limit : Limit.values()) {
+            if (limit.equalsAPIPropertyName(propertyName)) {
+                //internally, ordinal is used as index
+                return limit.ordinal();
+            }
+        }
+        //special property to return entity count info
+        if (propertyName.equals(Constants.JDK_ENTITY_COUNT_INFO)) {
+            return indexEntityCountInfo;
+        }
+        return -1;
+    }
+
+    /**
+     * Check if there's no limit defined by the Security Manager
+     * @param limit
+     * @return
+     */
+    public boolean isNoLimit(int limit) {
+        return limit==NO_LIMIT;
+    }
+    /**
+     * Check if the size (length or count) of the specified limit property is
+     * over the limit
+     *
+     * @param limit the type of the limit property
+     * @param entityName the name of the entity
+     * @param size the size (count or length) of the entity
+     * @return true if the size is over the limit, false otherwise
+     */
+    public boolean isOverLimit(Limit limit, String entityName, int size) {
+        return isOverLimit(limit.ordinal(), entityName, size);
+    }
+
+    /**
+     * Check if the value (length or count) of the specified limit property is
+     * over the limit
+     *
+     * @param index the index of the limit property
+     * @param entityName the name of the entity
+     * @param size the size (count or length) of the entity
+     * @return true if the size is over the limit, false otherwise
+     */
+    public boolean isOverLimit(int index, String entityName, int size) {
+        if (values[index] == NO_LIMIT) {
+            return false;
+        }
+        if (size > values[index]) {
+            limitAnalyzer.addValue(index, entityName, size);
+            return true;
+        }
+        return false;
+    }
+
+    /**
+     * Check against cumulated value
+     *
+     * @param limit the type of the limit property
+     * @param size the size (count or length) of the entity
+     * @return true if the size is over the limit, false otherwise
+     */
+    public boolean isOverLimit(Limit limit) {
+        return isOverLimit(limit.ordinal());
+    }
+
+    public boolean isOverLimit(int index) {
+        if (values[index] == NO_LIMIT) {
+            return false;
+        }
+
+        if (index==Limit.ELEMENT_ATTRIBUTE_LIMIT.ordinal() ||
+                index==Limit.ENTITY_EXPANSION_LIMIT.ordinal() ||
+                index==Limit.TOTAL_ENTITY_SIZE_LIMIT.ordinal()) {
+            return (limitAnalyzer.getTotalValue(index) > values[index]);
+        } else {
+            return (limitAnalyzer.getValue(index) > values[index]);
+        }
+    }
+
+    public void debugPrint() {
+        if (printEntityCountInfo.equals(Constants.JDK_YES)) {
+            limitAnalyzer.debugPrint();
+        }
+    }
+
+    /**
+     * Return the limit analyzer
+     *
+     * @return the limit analyzer
+     */
+    public XMLLimitAnalyzer getLimitAnalyzer() {
+        return limitAnalyzer;
+    }
+
+    /**
+     * Set limit analyzer
+     *
+     * @param analyzer a limit analyzer
+     */
+    public void setLimitAnalyzer(XMLLimitAnalyzer analyzer) {
+        limitAnalyzer = analyzer;
+    }
+
+    /**
+     * Indicate if a property is set explicitly
+     * @param index
+     * @return
+     */
+    public boolean isSet(int index) {
+        return isSet[index];
+    }
+
+    public boolean printEntityCountInfo() {
+        return printEntityCountInfo.equals(Constants.JDK_YES);
+    }
+
+    /**
+     * Read from system properties, or those in jaxp.properties
+     */
+    private void readSystemProperties() {
+
+        for (Limit limit : Limit.values()) {
+            if (!getSystemProperty(limit, limit.systemProperty())) {
+                //if system property is not found, try the older form if any
+                for (NameMap nameMap : NameMap.values()) {
+                    String oldName = nameMap.getOldName(limit.systemProperty());
+                    if (oldName != null) {
+                        getSystemProperty(limit, oldName);
+                    }
+                }
+            }
+        }
+
+    }
+
+    /**
+     * Read from system properties, or those in jaxp.properties
+     *
+     * @param property the type of the property
+     * @param sysPropertyName the name of system property
+     */
+    private boolean getSystemProperty(Limit limit, String sysPropertyName) {
+        try {
+            String value = SecuritySupport.getSystemProperty(sysPropertyName);
+            if (value != null && !value.equals("")) {
+                values[limit.ordinal()] = Integer.parseInt(value);
+                states[limit.ordinal()] = State.SYSTEMPROPERTY;
+                return true;
+            }
+
+            value = SecuritySupport.readJAXPProperty(sysPropertyName);
+            if (value != null && !value.equals("")) {
+                values[limit.ordinal()] = Integer.parseInt(value);
+                states[limit.ordinal()] = State.JAXPDOTPROPERTIES;
+                return true;
+            }
+        } catch (NumberFormatException e) {
+            //invalid setting
+            throw new NumberFormatException("Invalid setting for system property: " + limit.systemProperty());
+        }
+        return false;
+    }
+
+
+    /**
+     * Convert a value set through setProperty to XMLSecurityManager.
+     * If the value is an instance of XMLSecurityManager, use it to override the default;
+     * If the value is an old SecurityManager, convert to the new XMLSecurityManager.
+     *
+     * @param value user specified security manager
+     * @param securityManager an instance of XMLSecurityManager
+     * @return an instance of the new security manager XMLSecurityManager
+     */
+    static public XMLSecurityManager convert(Object value, XMLSecurityManager securityManager) {
+        if (value == null) {
+            if (securityManager == null) {
+                securityManager = new XMLSecurityManager(true);
+            }
+            return securityManager;
+        }
+        if (XMLSecurityManager.class.isAssignableFrom(value.getClass())) {
+            return (XMLSecurityManager)value;
+        } else {
+            if (securityManager == null) {
+                securityManager = new XMLSecurityManager(true);
+            }
+            if (SecurityManager.class.isAssignableFrom(value.getClass())) {
+                SecurityManager origSM = (SecurityManager)value;
+                securityManager.setLimit(Limit.MAX_OCCUR_NODE_LIMIT, State.APIPROPERTY, origSM.getMaxOccurNodeLimit());
+                securityManager.setLimit(Limit.ENTITY_EXPANSION_LIMIT, State.APIPROPERTY, origSM.getEntityExpansionLimit());
+                securityManager.setLimit(Limit.ELEMENT_ATTRIBUTE_LIMIT, State.APIPROPERTY, origSM.getElementAttrLimit());
+            }
+            return securityManager;
+        }
+    }
+}
--- a/jaxp/src/com/sun/org/apache/xerces/internal/utils/XMLSecurityPropertyManager.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/utils/XMLSecurityPropertyManager.java	Fri Oct 11 19:49:44 2013 +0100
@@ -91,6 +91,24 @@
         readSystemProperties();
     }
 
