1 /*
   2  * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.
   8  *
   9  * This code is distributed in the hope that it will be useful, but WITHOUT
  10  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  11  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  12  * version 2 for more details (a copy is included in the LICENSE file that
  13  * accompanied this code).
  14  *
  15  * You should have received a copy of the GNU General Public License version
  16  * 2 along with this work; if not, write to the Free Software Foundation,
  17  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  18  *
  19  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  20  * or visit www.oracle.com if you need additional information or have any
  21  * questions.
  22  */
  23 
  24 package transform;
  25 
import java.io.IOException;
import java.io.InputStream;
import java.io.StringWriter;

import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

import org.testng.Assert;
import org.testng.annotations.Listeners;
import org.testng.annotations.Test;
  39 
  40 /*
  41  * @test
  42  * @library /javax/xml/jaxp/libs /javax/xml/jaxp/unittest
  43  * @run testng/othervm -DrunSecMngr=true transform.SecureProcessingTest
  44  * @run testng/othervm transform.SecureProcessingTest
 * @summary Test that XSLT reports a TransformerException for an unsafe xsl when FEATURE_SECURE_PROCESSING is true.
  46  */
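@Listeners({jaxp.library.FilePolicy.class})
public class SecureProcessingTest {
    /** Stylesheet the secure transformer is expected to reject. */
    private static final String XSL_RESOURCE = "SecureProcessingTest.xsl";
    /** Input document fed through the stylesheet. */
    private static final String XML_RESOURCE = "SecureProcessingTest.xml";

    /**
     * Runs the same transformation twice: once with
     * {@code XMLConstants.FEATURE_SECURE_PROCESSING} off, which must succeed,
     * and once with it on, which must fail with a {@link TransformerException}.
     * The non-secure leg is skipped when a security manager is installed,
     * because the feature cannot be turned off in that configuration.
     */
    @Test
    public void testSecureProcessing() {
        boolean isSecureMode = System.getSecurityManager() != null;

        // transform with a non-secure Transformer: expect success
        if (!isSecureMode) { // jaxp secure feature can not be turned off when
                             // security manager is present
            try {
                String xmlResult = transform(false);
                System.out.println("Transformation result (SECURE_PROCESSING == false) = \"" + xmlResult + "\"");
            } catch (TransformerException ex) {
                // TransformerConfigurationException extends TransformerException; both are
                // failures on this leg, so a single catch covers them
                ex.printStackTrace();
                Assert.fail(ex.toString());
            }
        }

        // now do same transformation but with SECURE_PROCESSING == true: expect Exception
        String xmlResult = null;
        boolean exceptionCaught = false;
        try {
            xmlResult = transform(true);
        } catch (TransformerConfigurationException ex) {
            // NOTE(review): a stylesheet rejected already at newTransformer() time surfaces
            // here and fails the test; this leg only treats a transform()-time
            // TransformerException as the expected rejection — confirm for the xsl used
            ex.printStackTrace();
            Assert.fail(ex.toString());
        } catch (TransformerException ex) {
            // expected failure
            System.out.println("expected failure: " + ex.toString());
            ex.printStackTrace(System.out);
            exceptionCaught = true;
        }

        // unexpected success? Secure processing silently producing output is the
        // condition this test exists to catch, so report the output and fail.
        if (!exceptionCaught) {
            System.err.println("Transformation result (SECURE_PROCESSING == true) = \"" + xmlResult + "\"");
            Assert.fail("SECURE_PROCESSING == true, expected failure but got result: \"" + xmlResult + "\"");
        }
    }

    /**
     * Transforms the XML test resource with the XSL test resource using a fresh
     * {@link TransformerFactory}.
     *
     * @param secureProcessing value set for {@code XMLConstants.FEATURE_SECURE_PROCESSING}
     * @return the transformation output
     * @throws TransformerConfigurationException if the feature cannot be set or the
     *         stylesheet cannot be compiled
     * @throws TransformerException if the transformation itself fails (the expected
     *         outcome when {@code secureProcessing} is {@code true})
     */
    private String transform(boolean secureProcessing) throws TransformerException {
        // try-with-resources: the resource streams were previously never closed
        try (InputStream xslStream = openResource(XSL_RESOURCE);
             InputStream xmlStream = openResource(XML_RESOURCE)) {
            StringWriter output = new StringWriter();
            TransformerFactory factory = TransformerFactory.newInstance();
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secureProcessing);
            Transformer transformer = factory.newTransformer(new StreamSource(xslStream));
            transformer.transform(new StreamSource(xmlStream), new StreamResult(output));
            return output.toString();
        } catch (IOException ex) {
            // only close() can throw this; it is a harness problem, not a transform outcome,
            // so it must not be mistaken for the expected TransformerException
            throw new AssertionError("failed to close test resources", ex);
        }
    }

    /**
     * Opens a classpath resource located next to this class.
     *
     * @param name resource name relative to this class
     * @return the open stream; the caller closes it
     * @throws AssertionError (via TestNG) if the resource is missing, instead of
     *         letting a null stream produce a confusing parser error later
     */
    private InputStream openResource(String name) {
        InputStream in = getClass().getResourceAsStream(name);
        Assert.assertNotNull(in, "test resource not found: " + name);
        return in;
    }
}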
 138