1 /* 2 * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package com.sun.xml.internal.ws.util.xml; 27 28 import com.sun.istack.internal.Nullable; 29 import com.sun.xml.internal.ws.server.ServerRtException; 30 import com.sun.xml.internal.ws.util.ByteArrayBuffer; 31 import java.io.IOException; 32 import java.io.InputStream; 33 import java.io.OutputStreamWriter; 34 import java.io.Writer; 35 import java.lang.reflect.Method; 36 import java.net.URI; 37 import java.net.URL; 38 import java.security.AccessController; 39 import java.security.PrivilegedAction; 40 import java.util.ArrayList; 41 import java.util.Collections; 42 import java.util.Enumeration; 43 import java.util.Iterator; 44 import java.util.List; 45 import java.util.StringTokenizer; 46 import java.util.logging.Level; 47 import java.util.logging.Logger; 48 import java.util.stream.Collectors; 49 import javax.xml.XMLConstants; 50 import javax.xml.catalog.CatalogFeatures; 51 import javax.xml.catalog.CatalogFeatures.Feature; 52 import javax.xml.catalog.CatalogManager; 53 import javax.xml.namespace.QName; 54 import javax.xml.parsers.DocumentBuilderFactory; 55 import javax.xml.parsers.ParserConfigurationException; 56 import javax.xml.parsers.SAXParserFactory; 57 import javax.xml.stream.XMLInputFactory; 58 import javax.xml.transform.Result; 59 import javax.xml.transform.Source; 60 import javax.xml.transform.Transformer; 61 import javax.xml.transform.TransformerConfigurationException; 62 import javax.xml.transform.TransformerException; 63 import javax.xml.transform.TransformerFactory; 64 import javax.xml.transform.sax.SAXTransformerFactory; 65 import javax.xml.transform.sax.TransformerHandler; 66 import javax.xml.transform.stream.StreamSource; 67 import javax.xml.validation.SchemaFactory; 68 import javax.xml.ws.WebServiceException; 69 import javax.xml.xpath.XPathFactory; 70 import javax.xml.xpath.XPathFactoryConfigurationException; 71 import org.w3c.dom.Attr; 72 import org.w3c.dom.Element; 73 import org.w3c.dom.EntityReference; 74 import org.w3c.dom.Node; 75 import org.w3c.dom.NodeList; 76 import org.w3c.dom.Text; 77 import org.xml.sax.EntityResolver; 78 import org.xml.sax.ErrorHandler; 79 import org.xml.sax.InputSource; 80 import org.xml.sax.SAXException; 81 import org.xml.sax.SAXParseException; 82 import org.xml.sax.XMLReader; 83 84 /** 85 * @author WS Development Team 86 */ 87 public class XmlUtil { 88 89 // not in older JDK, so must be duplicated here, otherwise javax.xml.XMLConstants should be used 90 private static final String ACCESS_EXTERNAL_SCHEMA = "http://javax.xml.XMLConstants/property/accessExternalSchema"; 91 92 private final static String LEXICAL_HANDLER_PROPERTY = 93 "http://xml.org/sax/properties/lexical-handler"; 94 95 private static final Logger LOGGER = Logger.getLogger(XmlUtil.class.getName()); 96 97 private static final String DISABLE_XML_SECURITY = "com.sun.xml.internal.ws.disableXmlSecurity"; 98 99 private static boolean XML_SECURITY_DISABLED = AccessController.doPrivileged( 100 new PrivilegedAction<Boolean>() { 101 @Override 102 public Boolean run() { 103 return Boolean.getBoolean(DISABLE_XML_SECURITY); 104 } 105 } 106 ); 107 108 public static String getPrefix(String s) { 109 int i = s.indexOf(':'); 110 if (i == -1) 111 return null; 112 return s.substring(0, i); 113 } 114 115 public static String getLocalPart(String s) { 116 int i = s.indexOf(':'); 117 if (i == -1) 118 return s; 119 return s.substring(i + 1); 120 } 121 122 123 124 public static String getAttributeOrNull(Element e, String name) { 125 Attr a = e.getAttributeNode(name); 126 if (a == null) 127 return null; 128 return a.getValue(); 129 } 