Monday, August 11, 2014

JAXP Properties for secure access

JAXP is the framework for XML processing in Java. Java 8 comes bundles with JAXP 1.5. JAXP 1.5 introduces three new properties to provide secure access to XML. The new properties are:

  • ACCESS_EXTERNAL_DTD
  • ACCESS_EXTERNAL_SCHEMA
  • ACCESS_EXTERNAL_STYLESHEET
The list of protocol can be specified as values to the above properties. The possible list of examples for different kind of values
  • all - Allow all protocol
  • Providing no value so that the above properties has empty string will restrict access to all protocols
  • file - Provide access to file protocol only
  • file,http - Comma separated list of multiple protocols to provide access.
The values are implementation specific also. The recommendation is that if  FEATURE_SECURE_PROCESSING is enabled then restrict the connection to external world.

How to set the value of above properties
  • The above properties are exposed as system properties also. So they can be passes as flag to jvm. For example to allow all connections for Schemas to outside world run java as 
                               java  -Djavax.xml.accessExternalSchema=all
         If you are in maven environment you can define it as part of MAVEN_OPTS. In windows add the following to MAVEN_OPTS
                             -Djavax.xml.accessExternalSchema=all
  • Create a jaxp.properties file in $JAVA_HOME/jre/lib and enter the property there
                                 javax.xml.accessExternalSchema=all
  • You can set the property when your application is initialized by calling 
                      System.setProperty("javax.xml.accessExternalSchema", "all");
  • You can set the attribute at XML parsers factory level by passing this as an attribute.
Error Conditions

If you have migrated to Java 8 and your application is accessing definitions outside then you might see the following as an exception, which is an example of schema access


access is not allowed due to restriction set by the accessExternalSchema property


To solve that set the appropriate value to the properties via one of the way mentioned above.

Using Maven Jaxb plugin

You need plugin version >= 0.9.0. In the plugin by default the XML security is disabled so the access will happen. The XML security can be enabled by setting disableXmlSecurity to false However if you enable XML security, then you need to specify accessExternalSchema as follows

<plugin>
<groupId>org.jvnet.jaxb2.maven2</groupId>
<artifactId>maven-jaxb2-plugin</artifactId>
<version>0.9.0</version>
<executions>
<execution>
<goals>
<goal>generate</goal>
</goals>
</execution>
</executions>
<configuration>                                                           ....    
<accessExternalSchema>all</accessExternalSchema>                                                   
        ...                                                                                
</configuration>
</plugin>



2 comments: