JAXP is the framework for XML processing in Java. Java 8 comes bundles with JAXP 1.5. JAXP 1.5 introduces three new properties to provide secure access to XML. The new properties are:
- ACCESS_EXTERNAL_DTD
- ACCESS_EXTERNAL_SCHEMA
- ACCESS_EXTERNAL_STYLESHEET
The list of protocol can be specified as values to the above properties. The possible list of examples for different kind of values
- all - Allow all protocol
- Providing no value so that the above properties has empty string will restrict access to all protocols
- file - Provide access to file protocol only
- file,http - Comma separated list of multiple protocols to provide access.
The values are implementation specific also. The recommendation is that if FEATURE_SECURE_PROCESSING is enabled then restrict the connection to external world.
How to set the value of above properties
- The above properties are exposed as system properties also. So they can be passes as flag to jvm. For example to allow all connections for Schemas to outside world run java as
If you are in maven environment you can define it as part of MAVEN_OPTS. In windows add the following to MAVEN_OPTS
-Djavax.xml.accessExternalSchema=all
- Create a jaxp.properties file in $JAVA_HOME/jre/lib and enter the property there
- You can set the property when your application is initialized by calling
- You can set the attribute at XML parsers factory level by passing this as an attribute.
Error Conditions
If you have migrated to Java 8 and your application is accessing definitions outside then you might see the following as an exception, which is an example of schema access
access is not allowed due to restriction set by the accessExternalSchema property
To solve that set the appropriate value to the properties via one of the way mentioned above.
Using Maven Jaxb plugin
You need plugin version >= 0.9.0. In the plugin by default the XML security is disabled so the access will happen. The XML security can be enabled by setting
<plugin>
<groupId>org.jvnet.jaxb2.maven2</groupId>
<artifactId>maven-jaxb2-plugin</artifactId>
<version>0.9.0</version>
<executions>
<execution>
<goals>
<goal>generate</goal>
</goals>
</execution>
</executions>
<configuration> ....
<accessExternalSchema>all</accessExternalSchema>
...
</configuration>
</plugin>
Using Maven Jaxb plugin
You need plugin version >= 0.9.0. In the plugin by default the XML security is disabled so the access will happen. The XML security can be enabled by setting
disableXmlSecurity to false However if you enable XML security, then you need to specify accessExternalSchema as follows<plugin>
<groupId>org.jvnet.jaxb2.maven2</groupId>
<artifactId>maven-jaxb2-plugin</artifactId>
<version>0.9.0</version>
<executions>
<execution>
<goals>
<goal>generate</goal>
</goals>
</execution>
</executions>
<configuration> ....
<accessExternalSchema>all</accessExternalSchema>
...
</configuration>
</plugin>
great
ReplyDeleteThank you. Very helpful.
ReplyDelete