1 /*
   2  * Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.
   8  *
   9  * This code is distributed in the hope that it will be useful, but WITHOUT
  10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  12  * version 2 for more details (a copy is included in the LICENSE file that
  13  * accompanied this code).
  14  *
  15  * You should have received a copy of the GNU General Public License version
  16  * 2 along with this work; if not, write to the Free Software Foundation,
  17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  18  *
  19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  20  * or visit www.oracle.com if you need additional information or have any
  21  * questions.
  22  */
  23 
  24 package transform;
  25 
  26 import java.io.IOException;
  27 import java.io.InputStream;
  28 import java.io.StringWriter;
  29 
  30 import javax.xml.XMLConstants;
  31 import javax.xml.parsers.DocumentBuilder;
  32 import javax.xml.parsers.DocumentBuilderFactory;
  33 import javax.xml.parsers.ParserConfigurationException;
  34 import javax.xml.transform.Transformer;
  35 import javax.xml.transform.TransformerConfigurationException;
  36 import javax.xml.transform.TransformerException;
  37 import javax.xml.transform.TransformerFactory;
  38 import javax.xml.transform.stream.StreamResult;
  39 import javax.xml.transform.stream.StreamSource;
  40 
  41 import org.testng.Assert;
  42 import org.testng.annotations.Test;
  43 import org.w3c.dom.Document;
  44 import org.xml.sax.SAXException;
  45 
  46 /*
  47  * @summary Test XSLT shall report TransformerException for unsafe xsl when FEATURE_SECURE_PROCESSING is true.
  48  */
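public class SecureProcessingTest {
    /**
     * True when a SecurityManager is installed. In that case the JAXP secure
     * processing feature can not be switched off, so the non-secure half of the
     * test is skipped.
     */
    static boolean _isSecureMode = false;
    static {
        if (System.getSecurityManager() != null) {
            _isSecureMode = true;
            System.out.println("Security Manager is present");
        } else {
            System.out.println("Security Manager is NOT present");
        }
    }

    /** Class-path resource names: the stylesheet under test and the document it is applied to. */
    private static final String XSL_RESOURCE = "SecureProcessingTest.xsl";
    private static final String XML_RESOURCE = "SecureProcessingTest.xml";

    /**
     * Checks that {@link XMLConstants#FEATURE_SECURE_PROCESSING} is honored by the
     * XSLT processor: the shipped stylesheet transforms successfully with the
     * feature off, and the same transformation reports a
     * {@link TransformerException} with the feature on.
     *
     * <p>The non-secure run is skipped under a security manager, because the
     * feature can not be turned off there. In the secure run a
     * {@link TransformerConfigurationException} (a configuration problem, or the
     * stylesheet being rejected before the transformation starts) is treated as an
     * unexpected failure; only a plain {@code TransformerException} counts as the
     * expected rejection.
     *
     * <p>Fails the test (via {@link Assert#fail}) on any unexpected outcome; the
     * originating exception is kept as the cause so the report shows where the
     * transformation went wrong.
     */
    @Test
    public final void testSecureProcessing() {

        // SECURE_PROCESSING == false: expect success.
        // jaxp secure feature can not be turned off when a security manager is present,
        // so there is nothing to verify in that configuration.
        if (!_isSecureMode) {
            try {
                String xmlResult = transform(false);
                // expected success, and the result is ...
                System.out.println("Transformation result (SECURE_PROCESSING == false) = \"" + xmlResult + "\"");
            } catch (TransformerException ex) {
                // covers TransformerConfigurationException too; both are unexpected here
                Assert.fail(ex.toString(), ex);
            }
        }

        // now do same transformation but with SECURE_PROCESSING == true: expect Exception.
        String xmlResult;
        try {
            xmlResult = transform(true);
        } catch (TransformerConfigurationException ex) {
            // a configuration problem is not the rejection this test looks for
            Assert.fail(ex.toString(), ex);
            return; // not reached (Assert.fail throws); keeps xmlResult definitely assigned
        } catch (TransformerException ex) {
            // expected failure
            System.out.println("expected failure: " + ex.toString());
            ex.printStackTrace(System.out);
            return;
        }

        // unexpected success: the secure processor accepted the stylesheet
        System.err.println("Transformation result (SECURE_PROCESSING == true) = \"" + xmlResult + "\"");
        Assert.fail("SECURITY_PROCESSING == true, expected failure but got result: \"" + xmlResult + "\"");
    }

    /**
     * Applies {@value #XSL_RESOURCE} to {@value #XML_RESOURCE} with a freshly created
     * {@link TransformerFactory} whose secure processing feature is set to
     * {@code secure}, and returns the serialized result.
     *
     * <p>Both resource streams are closed before returning, whether or not the
     * transformation succeeded.
     *
     * @param secure value passed to {@link TransformerFactory#setFeature} for
     *               {@link XMLConstants#FEATURE_SECURE_PROCESSING}
     * @return the transformation output
     * @throws TransformerConfigurationException if the feature can not be set or the
     *         stylesheet can not be compiled
     * @throws TransformerException if the transformation itself fails
     */
    private String transform(boolean secure) throws TransformerException {
        InputStream xslStream = openResource(XSL_RESOURCE);
        try {
            InputStream xmlStream = openResource(XML_RESOURCE);
            try {
                StringWriter xmlResultString = new StringWriter();
                TransformerFactory transformerFactory = TransformerFactory.newInstance();
                // the feature must be set on the factory before the stylesheet is compiled
                transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secure);
                Transformer transformer = transformerFactory.newTransformer(new StreamSource(xslStream));
                transformer.transform(new StreamSource(xmlStream), new StreamResult(xmlResultString));
                return xmlResultString.toString();
            } finally {
                closeResource(xmlStream, XML_RESOURCE);
            }
        } finally {
            closeResource(xslStream, XSL_RESOURCE);
        }
    }

    /**
     * Opens a test resource from the class path.
     *
     * @param name resource name relative to this class
     * @return the opened stream, never {@code null}
     * @throws AssertionError if the resource is missing, instead of letting a
     *         {@code null} stream surface later as an unrelated transformer error
     */
    private InputStream openResource(String name) {
        InputStream in = this.getClass().getResourceAsStream(name);
        Assert.assertNotNull(in, "test resource not found on the class path: " + name);
        return in;
    }

    /**
     * Closes a resource stream. A close failure is reported on {@code System.err}
     * rather than thrown, so it can not mask an exception from the transformation.
     *
     * @param in   stream to close
     * @param name resource name, for the report
     */
    private static void closeResource(InputStream in, String name) {
        try {
            in.close();
        } catch (IOException ex) {
            System.err.println("failed to close test resource " + name + ": " + ex);
            ex.printStackTrace();
        }
    }
}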