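/*
 * Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package transform;

import java.io.IOException;
import java.io.InputStream;
import java.io.StringWriter;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

import org.testng.Assert;
import org.testng.annotations.Test;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/*
 * @summary Test XSLT shall report TransformerException for unsafe xsl when FEATURE_SECURE_PROCESSING is true.
 */
public class SecureProcessingTest {

    /** Stylesheet that secure processing is expected to reject. */
    private static final String XSL_RESOURCE = "SecureProcessingTest.xsl";

    /** Input document fed to the stylesheet. */
    private static final String XML_RESOURCE = "SecureProcessingTest.xml";

    // True when a security manager is installed. With a security manager present the
    // JAXP secure-processing feature cannot be switched off, so the non-secure pass is skipped.
    static boolean _isSecureMode = false;
    static {
        _isSecureMode = System.getSecurityManager() != null;
        System.out.println(_isSecureMode ? "Security Manager is present" : "Security Manager is NOT present");
    }

    /**
     * Runs the same transformation twice: first with FEATURE_SECURE_PROCESSING off
     * (must succeed, skipped under a security manager), then with it on (the
     * transformation itself must be rejected with a TransformerException).
     */
    @Test
    public final void testSecureProcessing() {

        // Pass 1: SECURE_PROCESSING == false, expect success.
        if (!_isSecureMode) {
            try {
                String xmlResult = transform(false);
                System.out.println("Transformation result (SECURE_PROCESSING == false) = \"" + xmlResult + "\"");
            } catch (TransformerException ex) {
                // Also covers TransformerConfigurationException: any failure here is unexpected.
                ex.printStackTrace();
                Assert.fail(ex.toString());
            }
        }

        // Pass 2: SECURE_PROCESSING == true, expect the transformation to be rejected.
        String xmlResult = null;
        try {
            xmlResult = transform(true);
        } catch (TransformerConfigurationException ex) {
            // A failure while setting the feature or compiling the stylesheet is not the
            // rejection this test is checking for, so it is reported as an error.
            ex.printStackTrace();
            Assert.fail(ex.toString());
        } catch (TransformerException ex) {
            // expected failure
            System.out.println("expected failure: " + ex.toString());
            ex.printStackTrace(System.out);
            return;
        }

        // unexpected success: the unsafe stylesheet ran under secure processing
        System.err.println("Transformation result (SECURE_PROCESSING == true) = \"" + xmlResult + "\"");
        Assert.fail("SECURE_PROCESSING == true, expected failure but got result: \"" + xmlResult + "\"");
    }

    /**
     * Applies the test stylesheet to the test document with the given value of
     * {@link XMLConstants#FEATURE_SECURE_PROCESSING} and returns the serialized output.
     *
     * @param secureProcessing value handed to {@code TransformerFactory.setFeature}
     * @return the transformation result
     * @throws TransformerConfigurationException if the feature cannot be set or the
     *         stylesheet cannot be compiled
     * @throws TransformerException if the transformation itself is rejected
     * @throws AssertionError if a test resource is missing or cannot be closed
     */
    private String transform(boolean secureProcessing) throws TransformerException {
        // Both streams are closed on every exit path; the original left them open.
        try (InputStream xslStream = openResource(XSL_RESOURCE);
             InputStream xmlStream = openResource(XML_RESOURCE)) {
            StreamSource xslSource = new StreamSource(xslStream);
            StreamSource xmlSource = new StreamSource(xmlStream);
            StringWriter xmlResultString = new StringWriter();
            StreamResult xmlResultStream = new StreamResult(xmlResultString);

            TransformerFactory transformerFactory = TransformerFactory.newInstance();
            transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secureProcessing);
            Transformer transformer = transformerFactory.newTransformer(xslSource);
            transformer.transform(xmlSource, xmlResultStream);
            return xmlResultString.toString();
        } catch (IOException ex) {
            // Only the implicit close() can throw here; that is a harness problem, not a verdict.
            throw new AssertionError("could not close test resources", ex);
        }
    }

    /**
     * Opens a classpath resource located next to this class.
     *
     * A missing resource is reported here with a clear message. Left unchecked, the
     * null stream would surface later as a TransformerException, which in the secure
     * pass would be mistaken for the expected rejection and let the test pass vacuously.
     *
     * @param name resource name relative to this class
     * @return the opened stream, never null
     */
    private InputStream openResource(String name) {
        InputStream stream = getClass().getResourceAsStream(name);
        Assert.assertNotNull(stream, "test resource not found: " + name);
        return stream;
    }
}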