63
64 //System Properties corresponding to ACCESS_EXTERNAL_* properties
65 public static final String SP_ACCESS_EXTERNAL_STYLESHEET = "javax.xml.accessExternalStylesheet";
66 public static final String SP_ACCESS_EXTERNAL_DTD = "javax.xml.accessExternalDTD";
67
68
69 //all access keyword
70 public static final String ACCESS_EXTERNAL_ALL = "all";
71
72 /**
73 * Default value when FEATURE_SECURE_PROCESSING (FSP) is set to true
74 */
75 public static final String EXTERNAL_ACCESS_DEFAULT_FSP = "";
76 /**
77 * JDK version by which the default is to restrict external connection
78 */
79 public static final int RESTRICT_BY_DEFAULT_JDK_VERSION = 8;
80 /**
81 * FEATURE_SECURE_PROCESSING (FSP) is false by default
82 */
83 public static final String EXTERNAL_ACCESS_DEFAULT = getExternalAccessDefault(false);
84
85 /**
86 * Determine the default value of the external access properties
87 *
88 * jaxp 1.5 does not require implementations to restrict by default
89 *
90 * For JDK8:
91 * The default value is 'file' (including jar:file); The keyword "all" grants permission
92 * to all protocols. When {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING} is on,
93 * the default value is an empty string indicating no access is allowed.
94 *
95 * For JDK7:
96 * The default value is 'all' granting permission to all protocols. If by default,
97 * {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING} is true, it should
98 * not change the default value. However, if {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING}
99 * is set explicitly, the values of the properties shall be set to an empty string
100 * indicating no access is allowed.
101 *
102 * @param isSecureProcessing indicating if Secure Processing is set
103 * @return default value
104 */
105 public static String getExternalAccessDefault(boolean isSecureProcessing) {
106 String defaultValue = "all";
107 if (isJDKandAbove(RESTRICT_BY_DEFAULT_JDK_VERSION)) {
108 defaultValue = "file";
109 if (isSecureProcessing) {
110 defaultValue = EXTERNAL_ACCESS_DEFAULT_FSP;
111 }
112 }
113 return defaultValue;
114 }
115
116 /*
117 * Check the version of the current JDK against that specified in the
118 * parameter
119 *
120 * There is a proposal to change the java version string to:
121 * MAJOR.MINOR.FU.CPU.PSU-BUILDNUMBER_BUGIDNUMBER_OPTIONAL
122 * This method would work with both the current format and that proposed
123 *
124 * @param compareTo a JDK version to be compared to
125 * @return true if the current version is the same or above that represented
126 * by the parameter
127 */
128 public static boolean isJDKandAbove(int compareTo) {
129 String javaVersion = SecuritySupport.getSystemProperty("java.version");
130 String versions[] = javaVersion.split("\\.", 3);
131 if (Integer.parseInt(versions[0]) >= compareTo ||
132 Integer.parseInt(versions[1]) >= compareTo) {
133 return true;
134 }
135 return false;
136 }
137
138 } // class Constants
|
63
64 //System Properties corresponding to ACCESS_EXTERNAL_* properties
65 public static final String SP_ACCESS_EXTERNAL_STYLESHEET = "javax.xml.accessExternalStylesheet";
66 public static final String SP_ACCESS_EXTERNAL_DTD = "javax.xml.accessExternalDTD";
67
68
69 //all access keyword
70 public static final String ACCESS_EXTERNAL_ALL = "all";
71
72 /**
73 * Default value when FEATURE_SECURE_PROCESSING (FSP) is set to true
74 */
75 public static final String EXTERNAL_ACCESS_DEFAULT_FSP = "";
76 /**
77 * JDK version by which the default is to restrict external connection
78 */
79 public static final int RESTRICT_BY_DEFAULT_JDK_VERSION = 8;
80 /**
81 * FEATURE_SECURE_PROCESSING (FSP) is false by default
82 */
83 public static final String EXTERNAL_ACCESS_DEFAULT = ACCESS_EXTERNAL_ALL;
84
85 } // class Constants
|