130 131 public static String getAttributeNSOrNull( 132 Element e, 133 String name, 134 String nsURI) { 135 Attr a = e.getAttributeNodeNS(nsURI, name); 136 if (a == null) 137 return null; 138 return a.getValue(); 139 } 140 141 public static String getAttributeNSOrNull( 142 Element e, 143 QName name) { 144 Attr a = e.getAttributeNodeNS(name.getNamespaceURI(), name.getLocalPart()); 145 if (a == null) 146 return null; 147 return a.getValue(); 148 } 149 150 /* public static boolean matchesTagNS(Element e, String tag, String nsURI) { 151 try { 152 return e.getLocalName().equals(tag) 153 && e.getNamespaceURI().equals(nsURI); 154 } catch (NullPointerException npe) { 155 156 // localname not null since parsing would fail before here 157 throw new WSDLParseException( 158 "null.namespace.found", 159 e.getLocalName()); 160 } 161 } 162 163 public static boolean matchesTagNS( 164 Element e, 165 javax.xml.namespace.QName name) { 166 try { 167 return e.getLocalName().equals(name.getLocalPart()) 168 && e.getNamespaceURI().equals(name.getNamespaceURI()); 169 } catch (NullPointerException npe) { 170 171 // localname not null since parsing would fail before here 172 throw new WSDLParseException( 173 "null.namespace.found", 174 e.getLocalName()); 175 } 176 }*/ 177 178 public static Iterator getAllChildren(Element element) { 179 return new NodeListIterator(element.getChildNodes()); 180 } 181 182 public static Iterator getAllAttributes(Element element) { 183 return new NamedNodeMapIterator(element.getAttributes()); 184 } 185 186 public static List<String> parseTokenList(String tokenList) { 187 List<String> result = new ArrayList<String>(); 188 StringTokenizer tokenizer = new StringTokenizer(tokenList, " "); 189 while (tokenizer.hasMoreTokens()) { 190 result.add(tokenizer.nextToken()); 191 } 192 return result; 193 } 194 195 public static String getTextForNode(Node node) { 196 StringBuilder sb = new StringBuilder(); 197 198 NodeList children = node.getChildNodes(); 199 if (children.getLength() == 0) 200 return null; 201 202 for (int i = 0; i < children.getLength(); ++i) { 203 Node n = children.item(i); 204 205 if (n instanceof Text) 206 sb.append(n.getNodeValue()); 207 else if (n instanceof EntityReference) { 208 String s = getTextForNode(n); 209 if (s == null) 210 return null; 211 else 212 sb.append(s); 213 } else 214 return null; 215 } 216 217 return sb.toString(); 218 } 219 220 public static InputStream getUTF8Stream(String s) { 221 try { 222 ByteArrayBuffer bab = new ByteArrayBuffer(); 223 Writer w = new OutputStreamWriter(bab, "utf-8"); 224 w.write(s); 225 w.close(); 226 return bab.newInputStream(); 227 } catch (IOException e) { 228 throw new RuntimeException("should not happen"); 229 } 230 } 231 232 static final ContextClassloaderLocal<TransformerFactory> transformerFactory = new ContextClassloaderLocal<TransformerFactory>() { 233 @Override 234 protected TransformerFactory initialValue() throws Exception { 235 return TransformerFactory.newInstance(); 236 } 237 }; 238 239 static final ContextClassloaderLocal<SAXParserFactory> saxParserFactory = new ContextClassloaderLocal<SAXParserFactory>() { 240 @Override 241 protected SAXParserFactory initialValue() throws Exception { 242 SAXParserFactory factory = newSAXParserFactory(true); 243 factory.setNamespaceAware(true); 244 return factory; 245 } 246 }; 247 248 /** 249 * Creates a new identity transformer. 250 */ 251 public static Transformer newTransformer() { 252 try { 253 return transformerFactory.get().newTransformer(); 254 } catch (TransformerConfigurationException tex) { 255 throw new IllegalStateException("Unable to create a JAXP transformer"); 256 } 257 } 258 259 /** 260 * Performs identity transformation. 