Home  ›  Saxparseexception Soap Intellij Jaxp.properties Failed to Read Schema Document

Saxparseexception Soap Intellij Jaxp.properties Failed to Read Schema Document

Written By Wednesday, March 2, 2022 Add Comment Edit

Home Page

  • Coffee Software
  • Java SE Downloads
  • Java SE 8 Documentation

Coffee API for XML Processing (JAXP) Security Guide

The JDK and Java XML APIs have been improved over the years with various measures and tools that can assistance prevent applications from being exploited by XML-related attacks. This guide shows you how to apply the secure processing features of Java API for XML Processing (JAXP) to safeguard your applications and systems.

Topics

  • Potential Attacks During XML Processing
    • XML External Entity Injection Attack
      • External Resources Supported past XML, Schema, and XSLT Standards
    • Exponential Entity Expansion Attack
  • Characteristic for Secure Processing (FSP)
    • JAXP Properties for Processing Limits
      • elementAttributeLimit
      • entityExpansionLimit
      • entityReplacementLimit
      • maxElementDepth
      • maxGeneralEntitySizeLimit
      • maxOccurLimit
      • maxParameterEntitySizeLimit
      • maxXMLNameLimit
      • totalEntitySizeLimit
      • Legacy System Properties
    • JAXP Properties for External Access Restrictions
      • ACCESS_EXTERNAL_DTD
      • ACCESS_EXTERNAL_SCHEMA
      • ACCESS_EXTERNAL_STYLESHEET
      • Values of External Access Restrictions JAXP Properties
    • Scope and Order
      • Scope of Setting Feature for Secure Processing
      • Telescopic and Social club of Setting JAXP Properties
      • Telescopic of Setting External Access Restrictions
    • Relationship with Security Manager
    • When to Use Processing Limits
      • Retentivity Setting and Limits
      • Estimating the Limits Using the getEntityCountInfo Holding
    • When to Employ External Access Restrictions
    • Using JAXP Properties
      • Setting Properties Through JAXP Factories
      • Using Arrangement Properties
      • Using the jaxp.backdrop File
    • Treatment Errors from JAXP Properties
    • Streaming API for XML and JAXP Backdrop
      • StAX and Processing Limits
      • StAX and External Access Restrictions
    • Extension Functions
      • enableExtensionFunctions
  • Disabling DTD Processing
    • Disabling DTD Processing for SAX and DOM Parsers
    • Disabling DTD Processing for StAX Parsers
  • Using Coffee XML Resolvers
    • Entity Resolvers for SAX and DOM
    • XMLResolver for StAX
    • URIResolver for javax.xml.transform
    • LSResourceResolver for javax.xml.validation
  • Third-Political party Parsers
    • overrideDefaultParser
    • Example of Using a Third-Political party Parser
  • General Recommendations for JAXP Security
  • Appendix A: Glossary of Java API for XML Processing Terms and Definitions
  • Appendix B: Java and JDK XML Features and Properties Naming Convention

Potential Attacks During XML Processing

XML processing can betrayal applications to certain vulnerabilities. Amidst the most prominent and well-known attacks are the XML External Entity (XXE) injection attack and the exponential entity expansion attack, besides know as the XML flop or billion laughs assail. These attacks can potentially cause serious damage to a arrangement by denying its services or worse, lead to the loss of sensitive data.

You should evaluate your applications' requirements and operating environment to appraise the level of potential threat, for example, whether or to what extent the applications are exposed to untrusted XML sources.

XML External Entity Injection Attack

The XML, XML Schema, and XSLT standards define a number of structures that enable the embedding of external content in XML documents through organisation identifiers that reference external resources. In general, XML processors resolve and retrieve about all of these external resources; run into External Resource Supported by XML, Schema, and XSLT Standards for a list of constructs that support the inclusion of external resources. In addition, some constructs enable the execution of applications through external functions. XML External Entity (XXE) injection attacks exploit XML processors that have not been secured by restricting the external resources that it may resolve, call back, or execute. This tin issue in disclosing sensitive data such as passwords or enabling arbitrary execution of code.

