
Example 1 with XMLSecurityInputProcessor

Use of org.apache.xml.security.stax.impl.processor.input.XMLSecurityInputProcessor in the project santuario-java by apache.

In the class InboundXMLSec, method processInMessage.

/**
 * Warning:
 * configure your xmlStreamReader correctly. Otherwise you can create a security hole.
 * At minimum configure the following properties:
 * xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
 * xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
 * xmlInputFactory.setProperty(XMLInputFactory.IS_COALESCING, false);
 * xmlInputFactory.setProperty(WstxInputProperties.P_MIN_TEXT_SEGMENT, new Integer(8192));
 * <p></p>
 * This method is the entry point for the incoming security-engine.
 * Hand over the original XMLStreamReader and use the returned one for further processing
 *
 * @param xmlStreamReader The original XMLStreamReader
 * @param requestSecurityEvents A List of requested SecurityEvents
 * @param securityEventListener A SecurityEventListener to receive security-relevant events.
 * @return A new XMLStreamReader which does transparently the security processing.
 * @throws XMLStreamException  thrown when a streaming error occurs
 */
public XMLStreamReader processInMessage(XMLStreamReader xmlStreamReader, List<SecurityEvent> requestSecurityEvents, SecurityEventListener securityEventListener) throws XMLStreamException {
    if (requestSecurityEvents == null) {
        requestSecurityEvents = Collections.emptyList();
    }
    final InboundSecurityContextImpl inboundSecurityContext = new InboundSecurityContextImpl();
    inboundSecurityContext.putList(SecurityEvent.class, requestSecurityEvents);
    inboundSecurityContext.addSecurityEventListener(securityEventListener);
    inboundSecurityContext.put(XMLSecurityConstants.XMLINPUTFACTORY, xmlInputFactory);
    DocumentContextImpl documentContext = new DocumentContextImpl();
    documentContext.setEncoding(xmlStreamReader.getEncoding() != null ? xmlStreamReader.getEncoding() : java.nio.charset.StandardCharsets.UTF_8.name());
    // woodstox 3.2.9 returns null when used with a DOMSource
    Location location = xmlStreamReader.getLocation();
    if (location != null) {
        documentContext.setBaseURI(location.getSystemId());
    }
    InputProcessorChainImpl inputProcessorChain = new InputProcessorChainImpl(inboundSecurityContext, documentContext);
    inputProcessorChain.addProcessor(new XMLEventReaderInputProcessor(securityProperties, xmlStreamReader));
    List<InputProcessor> additionalInputProcessors = securityProperties.getInputProcessorList();
    if (!additionalInputProcessors.isEmpty()) {
        Iterator<InputProcessor> inputProcessorIterator = additionalInputProcessors.iterator();
        while (inputProcessorIterator.hasNext()) {
            InputProcessor inputProcessor = inputProcessorIterator.next();
            inputProcessorChain.addProcessor(inputProcessor);
        }
    }
    inputProcessorChain.addProcessor(new XMLSecurityInputProcessor(securityProperties));
    if (LOG.isTraceEnabled()) {
        LogInputProcessor LOGInputProcessor = new LogInputProcessor(securityProperties);
        LOGInputProcessor.addAfterProcessor(XMLSecurityInputProcessor.class.getName());
        inputProcessorChain.addProcessor(LOGInputProcessor);
    }
    return new XMLSecurityStreamReader(inputProcessorChain, securityProperties);
}
Also used: InputProcessorChainImpl (org.apache.xml.security.stax.impl.InputProcessorChainImpl), XMLSecurityStreamReader (org.apache.xml.security.stax.impl.XMLSecurityStreamReader), InboundSecurityContextImpl (org.apache.xml.security.stax.impl.InboundSecurityContextImpl), XMLEventReaderInputProcessor (org.apache.xml.security.stax.impl.processor.input.XMLEventReaderInputProcessor), XMLSecurityInputProcessor (org.apache.xml.security.stax.impl.processor.input.XMLSecurityInputProcessor), LogInputProcessor (org.apache.xml.security.stax.impl.processor.input.LogInputProcessor), DocumentContextImpl (org.apache.xml.security.stax.impl.DocumentContextImpl), Location (javax.xml.stream.Location)