261 */ 262 public static <T extends Result> 263 T identityTransform(Source src, T result) throws TransformerException, SAXException, ParserConfigurationException, IOException { 264 if (src instanceof StreamSource) { 265 // work around a bug in JAXP in JDK6u4 and earlier where the namespace processing 266 // is not turned on by default 267 StreamSource ssrc = (StreamSource) src; 268 TransformerHandler th = ((SAXTransformerFactory) transformerFactory.get()).newTransformerHandler(); 269 th.setResult(result); 270 XMLReader reader = saxParserFactory.get().newSAXParser().getXMLReader(); 271 reader.setContentHandler(th); 272 reader.setProperty(LEXICAL_HANDLER_PROPERTY, th); 273 reader.parse(toInputSource(ssrc)); 274 } else { 275 newTransformer().transform(src, result); 276 } 277 return result; 278 } 279 280 private static InputSource toInputSource(StreamSource src) { 281 InputSource is = new InputSource(); 282 is.setByteStream(src.getInputStream()); 283 is.setCharacterStream(src.getReader()); 284 is.setPublicId(src.getPublicId()); 285 is.setSystemId(src.getSystemId()); 286 return is; 287 } 288 289 /* 290 * Gets an EntityResolver using XML catalog 291 */ 292 public static EntityResolver createEntityResolver(@Nullable URL catalogUrl) { 293 ArrayList<URL> urlsArray = new ArrayList<URL>(); 294 EntityResolver er; 295 if (catalogUrl != null) { 296 urlsArray.add(catalogUrl); 297 } 298 try { 299 er = createCatalogResolver(urlsArray); 300 } catch (Exception e) { 301 throw new ServerRtException("server.rt.err",e); 302 } 303 return er; 304 } 305 306 /** 307 * Gets a default EntityResolver for catalog at META-INF/jaxws-catalog.xml 308 */ 309 public static EntityResolver createDefaultCatalogResolver() { 310 EntityResolver er; 311 try { 312 /** 313 * Gets a URLs for catalog defined at META-INF/jaxws-catalog.xml 314 */ 315 ClassLoader cl = Thread.currentThread().getContextClassLoader(); 316 Enumeration<URL> catalogEnum; 317 if (cl == null) { 318 catalogEnum = ClassLoader.getSystemResources("META-INF/jax-ws-catalog.xml"); 319 } else { 320 catalogEnum = cl.getResources("META-INF/jax-ws-catalog.xml"); 321 } 322 er = createCatalogResolver(Collections.list(catalogEnum)); 323 } catch (Exception e) { 324 throw new WebServiceException(e); 325 } 326 327 return er; 328 } 329 330 /** 331 * Instantiate catalog resolver using new catalog API (javax.xml.catalog.*) 332 * added in JDK9. Usage of new API removes dependency on internal API 333 * (com.sun.org.apache.xml.internal) for modular runtime. 334 */ 335 private static EntityResolver createCatalogResolver(ArrayList<URL> urls) throws Exception { 336 // Prepare array of catalog URIs 337 URI[] uris = urls.stream() 338 .map(u -> URI.create(u.toExternalForm())) 339 .toArray(URI[]::new); 340 341 //Create CatalogResolver with new JDK9+ API 342 return (EntityResolver) CatalogManager.catalogResolver(catalogFeatures, uris); 343 } 344 345 // Cache CatalogFeatures instance for future usages. 346 // Resolve feature is set to "continue" value for backward compatibility. 347 private static CatalogFeatures catalogFeatures = CatalogFeatures.builder() 348 .with(Feature.RESOLVE, "continue") 349 .build(); 350 351 /** 352 * {@link ErrorHandler} that always treat the error as fatal. 