External Resources Supported past XML, Schema, and XSLT Standards

XML, Schema, and XSLT standards support the post-obit constructs that crave external resources. The default behavior of the JDK XML processors is to make a connection and fetch the external resources as specified.

  • External DTD: references an external Document Type Definition (DTD), for instance:

    <!DOCTYPE root_element System "url">

  • External Entity Reference: Refers to external information, the post-obit is the syntax:

    <!ENTITY              name              Arrangement "url">

  • General entity reference, for example:

    <?xml version="1.0" standalone="no" ?> <!DOCTYPE dr. [<!ENTITY otherFile SYSTEM "otherFile.xml">]> <doc>     <a>         <b>&otherFile;</b>     </a> </doc>

  • External Parameter Entities: The post-obit is the syntax:

    <!ENTITY %              proper name              SYSTEM              uri>

    The following is an example:

    <?xml version="1.0" standalone="no"?>     <!DOCTYPE doc [       <!ENTITY % ent1 System "http://www.example.com/student.dtd">       %ent1;     ]>
  • XInclude: Includes an external infoset in an XML certificate, for example: 
    <Book xmlns:xi="http://www.w3.org/2001/XInclude">     <xi:include href=toc.xml"/>     <xi:include href=part1.xml"/>     <eleven:include href=part2.xml"/>     <xi:include href=index.xml"/> </Book>

  • References to XML Schema components using the schemaLocation aspect and import and include elements, for example:

    <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">     <xs:include schemaLocation="http://www.example.com/schema/schema1.xsd"/>     <!-- ... --> </xs:schema>
  • Combining way sheets using import or include elements, the following is the syntax: 
    <xsl:include href="include.xsl"/>
  • xml-stylesheet processing educational activity: Used to include a stylesheet in an XML certificate, for example: 
    <?xml-stylesheet href="include.xsl" type="text/xsl"?>
  • XSLT certificate() part: Used to admission nodes in an external XML document, for instance: 
    <xsl:variable select="document('DocumentFunc2.xml')"/>

Exponential Entity Expansion Attack

The exponential entity expansion attack, also know as the XML flop or billion laughs assail, is a denial-of-service assault that involves XML parsers. The basic exploit is to have several layers of nested entities, each referring to a number of entities of the next layer. The following is a sample SOAP document that contains deeply nested entity references:

<?xml version="ane.0" encoding ="UTF-viii"?> <!DOCTYPE bbb[     <!ENTITY x100 "bbb">     <!ENTITY  x99 "&x100;&x100;">     <!ENTITY  x98 "&x99;&x99;">     ...     <!ENTITY   x2 "&x3;&x3;">     <!ENTITY   x1 "&x2;&x2;"> ]> <Lather-ENV:Envelope xmlns:SOAP-ENV=...>     <Soap-ENV:Trunk>         <ns1:aaa xmlns:ns1="urn:aaa" SOAP-ENV:encodingStyle="...">             <foobar xsi:type="xsd:string">&x1;</foobar>         </ns1:aaa>     </Soap-ENV:Torso> </Soap-ENV:Envelope>

When an XML parser encounters such a document, it will try to resolve the entity annunciation past expanding the references. Considering the references are nested, the expansion becomes exponential by the number of entities each refers to. Such a process can lead the XML parser to consume 100% of CPU time and a large amount of memory, and eventually the arrangement runs out of retention.

Feature for Secure Processing (FSP)

Characteristic for Secure Processing (FSP), which is defined equally javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, is the central machinery to help safeguard XML processing. It instructs XML processors, such as parsers and transformers, to try and process XML securely.

By default, the JDK turns on FSP for DOM and SAX parsers and XML schema validators, which sets a number of processing limits on the processors. Conversely, by default, the JDK turns off FSP for transformers and XPath, which enables extension functions for XSLT and XPath.