+
+    /**
+     * Set limit by property name and state
+     * @param propertyName property name
+     * @param state the state of the property
+     * @param value the value of the property
+     * @return true if the property is managed by the security property manager;
+     *         false if otherwise.
+     */
+    public boolean setValue(String propertyName, State state, Object value) {
+        int index = getIndex(propertyName);
+        if (index > -1) {
+            setValue(index, state, (String)value);
+            return true;
+        }
+        return false;
+    }
+
     /**
      * Set the value for a specific property.
      *
@@ -119,6 +137,23 @@
             states[index] = state;
         }
     }
+
+
+    /**
+     * Return the value of the specified property
+     *
+     * @param propertyName the property name
+     * @return the value of the property as a string
+     */
+    public String getValue(String propertyName) {
+        int index = getIndex(propertyName);
+        if (index > -1) {
+            return getValueByIndex(index);
+        }
+
+        return null;
+    }
+
     /**
      * Return the value of the specified property
      *
--- a/jaxp/src/com/sun/org/apache/xerces/internal/xinclude/XIncludeHandler.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/xinclude/XIncludeHandler.java	Fri Oct 11 19:49:44 2013 +0100
@@ -37,7 +37,6 @@
 import com.sun.org.apache.xerces.internal.util.HTTPInputSource;
 import com.sun.org.apache.xerces.internal.util.IntStack;
 import com.sun.org.apache.xerces.internal.util.ParserConfigurationSettings;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
 import com.sun.org.apache.xerces.internal.util.URI;
 import com.sun.org.apache.xerces.internal.util.XMLAttributesImpl;
@@ -45,6 +44,7 @@
 import com.sun.org.apache.xerces.internal.util.XMLChar;
 import com.sun.org.apache.xerces.internal.util.XMLSymbols;
 import com.sun.org.apache.xerces.internal.util.URI.MalformedURIException;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.Augmentations;
 import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
 import com.sun.org.apache.xerces.internal.xni.QName;
@@ -289,7 +289,7 @@
     protected SymbolTable fSymbolTable;
     protected XMLErrorReporter fErrorReporter;
     protected XMLEntityResolver fEntityResolver;
-    protected SecurityManager fSecurityManager;
+    protected XMLSecurityManager fSecurityManager;
     protected XMLSecurityPropertyManager fSecurityPropertyMgr;
 