353 */ 354 public static final ErrorHandler DRACONIAN_ERROR_HANDLER = new ErrorHandler() { 355 @Override 356 public void warning(SAXParseException exception) { 357 } 358 359 @Override 360 public void error(SAXParseException exception) throws SAXException { 361 throw exception; 362 } 363 364 @Override 365 public void fatalError(SAXParseException exception) throws SAXException { 366 throw exception; 367 } 368 }; 369 370 public static DocumentBuilderFactory newDocumentBuilderFactory(boolean disableSecurity) { 371 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); 372 try { 373 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !xmlSecurityDisabled(disableSecurity)); 374 } catch (ParserConfigurationException e) { 375 LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[] { factory.getClass().getName() } ); 376 } 377 return factory; 378 } 379 380 public static TransformerFactory newTransformerFactory(boolean disableSecurity) { 381 TransformerFactory factory = TransformerFactory.newInstance(); 382 try { 383 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !xmlSecurityDisabled(disableSecurity)); 384 } catch (TransformerConfigurationException e) { 385 LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[]{factory.getClass().getName()}); 386 } 387 return factory; 388 } 389 390 public static SAXParserFactory newSAXParserFactory(boolean disableSecurity) { 391 SAXParserFactory factory = SAXParserFactory.newInstance(); 392 try { 393 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !xmlSecurityDisabled(disableSecurity)); 394 } catch (Exception e) { 395 LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[]{factory.getClass().getName()}); 396 } 397 return factory; 398 } 399 400 public static XPathFactory newXPathFactory(boolean disableSecurity) { 401 XPathFactory factory = XPathFactory.newInstance(); 402 try { 403 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !xmlSecurityDisabled(disableSecurity)); 404 } catch (XPathFactoryConfigurationException e) { 405 LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[] { factory.getClass().getName() } ); 406 } 407 return factory; 408 } 409 410 public static XMLInputFactory newXMLInputFactory(boolean disableSecurity) { 411 XMLInputFactory factory = XMLInputFactory.newInstance(); 412 if (xmlSecurityDisabled(disableSecurity)) { 413 // TODO-Miran: are those apppropriate defaults? 414 factory.setProperty(XMLInputFactory.SUPPORT_DTD, false); 415 factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); 416 } 417 return factory; 418 } 419 420 private static boolean xmlSecurityDisabled(boolean runtimeDisabled) { 421 return XML_SECURITY_DISABLED || runtimeDisabled; 422 } 423 424 public static SchemaFactory allowExternalAccess(SchemaFactory sf, String value, boolean disableSecurity) { 425 426 // if xml security (feature secure processing) disabled, nothing to do, no restrictions applied 427 if (xmlSecurityDisabled(disableSecurity)) { 428 if (LOGGER.isLoggable(Level.FINE)) { 429 LOGGER.log(Level.FINE, "Xml Security disabled, no JAXP xsd external access configuration necessary."); 430 } 431 return sf; 432 } 433 434 if (System.getProperty("javax.xml.accessExternalSchema") != null) { 435 if (LOGGER.isLoggable(Level.FINE)) { 436 LOGGER.log(Level.FINE, "Detected explicitly JAXP configuration, no JAXP xsd external access configuration necessary."); 437 } 438 return sf; 439 } 440 441 try { 442 sf.setProperty(ACCESS_EXTERNAL_SCHEMA, value); 443 if (LOGGER.isLoggable(Level.FINE)) { 444 LOGGER.log(Level.FINE, "Property \"{0}\" is supported and has been successfully set by used JAXP implementation.", new Object[]{ACCESS_EXTERNAL_SCHEMA}); 445 } 446 } catch (SAXException ignored) { 447 // nothing to do; support depends on version JDK or SAX implementation 448 if (LOGGER.isLoggable(Level.CONFIG)) { 449 LOGGER.log(Level.CONFIG, "Property \"{0}\" is not supported by used JAXP implementation.", new Object[]{ACCESS_EXTERNAL_SCHEMA}); 450 } 451 } 452 return sf; 453 } 454 455 }