8015630: Remove default restriction settings of jaxp 1.5 properties in JDK8
Reviewed-by: alanb
--- a/jaxp/src/com/sun/org/apache/xalan/internal/XalanConstants.java Mon Jun 03 16:09:15 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/XalanConstants.java Tue Jun 04 09:35:12 2013 -0700
@@ -80,59 +80,6 @@
/**
* FEATURE_SECURE_PROCESSING (FSP) is false by default
*/
- public static final String EXTERNAL_ACCESS_DEFAULT = getExternalAccessDefault(false);
-
- /**
- * Determine the default value of the external access properties
- *
- * jaxp 1.5 does not require implementations to restrict by default
- *
- * For JDK8:
- * The default value is 'file' (including jar:file); The keyword "all" grants permission
- * to all protocols. When {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING} is on,
- * the default value is an empty string indicating no access is allowed.
- *
- * For JDK7:
- * The default value is 'all' granting permission to all protocols. If by default,
- * {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING} is true, it should
- * not change the default value. However, if {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING}
- * is set explicitly, the values of the properties shall be set to an empty string
- * indicating no access is allowed.
- *
- * @param isSecureProcessing indicating if Secure Processing is set
- * @return default value
- */
- public static String getExternalAccessDefault(boolean isSecureProcessing) {
- String defaultValue = "all";
- if (isJDKandAbove(RESTRICT_BY_DEFAULT_JDK_VERSION)) {
- defaultValue = "file";
- if (isSecureProcessing) {
- defaultValue = EXTERNAL_ACCESS_DEFAULT_FSP;
- }
- }
- return defaultValue;
- }
-
- /*
- * Check the version of the current JDK against that specified in the
- * parameter
- *
- * There is a proposal to change the java version string to:
- * MAJOR.MINOR.FU.CPU.PSU-BUILDNUMBER_BUGIDNUMBER_OPTIONAL
- * This method would work with both the current format and that proposed
- *
- * @param compareTo a JDK version to be compared to
- * @return true if the current version is the same or above that represented
- * by the parameter
- */
- public static boolean isJDKandAbove(int compareTo) {
- String javaVersion = SecuritySupport.getSystemProperty("java.version");
- String versions[] = javaVersion.split("\\.", 3);
- if (Integer.parseInt(versions[0]) >= compareTo ||
- Integer.parseInt(versions[1]) >= compareTo) {
- return true;
- }
- return false;
- }
+ public static final String EXTERNAL_ACCESS_DEFAULT = ACCESS_EXTERNAL_ALL;
} // class Constants
--- a/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java Mon Jun 03 16:09:15 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java Tue Jun 04 09:35:12 2013 -0700
@@ -253,7 +253,6 @@
if (System.getSecurityManager() != null) {
_isSecureMode = true;
_isNotSecureProcessing = false;
- defaultAccess = XalanConstants.getExternalAccessDefault(true);
}
_accessExternalStylesheet = SecuritySupport.getDefaultAccessProperty(
XalanConstants.SP_ACCESS_EXTERNAL_STYLESHEET, defaultAccess);
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/Constants.java Mon Jun 03 16:09:15 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/Constants.java Tue Jun 04 09:35:12 2013 -0700
@@ -202,7 +202,7 @@
/**
* FEATURE_SECURE_PROCESSING (FSP) is true by default
*/
- public static final String EXTERNAL_ACCESS_DEFAULT = getExternalAccessDefault(true);
+ public static final String EXTERNAL_ACCESS_DEFAULT = ACCESS_EXTERNAL_ALL;
//
// DOM features
@@ -697,58 +697,6 @@
? new ArrayEnumeration(fgXercesProperties) : fgEmptyEnumeration;
} // getXercesProperties():Enumeration
- /**
- * Determine the default value of the external access properties
- *
- * jaxp 1.5 does not require implementations to restrict by default
- *
- * For JDK8:
- * The default value is 'file' (including jar:file); The keyword "all" grants permission
- * to all protocols. When {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING} is on,
- * the default value is an empty string indicating no access is allowed.
- *
- * For JDK7:
- * The default value is 'all' granting permission to all protocols. If by default,
- * {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING} is true, it should
- * not change the default value. However, if {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING}
- * is set explicitly, the values of the properties shall be set to an empty string
- * indicating no access is allowed.
- *
- * @param isSecureProcessing indicating if Secure Processing is set
- * @return default value
- */
- public static String getExternalAccessDefault(boolean isSecureProcessing) {
- String defaultValue = "all";
- if (isJDKandAbove(RESTRICT_BY_DEFAULT_JDK_VERSION)) {
- defaultValue = "file";
- if (isSecureProcessing) {
- defaultValue = EXTERNAL_ACCESS_DEFAULT_FSP;
- }
- }
- return defaultValue;
- }
-
- /*
- * Check the version of the current JDK against that specified in the
- * parameter
- *
- * There is a proposal to change the java version string to:
- * MAJOR.MINOR.FU.CPU.PSU-BUILDNUMBER_BUGIDNUMBER_OPTIONAL
- * This method would work with both the current format and that proposed
- *
- * @param compareTo a JDK version to be compared to
- * @return true if the current version is the same or above that represented
- * by the parameter
- */
- public static boolean isJDKandAbove(int compareTo) {
- String javaVersion = SecuritySupport.getSystemProperty("java.version");
- String versions[] = javaVersion.split("\\.", 3);
- if (Integer.parseInt(versions[0]) >= compareTo ||
- Integer.parseInt(versions[1]) >= compareTo) {
- return true;
- }
- return false;
- }
//
// Classes
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java Mon Jun 03 16:09:15 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java Tue Jun 04 09:35:12 2013 -0700
@@ -364,10 +364,15 @@
SAXMessageFormatter.formatMessage(null,
"jaxp-secureprocessing-feature", null));
}
- fSecurityManager = value ? new SecurityManager() : null;
+ if (value) {
+ fSecurityManager = new SecurityManager();
+ fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+ fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+ } else {
+ fSecurityManager = null;
+ }
+
fXMLSchemaLoader.setProperty(SECURITY_MANAGER, fSecurityManager);
- fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
- fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
return;
} else if (name.equals(Constants.ORACLE_FEATURE_SERVICE_MECHANISM)) {
//in secure mode, let _useServicesMechanism be determined by the constructor