1 /* 2 * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. 8 * 9 * This code is distributed in the hope that it will be useful, but WITHOUT 10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 12 * version 2 for more details (a copy is included in the LICENSE file that 13 * accompanied this code). 14 * 15 * You should have received a copy of the GNU General Public License version 16 * 2 along with this work; if not, write to the Free Software Foundation, 17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 20 * or visit www.oracle.com if you need additional information or have any 21 * questions. 22 */ 23 24 package xpath; 25 26 import java.io.IOException; 27 import java.io.InputStream; 28 import java.util.Iterator; 29 import java.util.List; 30 31 import javax.xml.XMLConstants; 32 import javax.xml.namespace.NamespaceContext; 33 import javax.xml.namespace.QName; 34 import javax.xml.parsers.DocumentBuilder; 35 import javax.xml.parsers.DocumentBuilderFactory; 36 import javax.xml.parsers.ParserConfigurationException; 37 import javax.xml.xpath.XPath; 38 import javax.xml.xpath.XPathExpressionException; 39 import javax.xml.xpath.XPathFactory; 40 import javax.xml.xpath.XPathFactoryConfigurationException; 41 import javax.xml.xpath.XPathFunction; 42 import javax.xml.xpath.XPathFunctionException; 43 import javax.xml.xpath.XPathFunctionResolver; 44 45 import org.testng.Assert; 46 import org.testng.annotations.Listeners; 47 import org.testng.annotations.Test; 48 import org.w3c.dom.Document; 49 import org.xml.sax.SAXException; 50 51 /* 52 * @test 53 * @library /javax/xml/jaxp/libs /javax/xml/jaxp/unittest 54 * @run testng/othervm -DrunSecMngr=true xpath.SecureProcessingTest 55 * @run testng/othervm xpath.SecureProcessingTest 56 * @summary Test when FEATURE_SECURE_PROCESSING is true, calling an external function will cause XPathFunctionException. 57 */ 58 @Test 59 @Listeners({jaxp.library.FilePolicy.class}) 60 public class SecureProcessingTest { 61 public final void testSecureProcessing() { 62 boolean _isSecureMode = System.getSecurityManager() != null; 63 64 final String XPATH_EXPRESSION = "ext:helloWorld()"; 65 66 // the xml source 67 InputStream xmlStream = this.getClass().getResourceAsStream("SecureProcessingTest.xml"); 68 69 DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance(); 70 DocumentBuilder documentBuilder = null; 71 Document document = null; 72 73 try { 74 documentBuilder = documentBuilderFactory.newDocumentBuilder(); 75 document = documentBuilder.parse(xmlStream); 76 } catch (ParserConfigurationException parserConfigurationException) { 77 parserConfigurationException.printStackTrace(); 78 Assert.fail(parserConfigurationException.toString()); 79 } catch (SAXException saxException) { 80 saxException.printStackTrace(); 81 Assert.fail(saxException.toString()); 82 } catch (IOException ioException) { 83 ioException.printStackTrace(); 84 Assert.fail(ioException.toString()); 85 } 86 87 // the XPath 88 XPathFactory xPathFactory = null; 89 XPath xPath = null; 90 String xPathResult = null; 91 92 // SECURE_PROCESSING == false 93 // evaluate an expression with a user defined function with a non-secure 94 // XPath 95 // expect success 96 if (!_isSecureMode) { // jaxp secure feature can not be turned off when 97 // security manager is present 98 try { 99 xPathFactory = xPathFactory.newInstance(); 100 xPathFactory.setXPathFunctionResolver(new MyXPathFunctionResolver()); 101 xPathFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false); 102 103 xPath = xPathFactory.newXPath(); 104 xPath.setNamespaceContext(new MyNamespaceContext()); 105 106 xPathResult = xPath.evaluate(XPATH_EXPRESSION, document); 107 } catch (XPathFactoryConfigurationException xPathFactoryConfigurationException) { 108 xPathFactoryConfigurationException.printStackTrace(); 109 Assert.fail(xPathFactoryConfigurationException.toString()); 110 } catch (XPathExpressionException xPathExpressionException) { 111 xPathExpressionException.printStackTrace(); 112 Assert.fail(xPathExpressionException.toString()); 113 } 114 115 // expected success 116 System.out.println("XPath result (SECURE_PROCESSING == false) = \"" + xPathResult + "\""); 117 } 118 // now try with SECURE_PROCESSING == true 119 // evaluate an expression with a user defined function with a secure 120 // XPath 121 // expect Exception 122 boolean securityException = false; 123 try { 124 xPathFactory = xPathFactory.newInstance(); 125 xPathFactory.setXPathFunctionResolver(new MyXPathFunctionResolver()); 126 xPathFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); 127 128 xPath = xPathFactory.newXPath(); 129 xPath.setNamespaceContext(new MyNamespaceContext()); 130 131 xPathResult = xPath.evaluate(XPATH_EXPRESSION, document); 132 } catch (XPathFactoryConfigurationException xPathFactoryConfigurationException) { 133 xPathFactoryConfigurationException.printStackTrace(); 134 Assert.fail(xPathFactoryConfigurationException.toString()); 135 } catch (XPathFunctionException xPathFunctionException) { 136 // expected security exception 137 securityException = true; 138 xPathFunctionException.printStackTrace(System.out); 139 } catch (XPathExpressionException xPathExpressionException) { 140 xPathExpressionException.printStackTrace(); 141 Assert.fail(xPathExpressionException.toString()); 142 } 143 144 // expected Exception 145 if (!securityException) { 146 Assert.fail("XPath result (SECURE_PROCESSING == true) = \"" + xPathResult + "\""); 147 } 148 } 149 150 private class MyXPathFunctionResolver implements XPathFunctionResolver { 151 152 public XPathFunction resolveFunction(QName functionName, int arity) { 153 154 // not a real ewsolver, always return a default XPathFunction 155 return new MyXPathFunction(); 156 } 157 } 158 159 private class MyXPathFunction implements XPathFunction { 160 161 public Object evaluate(List list) throws XPathFunctionException { 162 163 return "Hello World"; 164 } 165 } 166 167 private class MyNamespaceContext implements NamespaceContext { 168 169 public String getNamespaceURI(String prefix) { 170 if (prefix == null) { 171 throw new IllegalArgumentException("The prefix cannot be null."); 172 } 173 174 if (prefix.equals("ext")) { 175 return "http://ext.com"; 176 } else { 177 return null; 178 } 179 } 180 181 public String getPrefix(String namespace) { 182 183 if (namespace == null) { 184 throw new IllegalArgumentException("The namespace uri cannot be null."); 185 } 186 187 if (namespace.equals("http://ext.com")) { 188 return "ext"; 189 } else { 190 return null; 191 } 192 } 193 194 public Iterator getPrefixes(String namespace) { 195 return null; 196 } 197 } 198 } 199