Turn on and off FSP by calling the setFeature method on factories and setting XMLConstants.FEATURE_SECURE_PROCESSING to either true or false. For example, the following code snippet turns on FSP for SAX parsers that are created past the manufacturing plant spf by setting XMLConstants.FEATURE_SECURE_PROCESSING to truthful:

          SAXParserFactory spf = SAXParserFactory.newInstance();     spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

While FSP can be turned on and off through factories, it is always on when a Java Security Managing director is nowadays and cannot be turned off. The Java XML processors therefore volition enforce limits and restrictions when a Java Security Manager is nowadays. You tin can however adapt private properties depending on the specific needs of your applications. There are two types of JAXP properties:

  • Processing limits: Helps to baby-sit against excessive memory consumption from XML processing.
  • External access restrictions: Controls the fetching of external resources.

The following sections describe these two types of JAXP properties.

JAXP Backdrop for Processing Limits

XML processing can sometimes be a retentivity intensive operation. Applications, especially those that accept XML, XSD and XSL from untrusted sources, should have steps to guard against excessive memory consumption past using JAXP backdrop for processing limits.

Evaluate your application's requirements and operating surroundings to decide the acceptable processing limits for your organisation configurations and gear up these limits accordingly. For example, employ size-related limits to foreclose malformed XML sources from consuming large amounts of memory. Utilize EntityExpansionLimit to enable an application to command memory consumption under an acceptable level.

The JDK XML parsers find processing limits by default. Both DOM and SAX parsers have Feature for Secure Processing (FSP) turned on by default and therefore turn on the limits. The StAX parser also observes processing limits by default fifty-fifty though it doesn't support FSP.

The JDK XML processors enable you to conform processing limits individually in 3 ways:

  • Through standard XML APIs
  • By using Organisation properties
  • In the jaxp.backdrop file

Run into Using JAXP Backdrop and Scope and Lodge.

The following tables describe the JAXP properties for processing limits supported in the JDK.

elementAttributeLimit

Attribute Description
Proper name http://world wide web.oracle.com/xml/jaxp/properties/elementAttributeLimit
Definition Limits the number of attributes an chemical element can have.
Value A positive integer. A value less than or equal to 0 indicates no limit. If the value is non an integer, a NumericFormatException is thrown.
Default value 10000
Organisation property jdk.xml.elementAttributeLimit
Since 7u45, viii

entityExpansionLimit

Aspect Clarification
Name http://world wide web.oracle.com/xml/jaxp/properties/entityExpansionLimit
Definition Limits the number of entity expansions.
Value A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumericFormatException is thrown.
Default value 64000
System property jdk.xml.entityExpansionLimit
Since 7u45, 8

entityReplacementLimit

Attribute Description
Name http://www.oracle.com/xml/jaxp/properties/entityReplacementLimit
Definition Limits the total number of nodes in all entity references.
Value A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumericFormatException is thrown.
Default value 3000000
System belongings jdk.xml.entityReplacementLimit
Since 7u111, 8u101

maxElementDepth

Attribute Description
Proper noun http://www.oracle.com/xml/jaxp/properties/maxElementDepth
Definition Limits the maximum element depth.
Value A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumericFormatException is thrown.
Default value 0
Organization property jdk.xml.maxElementDepth
Since 7u65, 8u11

maxGeneralEntitySizeLimit

Attribute Description
Name http://world wide web.oracle.com/xml/jaxp/properties/maxGeneralEntitySizeLimit
Definition Limits the maximum size of any general entities.
Value A positive integer. A value less than or equal to 0 indicates no limit. If the value is non an integer, a NumericFormatException is thrown.
Default value 0
System property jdk.xml.maxGeneralEntitySizeLimit
Since 7u45, 8

maxOccurLimit

Attribute Description
Name http://www.oracle.com/xml/jaxp/properties/maxOccurLimit
Definition Limits the number of content model nodes that may be created when building a grammar for a W3C XML Schema that contains maxOccurs attributes with values other than "unbounded".
Value A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumericFormatException is thrown.
Default value 5000
Organization property jdk.xml.maxOccurLimit
Since 7u45, 8

