1 /* 2 * Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. 8 * 9 * This code is distributed in the hope that it will be useful, but WITHOUT 10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 12 * version 2 for more details (a copy is included in the LICENSE file that 13 * accompanied this code). 14 * 15 * You should have received a copy of the GNU General Public License version 16 * 2 along with this work; if not, write to the Free Software Foundation, 17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 20 * or visit www.oracle.com if you need additional information or have any 21 * questions. 22 */ 23 24 package xpath; 25 26 import java.io.IOException; 27 import java.io.InputStream; 28 import java.util.Iterator; 29 import java.util.List; 30 31 import javax.xml.XMLConstants; 32 import javax.xml.namespace.NamespaceContext; 33 import javax.xml.namespace.QName; 34 import javax.xml.parsers.DocumentBuilder; 35 import javax.xml.parsers.DocumentBuilderFactory; 36 import javax.xml.parsers.ParserConfigurationException; 37 import javax.xml.xpath.XPath; 38 import javax.xml.xpath.XPathExpressionException; 39 import javax.xml.xpath.XPathFactory; 40 import javax.xml.xpath.XPathFactoryConfigurationException; 41 import javax.xml.xpath.XPathFunction; 42 import javax.xml.xpath.XPathFunctionException; 43 import javax.xml.xpath.XPathFunctionResolver; 44 45 import org.testng.Assert; 46 import org.testng.annotations.Test; 47 import org.w3c.dom.Document; 48 import org.xml.sax.SAXException; 49 50 /* 51 * @summary Test when FEATURE_SECURE_PROCESSING is true, calling an external function will cause XPathFunctionException. 52 */ 53 public class SecureProcessingTest { 54 static boolean _isSecureMode = false; 55 static { 56 if (System.getSecurityManager() != null) { 57 _isSecureMode = true; 58 System.out.println("Security Manager is present"); 59 } else { 60 System.out.println("Security Manager is NOT present"); 61 } 62 } 63 64 @Test 65 public final void testSecureProcessing() { 66 67 final String XPATH_EXPRESSION = "ext:helloWorld()"; 68 69 // the xml source 70 InputStream xmlStream = this.getClass().getResourceAsStream("SecureProcessingTest.xml"); 71 72 DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance(); 73 DocumentBuilder documentBuilder = null; 74 Document document = null; 75 76 try { 77 documentBuilder = documentBuilderFactory.newDocumentBuilder(); 78 document = documentBuilder.parse(xmlStream); 79 } catch (ParserConfigurationException parserConfigurationException) { 80 parserConfigurationException.printStackTrace(); 81 Assert.fail(parserConfigurationException.toString()); 82 } catch (SAXException saxException) { 83 saxException.printStackTrace(); 84 Assert.fail(saxException.toString()); 85 } catch (IOException ioException) { 86 ioException.printStackTrace(); 87 Assert.fail(ioException.toString()); 88 } 89 90 // the XPath 91 XPathFactory xPathFactory = null; 92 XPath xPath = null; 93 String xPathResult = null; 94 95 // SECURE_PROCESSING == false 96 // evaluate an expression with a user defined function with a non-secure 97 // XPath 98 // expect success 99 if (!_isSecureMode) { // jaxp secure feature can not be turned off when 100 // security manager is present 101 try { 102 xPathFactory = xPathFactory.newInstance(); 103 xPathFactory.setXPathFunctionResolver(new MyXPathFunctionResolver()); 104 xPathFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); 105 106 xPath = xPathFactory.newXPath(); 107 xPath.setNamespaceContext(new MyNamespaceContext()); 108 109 xPathResult = xPath.evaluate(XPATH_EXPRESSION, document); 110 } catch (XPathFactoryConfigurationException xPathFactoryConfigurationException) { 111 xPathFactoryConfigurationException.printStackTrace(); 112 Assert.fail(xPathFactoryConfigurationException.toString()); 113 } catch (XPathExpressionException xPathExpressionException) { 114 xPathExpressionException.printStackTrace(); 115 Assert.fail(xPathExpressionException.toString()); 116 } 117 118 // expected success 119 System.out.println("XPath result (SECURE_PROCESSING == false) = \"" + xPathResult + "\""); 120 } 121 // now try with SECURE_PROCESSING == true 122 // evaluate an expression with a user defined function with a secure 123 // XPath 124 // expect Exception 125 boolean securityException = false; 126 try { 127 xPathFactory = xPathFactory.newInstance(); 128 xPathFactory.setXPathFunctionResolver(new MyXPathFunctionResolver()); 129 xPathFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); 130 131 xPath = xPathFactory.newXPath(); 132 xPath.setNamespaceContext(new MyNamespaceContext()); 133 134 xPathResult = xPath.evaluate(XPATH_EXPRESSION, document); 135 } catch (XPathFactoryConfigurationException xPathFactoryConfigurationException) { 136 xPathFactoryConfigurationException.printStackTrace(); 137 Assert.fail(xPathFactoryConfigurationException.toString()); 138 } catch (XPathFunctionException xPathFunctionException) { 139 // expected security exception 140 securityException = true; 141 xPathFunctionException.printStackTrace(System.out); 142 } catch (XPathExpressionException xPathExpressionException) { 143 xPathExpressionException.printStackTrace(); 144 Assert.fail(xPathExpressionException.toString()); 145 } 146 147 // expected Exception 148 if (!securityException) { 149 Assert.fail("XPath result (SECURE_PROCESSING == true) = \"" + xPathResult + "\""); 150 } 151 } 152 153 public class MyXPathFunctionResolver implements XPathFunctionResolver { 154 155 public XPathFunction resolveFunction(QName functionName, int arity) { 156 157 // not a real ewsolver, always return a default XPathFunction 158 return new MyXPathFunction(); 159 } 160 } 161 162 public class MyXPathFunction implements XPathFunction { 163 164 public Object evaluate(List list) throws XPathFunctionException { 165 166 return "Hello World"; 167 } 168 } 169 170 public class MyNamespaceContext implements NamespaceContext { 171 172 public String getNamespaceURI(String prefix) { 173 if (prefix == null) { 174 throw new IllegalArgumentException("The prefix cannot be null."); 175 } 176 177 if (prefix.equals("ext")) { 178 return "http://ext.com"; 179 } else { 180 return null; 181 } 182 } 183 184 public String getPrefix(String namespace) { 185 186 if (namespace == null) { 187 throw new IllegalArgumentException("The namespace uri cannot be null."); 188 } 189 190 if (namespace.equals("http://ext.com")) { 191 return "ext"; 192 } else { 193 return null; 194 } 195 } 196 197 public Iterator getPrefixes(String namespace) { 198 return null; 199 } 200 } 201 }