     // these are needed for text include processing
@@ -517,8 +517,8 @@
 
         // Get security manager.
         try {
-            SecurityManager value =
-                (SecurityManager)componentManager.getProperty(
+            XMLSecurityManager value =
+                (XMLSecurityManager)componentManager.getProperty(
                     SECURITY_MANAGER);
 
             if (value != null) {
@@ -674,7 +674,7 @@
             return;
         }
         if (propertyId.equals(SECURITY_MANAGER)) {
-            fSecurityManager = (SecurityManager)value;
+            fSecurityManager = (XMLSecurityManager)value;
             if (fChildConfig != null) {
                 fChildConfig.setProperty(propertyId, value);
             }
--- a/jaxp/src/com/sun/org/apache/xml/internal/utils/XMLReaderManager.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xml/internal/utils/XMLReaderManager.java	Fri Oct 11 19:49:44 2013 +0100
@@ -25,12 +25,15 @@
 import com.sun.org.apache.xalan.internal.XalanConstants;
 import com.sun.org.apache.xalan.internal.utils.FactoryImpl;
 import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
+import com.sun.org.apache.xalan.internal.utils.XMLSecurityManager;
 import java.util.HashMap;
+
 import javax.xml.XMLConstants;
 import javax.xml.parsers.FactoryConfigurationError;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParserFactory;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
 import org.xml.sax.XMLReader;
 import org.xml.sax.helpers.XMLReaderFactory;
 
@@ -63,11 +66,15 @@
     private HashMap m_inUse;
 
     private boolean m_useServicesMechanism = true;
+
+    private boolean _secureProcessing;
      /**
      * protocols allowed for external DTD references in source file and/or stylesheet.
      */
     private String _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
 
+    private XMLSecurityManager _xmlSecurityManager;
+
     /**
      * Hidden constructor
      */
@@ -118,7 +125,12 @@
                     // TransformerFactory creates a reader via the
                     // XMLReaderFactory if setXMLReader is not used
                     reader = XMLReaderFactory.createXMLReader();
-
+                    try {
+                        reader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, _secureProcessing);
+                    } catch (SAXNotRecognizedException e) {
+                        System.err.println("Warning:  " + reader.getClass().getName() + ": "
+                                + e.getMessage());
+                    }
                 } catch (Exception e) {
                    try {
                         // If unable to create an instance, let's try to use
@@ -164,6 +176,21 @@
                         + se.getMessage());
         }
 
+        try {
+            if (_xmlSecurityManager != null) {
+                for (XMLSecurityManager.Limit limit : XMLSecurityManager.Limit.values()) {
+                    reader.setProperty(limit.apiProperty(),
+                            _xmlSecurityManager.getLimitValueAsString(limit));
+                }
+                if (_xmlSecurityManager.printEntityCountInfo()) {
+                    reader.setProperty(XalanConstants.JDK_ENTITY_COUNT_INFO, XalanConstants.JDK_YES);
+                }
+            }
+        } catch (SAXException se) {
+            System.err.println("Warning:  " + reader.getClass().getName() + ": "
+                        + se.getMessage());
+        }
+
         return reader;
     }
 
@@ -195,11 +222,22 @@
     }
 
     /**
+     * Set feature
+     */
+    public void setFeature(String name, boolean value) {
+        if (name.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) {
+            _secureProcessing = value;
+        }
+    }
+
+    /**
      * Get property value
      */
-    public String getProperty(String name) {
+    public Object getProperty(String name) {
         if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) {
             return _accessExternalDTD;
+        } else if (name.equals(XalanConstants.SECURITY_MANAGER)) {
+            return _xmlSecurityManager;
         }
         return null;
     }
@@ -207,9 +245,11 @@
     /**
      * Set property.
      */
-    public void setProperty(String name, String value) {
+    public void setProperty(String name, Object value) {
         if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) {
             _accessExternalDTD = (String)value;
+        } else if (name.equals(XalanConstants.SECURITY_MANAGER)) {
+            _xmlSecurityManager = (XMLSecurityManager)value;
         }
     }
 }
--- a/jaxp/src/javax/xml/stream/FactoryFinder.java	Thu Oct 10 21:22:52 2013 -0700
+++ b/jaxp/src/javax/xml/stream/FactoryFinder.java	Fri Oct 11 19:49:44 2013 +0100
@@ -253,7 +253,13 @@
 
         // Use the system property first
         try {
-            String systemProp = ss.getSystemProperty(factoryId);
+
+            final String systemProp;
+            if (type.getName().equals(factoryId)) {
+                systemProp = ss.getSystemProperty(factoryId);
+            } else {
+                systemProp = System.getProperty(factoryId);
+            }
             if (systemProp != null) {
                 dPrint("found system property, value=" + systemProp);
                 // There's a bug here - because 'cl' is ignored.
@@ -262,7 +268,8 @@
             }
         }
         catch (SecurityException se) {
-            if (debug) se.printStackTrace();
+            throw new FactoryConfigurationError(
+                    "Failed to read factoryId '" + factoryId + "'", se);
         }
 
         // Try read $java.home/lib/stax.properties followed by