1 /*
2 * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation.
8 *
9 * This code is distributed in the hope that it will be useful, but WITHOUT
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * version 2 for more details (a copy is included in the LICENSE file that
13 * accompanied this code).
14 *
15 * You should have received a copy of the GNU General Public License version
16 * 2 along with this work; if not, write to the Free Software Foundation,
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18 *
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
20 * or visit www.oracle.com if you need additional information or have any
21 * questions.
22 */
23
24 package xpath;
25
26 import java.io.IOException;
27 import java.io.InputStream;
28 import java.util.Iterator;
29 import java.util.List;
30
31 import javax.xml.XMLConstants;
32 import javax.xml.namespace.NamespaceContext;
33 import javax.xml.namespace.QName;
34 import javax.xml.parsers.DocumentBuilder;
35 import javax.xml.parsers.DocumentBuilderFactory;
36 import javax.xml.parsers.ParserConfigurationException;
37 import javax.xml.xpath.XPath;
38 import javax.xml.xpath.XPathExpressionException;
39 import javax.xml.xpath.XPathFactory;
40 import javax.xml.xpath.XPathFactoryConfigurationException;
41 import javax.xml.xpath.XPathFunction;
42 import javax.xml.xpath.XPathFunctionException;
43 import javax.xml.xpath.XPathFunctionResolver;
44
45 import org.testng.Assert;
46 import org.testng.annotations.Listeners;
47 import org.testng.annotations.Test;
48 import org.w3c.dom.Document;
49 import org.xml.sax.SAXException;
50
51 /*
52 * @test
53 * @library /javax/xml/jaxp/libs /javax/xml/jaxp/unittest
54 * @run testng/othervm -DrunSecMngr=true xpath.SecureProcessingTest
55 * @run testng/othervm xpath.SecureProcessingTest
56 * @summary Test when FEATURE_SECURE_PROCESSING is true, calling an external function will cause XPathFunctionException.
57 */
58 @Test
59 @Listeners({jaxp.library.FilePolicy.class})
60 public class SecureProcessingTest {
61 public final void testSecureProcessing() {
62 boolean _isSecureMode = System.getSecurityManager() != null;
63
64 final String XPATH_EXPRESSION = "ext:helloWorld()";
65
66 // the xml source
67 InputStream xmlStream = this.getClass().getResourceAsStream("SecureProcessingTest.xml");
68
69 DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
70 DocumentBuilder documentBuilder = null;
71 Document document = null;
72
73 try {
74 documentBuilder = documentBuilderFactory.newDocumentBuilder();
75 document = documentBuilder.parse(xmlStream);
76 } catch (ParserConfigurationException parserConfigurationException) {
77 parserConfigurationException.printStackTrace();
78 Assert.fail(parserConfigurationException.toString());
79 } catch (SAXException saxException) {
80 saxException.printStackTrace();
81 Assert.fail(saxException.toString());
82 } catch (IOException ioException) {
83 ioException.printStackTrace();
84 Assert.fail(ioException.toString());
85 }
86
87 // the XPath
88 XPathFactory xPathFactory = null;
89 XPath xPath = null;
90 String xPathResult = null;
91
92 // SECURE_PROCESSING == false
93 // evaluate an expression with a user defined function with a non-secure
94 // XPath
95 // expect success
96 if (!_isSecureMode) { // jaxp secure feature can not be turned off when
97 // security manager is present
98 try {
99 xPathFactory = xPathFactory.newInstance();
100 xPathFactory.setXPathFunctionResolver(new MyXPathFunctionResolver());
101 xPathFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false);
102
103 xPath = xPathFactory.newXPath();
104 xPath.setNamespaceContext(new MyNamespaceContext());
105
106 xPathResult = xPath.evaluate(XPATH_EXPRESSION, document);
107 } catch (XPathFactoryConfigurationException xPathFactoryConfigurationException) {
108 xPathFactoryConfigurationException.printStackTrace();
109 Assert.fail(xPathFactoryConfigurationException.toString());
110 } catch (XPathExpressionException xPathExpressionException) {
111 xPathExpressionException.printStackTrace();
112 Assert.fail(xPathExpressionException.toString());
113 }
114
115 // expected success
116 System.out.println("XPath result (SECURE_PROCESSING == false) = \"" + xPathResult + "\"");
117 }
118 // now try with SECURE_PROCESSING == true
119 // evaluate an expression with a user defined function with a secure
120 // XPath
121 // expect Exception
122 boolean securityException = false;
123 try {
124 xPathFactory = xPathFactory.newInstance();
125 xPathFactory.setXPathFunctionResolver(new MyXPathFunctionResolver());
126 xPathFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
127
128 xPath = xPathFactory.newXPath();
129 xPath.setNamespaceContext(new MyNamespaceContext());
130
131 xPathResult = xPath.evaluate(XPATH_EXPRESSION, document);
132 } catch (XPathFactoryConfigurationException xPathFactoryConfigurationException) {
133 xPathFactoryConfigurationException.printStackTrace();
134 Assert.fail(xPathFactoryConfigurationException.toString());
135 } catch (XPathFunctionException xPathFunctionException) {
136 // expected security exception
137 securityException = true;
138 xPathFunctionException.printStackTrace(System.out);
139 } catch (XPathExpressionException xPathExpressionException) {
140 xPathExpressionException.printStackTrace();
141 Assert.fail(xPathExpressionException.toString());
142 }
143
144 // expected Exception
145 if (!securityException) {
146 Assert.fail("XPath result (SECURE_PROCESSING == true) = \"" + xPathResult + "\"");
147 }
148 }
149
150 private class MyXPathFunctionResolver implements XPathFunctionResolver {
151
152 public XPathFunction resolveFunction(QName functionName, int arity) {
153
154 // not a real ewsolver, always return a default XPathFunction
155 return new MyXPathFunction();
156 }
157 }
158
159 private class MyXPathFunction implements XPathFunction {
160
161 public Object evaluate(List list) throws XPathFunctionException {
162
163 return "Hello World";
164 }
165 }
166
167 private class MyNamespaceContext implements NamespaceContext {
168
169 public String getNamespaceURI(String prefix) {
170 if (prefix == null) {
171 throw new IllegalArgumentException("The prefix cannot be null.");
172 }
173
174 if (prefix.equals("ext")) {
175 return "http://ext.com";
176 } else {
177 return null;
178 }
179 }
180
181 public String getPrefix(String namespace) {
182
183 if (namespace == null) {
184 throw new IllegalArgumentException("The namespace uri cannot be null.");
185 }
186
187 if (namespace.equals("http://ext.com")) {
188 return "ext";
189 } else {
190 return null;
191 }
192 }
193
194 public Iterator getPrefixes(String namespace) {
195 return null;
196 }
197 }
198 }
199