src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java


        

@@ -35,10 +35,13 @@
 import com.sun.org.apache.xerces.internal.impl.validation.ValidationManager;
 import com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator;
 import com.sun.org.apache.xerces.internal.jaxp.validation.XSGrammarPoolContainer;
 import com.sun.org.apache.xerces.internal.parsers.DOMParser;
 import com.sun.org.apache.xerces.internal.util.SecurityManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager.Property;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager.State;
 import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLDocumentSource;

@@ -95,16 +98,21 @@
 
     /** Property identifier: security manager. */
     private static final String SECURITY_MANAGER =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
 
+    /** Property identifier: Security property manager. */
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
+
     /** property identifier: access external dtd. */
     public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
 
     /** Property identifier: access to external schema */
     public static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
 
+
     private final DOMParser domParser;
     private final Schema grammar;
 
     private final XMLComponent fSchemaValidator;
     private final XMLComponentManager fSchemaValidatorComponentManager;

@@ -115,10 +123,12 @@
     private final ErrorHandler fInitErrorHandler;
 
     /** Initial EntityResolver */
     private final EntityResolver fInitEntityResolver;
 
+    private XMLSecurityPropertyManager fSecurityPropertyMgr;
+
     DocumentBuilderImpl(DocumentBuilderFactoryImpl dbf, Hashtable dbfAttrs, Hashtable features)
         throws SAXNotRecognizedException, SAXNotSupportedException {
         this(dbf, dbfAttrs, features, false);
     }
 
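Review bot: `fSecurityPropertyMgr` is declared without `final` and without a doc comment, unlike the fields around it. The only assignment visible on this page is in the constructor, so if that holds for the rest of the class, `private final XMLSecurityPropertyManager fSecurityPropertyMgr;` would prevent the reference from being replaced after it has been handed to the parser. A short comment in the style of its neighbours, e.g. `/** Security property manager shared with the DOMParser */`, would also help.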

@@ -158,27 +168,31 @@
         // does not support XInclude.
         if (dbf.isXIncludeAware()) {
             domParser.setFeature(XINCLUDE_FEATURE, true);
         }
 
+        fSecurityPropertyMgr = new XMLSecurityPropertyManager();
+        domParser.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
+
         // If the secure processing feature is on set a security manager.
         if (secureProcessing) {
             domParser.setProperty(SECURITY_MANAGER, new SecurityManager());
 
             /**
-             * By default, secure processing is set, no external access is allowed.
-             * However, we need to check if it is actively set on the factory since we
-             * allow the use of the System Property or jaxp.properties to override
-             * the default value
+             * If secure processing is explicitly set on the factory, the
+             * access properties will be set unless the corresponding 
+             * System Properties or jaxp.properties are set
              */
             if (features != null) {
                 Object temp = features.get(XMLConstants.FEATURE_SECURE_PROCESSING);
                 if (temp != null) {
                     boolean value = ((Boolean) temp).booleanValue();
-                    if (value) {
-                        domParser.setProperty(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
-                        domParser.setProperty(ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                    if (value && Constants.IS_JDK8_OR_ABOVE) {
+                        fSecurityPropertyMgr.setValue(Property.ACCESS_EXTERNAL_DTD, 
+                                State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                        fSecurityPropertyMgr.setValue(Property.ACCESS_EXTERNAL_SCHEMA, 
+                                State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
                     }
                 }
             }
         }
 
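Review bot: The `value && Constants.IS_JDK8_OR_ABOVE` condition means that where IS_JDK8_OR_ABOVE is false, explicitly enabling FEATURE_SECURE_PROCESSING no longer applies EXTERNAL_ACCESS_DEFAULT_FSP to external DTD and schema access, and the rewritten comment above it does not say so. I would add a sentence to that comment, e.g. `On releases before JDK 8 the access properties keep their defaults even when FSP is set explicitly.` Precedence over System Properties and jaxp.properties is now decided inside `XMLSecurityPropertyManager.setValue` for `State.FSP`, which is not visible here, so it is worth confirming that it skips the write when a higher-precedence state is already recorded. The comment is also a `/** */` block inside a method body, where a plain `/* */` or `//` comment is the usual form. The constructor starts and ends outside the hunk.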

@@ -218,11 +232,11 @@
             fSchemaValidatorComponentManager = null;
             fSchemaValidator = null;
             setFeatures(features);
         }
 
-        // Set attributes
+        //setAttribute override those that may be set by other means
         setDocumentBuilderFactoryAttributes(dbfAttrs);
 
         // Initial EntityResolver
         fInitEntityResolver = domParser.getEntityResolver();
     }
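Review bot: The new comment `//setAttribute override those that may be set by other means` is hard to parse and does not say which settings are meant. Wording such as `// Apply factory attributes after the features so they override values set by other means` states the ordering that the call position after `setFeatures(features)` gives. Since this ordering presumably decides whether an attribute can relax a restriction set by secure processing, it deserves to be spelled out.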

@@ -287,14 +301,20 @@
                                 "jaxp-order-not-supported",
                                 new Object[] {JAXP_SCHEMA_LANGUAGE, JAXP_SCHEMA_SOURCE}));
                                                 }
                                         }
                 } else {
+                    int index = fSecurityPropertyMgr.getIndex(name);
+                    if (index > -1) {
+                        fSecurityPropertyMgr.setValue(index, 
+                                XMLSecurityPropertyManager.State.APIPROPERTY, (String)val);                    
+                    } else {
                     // Let Xerces code handle the property
                     domParser.setProperty(name, val);
                                 }
                         }
+             }
                 }
         }
 
     /**
      * Non-preferred: use the getDOMImplementation() method instead of this
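Review bot: The `(String)val` cast in the new branch throws ClassCastException when a caller passes a non-String value for a property that `fSecurityPropertyMgr.getIndex(name)` recognises. Before this change the value went to `domParser.setProperty(name, val)` unchanged. Since attribute values arrive as Object, check the type first, e.g. `if (index > -1 && val instanceof String) {`, so other types fall through to the parser as before, or reject them with an explicit exception that names the attribute. The added lines also leave the existing `domParser.setProperty(name, val);` at its old indent inside the new else, which makes the nesting hard to follow. The enclosing method starts outside the hunk.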