SchemaFactory features not recognized

[Johann]

Hello,

We use Author Web 26.0.

In our framework, we have defined an operation based on an XML configuration file. This configuration file is validated via an XSD schema.

So we have these lines in our code:

Code: Select all

SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
Validator validator = schema.newValidator();

SchemaFactory is implemented in the oxygen-patched-xerces library.

In order to meet security requirements, we want to add these properties so as not to be vulnerable to XXE attacks:

Code: Select all

SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

However, these properties are not recognized, as oxygen-patched-xerces seems to embed jaxp 1.4, which does not yet include these properties.
These properties have been introduced in jaxp 1.5

Is there any particular reason why oxygen-patched-xerces still depends on jaxp 1.4?
Is there a solution to my problem? If I pull in another version of xerces to meet my needs, won't that conflict with the Oxygen libs?

Thank you,

Johann

[cristi_talau]

Hello,

Web Author contains the latest Xercess - 2.12.2 . The JAXP that we use comes from the JDK and, as of Java 8, the embedded version is JAXP 1.5.
Can you share the error that you get and how you reproduce it?

Best,
Cristian

[Johann]

Hello,

This is the error I obtain:

java.lang.RuntimeException: org.xml.sax.SAXNotRecognizedException: La propriété 'http://javax.xml.XMLConstants/property/ ... xternalDTD' n'est pas reconnue.

To reproduce it, put this code in insertFragment method inside a DocumentFilter class and add a fragment in the Author view:

Code: Select all

SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        try {
            factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            throw new RuntimeException(e);
        }

Regards,

Johann

[Radu]

Hi Johann,

I see that indeed the Javadoc for "javax.xml.validation.SchemaFactory.setProperty(String, Object)" says:

Code: Select all

     * <p>
     * All implementations that implement JAXP 1.5 or newer are required to
     * support the {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_DTD} and
     * {@link javax.xml.XMLConstants#ACCESS_EXTERNAL_SCHEMA} properties.
     *

but such a property does not seem to be taken into account at least in Xerces 2.12.1, you can look at the Java code for "org.apache.xerces.jaxp.validation.BaseSchemaFactory.setProperty(String, Object)".
Also it does not seem to be taken into account in the Xerces bundled with Java, you can look at the source code for "com.sun.org.apache.xerces.internal.jaxp.validation.XMLSchemaFactory.setProperty(String, Object)".
Maybe you should use this feature instead:

Code: Select all

 factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);

Other than that maybe your code could just parse the xml config file without any validation as you are probably editing the XML configuration file using Oxygen and you can validate it in Oxygen with an external schema.

Regards,
Radu