use of org.apache.xerces.util.SecurityManager in project iaf by ibissource.
the class XMLSchemaValidatorComponentManager method setFeature.
/**
* Set the state of a feature.
*
* @param featureId The unique identifier (URI) of the feature.
* @param value The requested state of the feature (true or false).
*
* @exception XMLConfigurationException If the requested feature is not known.
*/
public void setFeature(String featureId, boolean value) throws XMLConfigurationException {
    // Three requests are refused with NOT_SUPPORTED: any change to PARSER_SETTINGS, switching
    // VALIDATION or SCHEMA_VALIDATION off, and changing USE_GRAMMAR_POOL_ONLY away from the
    // value this manager currently holds. The checks run in that order and short-circuit.
    if (PARSER_SETTINGS.equals(featureId)
            || (!value && (VALIDATION.equals(featureId) || SCHEMA_VALIDATION.equals(featureId)))
            || (USE_GRAMMAR_POOL_ONLY.equals(featureId) && value != fUseGrammarPoolOnly)) {
        throw new XMLConfigurationException(XMLConfigurationException.NOT_SUPPORTED, featureId);
    }

    // Secure processing is mapped onto the SECURITY_MANAGER property rather than stored as a
    // feature: enabling installs a fresh SecurityManager, disabling sets the property to null.
    // Security note: passing false therefore leaves this manager without a SecurityManager, so
    // callers handling untrusted XML should not turn the feature off.
    if (XMLConstants.FEATURE_SECURE_PROCESSING.equals(featureId)) {
        final SecurityManager manager;
        if (value) {
            manager = new SecurityManager();
        } else {
            manager = null;
        }
        setProperty(SECURITY_MANAGER, manager);
        return;
    }

    // Any other feature is pushed to the three components before the base class sees it.
    fConfigUpdated = true;
    fEntityManager.setFeature(featureId, value);
    fErrorReporter.setFeature(featureId, value);
    fSchemaValidator.setFeature(featureId, value);

    // Remember the value the feature had before its first change; later changes to the same
    // feature keep that first snapshot (presumably so it can be restored later; confirm).
    if (!fInitFeatures.containsKey(featureId)) {
        fInitFeatures.put(featureId, Boolean.valueOf(super.getFeature(featureId)));
    }
    super.setFeature(featureId, value);
}
use of org.apache.xerces.util.SecurityManager in project carbon-apimgt by wso2.
the class APIMWSDLReader method getSecuredDocumentBuilder.
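/**
 * Builds a namespace-aware DocumentBuilderFactory hardened against XML external entity (XXE)
 * and entity-expansion attacks.
 *
 * <p>XInclude and entity-reference expansion are switched off, external general entities,
 * external parameter entities and external DTD loading are disabled, secure processing is
 * enabled, and a Xerces SecurityManager capped at ENTITY_EXPANSION_LIMIT is attached.
 *
 * <p>Each feature is applied in its own try block so that one feature the parser rejects does
 * not cause the remaining ones to be skipped. A rejected feature is logged and the factory is
 * still returned, so an error logged here means the factory is only partially hardened.
 *
 * @return the configured factory
 */
@Deprecated
private static DocumentBuilderFactory getSecuredDocumentBuilder() {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);

    // Features that must be off to keep the parser from fetching external entities or DTDs.
    String[] externalEntityFeatures = {
        Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE,
        Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE,
        Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE
    };
    for (String feature : externalEntityFeatures) {
        try {
            dbf.setFeature(feature, false);
        } catch (ParserConfigurationException e) {
            // Skip throwing the error as this exception doesn't break actual DocumentBuilderFactory
            // creation; the loop continues so the other protections are still applied.
            log.error("Failed to load XML Processor Feature " + feature, e);
        }
    }
    try {
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    } catch (ParserConfigurationException e) {
        log.error("Failed to load XML Processor Feature " + XMLConstants.FEATURE_SECURE_PROCESSING, e);
    }

    // Cap entity expansion explicitly instead of relying on the parser default.
    // NOTE(review): setAttribute throws IllegalArgumentException when the factory implementation
    // does not recognise the property; presumably a Xerces implementation is expected here.
    SecurityManager securityManager = new SecurityManager();
    securityManager.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT);
    dbf.setAttribute(Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY, securityManager);
    return dbf;
}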
use of org.apache.xerces.util.SecurityManager in project carbon-business-process by wso2.
the class Utils method getSecuredDocumentBuilder.
/**
* Creates a DocumentBuilderFactory configured with XXE (XML external entity) and XEE (XML entity expansion) prevention measures.
*
* @return DocumentBuilderFactory instance
*/
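public static DocumentBuilderFactory getSecuredDocumentBuilder() {
    // Hardening applied here: XInclude and entity-reference expansion off, external general and
    // parameter entities and external DTD loading disabled, secure processing on, and a Xerces
    // SecurityManager capped at ENTITY_EXPANSION_LIMIT attached.
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);

    // Each feature gets its own try block: with a single shared try, the first feature the
    // parser rejects would silently skip every protection after it, secure processing included.
    String[] externalEntityFeatures = {
        Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE,
        Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE,
        Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE
    };
    for (String feature : externalEntityFeatures) {
        try {
            dbf.setFeature(feature, false);
        } catch (ParserConfigurationException e) {
            // Best effort, as before: log with the cause and keep going. An error logged here
            // means the returned factory is only partially hardened.
            log.error("Failed to load XML Processor Feature " + feature, e);
        }
    }
    try {
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    } catch (ParserConfigurationException e) {
        log.error("Failed to load XML Processor Feature " + XMLConstants.FEATURE_SECURE_PROCESSING, e);
    }

    // Cap entity expansion explicitly instead of relying on the parser default.
    // NOTE(review): setAttribute throws IllegalArgumentException when the factory implementation
    // does not recognise the property; presumably a Xerces implementation is expected here.
    SecurityManager securityManager = new SecurityManager();
    securityManager.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT);
    dbf.setAttribute(Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY, securityManager);
    return dbf;
}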
use of org.apache.xerces.util.SecurityManager in project carbon-business-process by wso2.
the class DOMUtils method getSecuredDocumentBuilder.
/**
* Creates a DocumentBuilderFactory configured with XXE (XML external entity) and XEE (XML entity expansion) prevention measures.
*
* @return DocumentBuilderFactory instance
*/
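public static DocumentBuilderFactory getSecuredDocumentBuilder() {
    // Start from a namespace-aware factory with XInclude and entity-reference expansion off.
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);

    // Disable external general entities, external parameter entities and external DTD loading.
    // The features are applied one at a time so that a parser rejecting one of them still
    // receives the others; a shared try block would abandon the rest on the first failure.
    String[] externalEntityFeatures = {
        Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE,
        Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE,
        Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE
    };
    for (String feature : externalEntityFeatures) {
        try {
            dbf.setFeature(feature, false);
        } catch (ParserConfigurationException e) {
            // Still best effort (no rethrow), but the cause is now logged and the message names
            // the feature that was not applied, i.e. the protection the factory is missing.
            log.error("Failed to load XML Processor Feature " + feature, e);
        }
    }
    try {
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    } catch (ParserConfigurationException e) {
        log.error("Failed to load XML Processor Feature " + XMLConstants.FEATURE_SECURE_PROCESSING, e);
    }

    // Attach a Xerces SecurityManager with an explicit entity-expansion cap.
    // NOTE(review): setAttribute throws IllegalArgumentException when the factory implementation
    // does not recognise the property; presumably a Xerces implementation is expected here.
    SecurityManager securityManager = new SecurityManager();
    securityManager.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT);
    dbf.setAttribute(Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY, securityManager);
    return dbf;
}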
use of org.apache.xerces.util.SecurityManager in project iaf by ibissource.
the class XMLSchemaFactory method setFeature.
/**
 * Sets a feature on this schema factory.
 *
 * <p>The JAXP source features (stream, SAX, DOM, StAX) are read-only. Secure processing is
 * translated into installing or clearing the SECURITY_MANAGER property on the schema loader,
 * and USE_GRAMMAR_POOL_ONLY is kept in a field of this factory. Every other feature is passed
 * to the schema loader.
 *
 * <p>Security note: setting secure processing to {@code false} clears the SecurityManager on
 * the schema loader, so it should stay enabled when schemas come from untrusted sources.
 *
 * @param name the feature identifier; must not be null
 * @param value the requested state of the feature
 * @throws NullPointerException if {@code name} is null
 * @throws SAXNotRecognizedException if the schema loader does not recognise the feature
 * @throws SAXNotSupportedException if the feature is a read-only source feature, or the schema
 *         loader rejects it for a reason other than not recognising it
 */
public void setFeature(String name, boolean value) throws SAXNotRecognizedException, SAXNotSupportedException {
    if (name == null) {
        final String nullNameMessage = JAXPValidationMessageFormatter.formatMessage(
                fXMLSchemaLoader.getLocale(), "FeatureNameNull", null);
        throw new NullPointerException(nullNameMessage);
    }

    // The source features only advertise what this factory accepts; they cannot be changed.
    final boolean readOnlySourceFeature = name.startsWith(JAXP_SOURCE_FEATURE_PREFIX)
            && (name.equals(StreamSource.FEATURE)
                    || name.equals(SAXSource.FEATURE)
                    || name.equals(DOMSource.FEATURE)
                    || name.equals(StAXSource.FEATURE));
    if (readOnlySourceFeature) {
        throw new SAXNotSupportedException(SAXMessageFormatter.formatMessage(
                fXMLSchemaLoader.getLocale(), "feature-read-only", new Object[] { name }));
    }

    // Secure processing is represented by the presence of a SecurityManager on the loader.
    if (name.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) {
        if (value) {
            fSecurityManager = new SecurityManager();
        } else {
            fSecurityManager = null;
        }
        fXMLSchemaLoader.setProperty(SECURITY_MANAGER, fSecurityManager);
        return;
    }
    if (name.equals(USE_GRAMMAR_POOL_ONLY)) {
        fUseGrammarPoolOnly = value;
        return;
    }

    // Everything else belongs to the schema loader; its configuration errors are translated
    // into the SAX exception types this method declares.
    try {
        fXMLSchemaLoader.setFeature(name, value);
    } catch (XMLConfigurationException e) {
        final String identifier = e.getIdentifier();
        if (e.getType() == XMLConfigurationException.NOT_RECOGNIZED) {
            throw new SAXNotRecognizedException(SAXMessageFormatter.formatMessage(
                    fXMLSchemaLoader.getLocale(), "feature-not-recognized", new Object[] { identifier }));
        }
        throw new SAXNotSupportedException(SAXMessageFormatter.formatMessage(
                fXMLSchemaLoader.getLocale(), "feature-not-supported", new Object[] { identifier }));
    }
}