maxParameterEntitySizeLimit

Attribute Description
Name http://www.oracle.com/xml/jaxp/properties/maxParameterEntitySizeLimit
Definition Limits the maximum size of any parameter entities, including the result of nesting multiple parameter entities.
Value A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumericFormatException is thrown.
Default value million
Organisation property jdk.xml.maxParameterEntitySizeLimit
Since 7u45, 8

maxXMLNameLimit

Attribute Clarification
Name http://world wide web.oracle.com/xml/jaxp/backdrop/maxXMLNameLimit
Definition Limits the maximum size of XML names, including element proper name, aspect name and namespace prefix and URI.
Value A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumericFormatException is thrown.
Default value 1000
System property jdk.xml.maxXMLNameLimit
Since 7u91, 8u65

totalEntitySizeLimit

Aspect Description
Name http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit
Definition Limits the total size of all entities that include general and parameter entities. The size is calculated equally an aggregation of all entities.
Value A positive integer. A value less than or equal to 0 indicates no limit. If the value is not an integer, a NumericFormatException is thrown.
Default value 5x10^7
System property jdk.xml.totalEntitySizeLimit
Since 7u45, 8

Legacy System Properties

These properties, which were introduced in JDK five.0 and half dozen, keep to be supported for backward compatibility.

System Property Since New System Property
entityExpansionLimit one.five jdk.xml.entityExpansionLimit
elementAttributeLimit 1.5 jdk.xml.elementAttributeLimit
maxOccurLimit 1.six jdk.xml.maxOccur

JAXP Properties for External Access Restrictions

The JAXP Properties for external access restrictions, along with their corresponding System properties, enable you to regulate external connections.

External access restrictions enable you to specify the type of external connections that can or cannot exist permitted. The property values are a list of protocols. The JAXP processors check if a given external connection is permitted by matching the protocol with those in the list. Processors will attempt to establish the connection if it is on the listing, or reject it if not. Use these JAXP properties forth with custom resolvers (run across Using Java XML Resolvers) to reduce the risk of external connections by rejecting and resolving them with local resources.

Annotation: Explicitly turning on Feature for Secure Processing (FSP) through the API, for instance, factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true), disables all external connections.

The external access restrictions JAXP properties are defined in javax.xml.XMLConstants as follows:

  • javax.xml.XMLConstants.ACCESS_EXTERNAL_DTD
  • javax.xml.XMLConstants.ACCESS_EXTERNAL_SCHEMA
  • javax.xml.XMLConstants.ACCESS_EXTERNAL_STYLESHEET

ACCESS_EXTERNAL_DTD

Attribute Clarification
Name http://javax.xml.XMLConstants/property/accessExternalDTD
Definition Restricts access to external DTDs and external entity references to the protocols specified.
Value See Values of External Admission Restrictions JAXP Properties
Default value all, connection permitted to all protocols
Organisation holding javax.xml.accessExternalDTD

ACCESS_EXTERNAL_SCHEMA

Attribute Clarification
Name http://javax.xml.XMLConstants/belongings/accessExternalSchema
Definition Restricts access to the protocols specified for external references set past the schemaLocation attribute, import chemical element, and include element.
Value See Values of External Admission Restrictions JAXP Properties
Default value all, connection permitted to all protocols.
Organization property javax.xml.accessExternalSchema

ACCESS_EXTERNAL_STYLESHEET

Attribute Description
Name http://javax.xml.XMLConstants/property/accessExternalStylesheet
Definition Restricts access to the protocols specified for external references set by the stylesheet processing instruction, document function, and import and include elements.
Value Encounter Values of External Access Restrictions JAXP Properties
Default value all, connection permitted to all protocols.
System belongings javax.xml.accessExternalStylesheet

Values of External Access Restrictions JAXP Properties

All JAXP properties for external access restrictions have values of the aforementioned format:

  • Value: A list of protocols separated past comma. A protocol is the scheme portion of an URI, or in the instance of the JAR protocol, jar plus the scheme portion separated by colon. A scheme is defined as:

    scheme = alpha *( blastoff | digit | "+" | "-" | "." )

    where alpha = a-z and A-Z.

    The JAR protocol is defined equally: jar[:scheme]

    Protocols are case-insensitive. Any whitespace characters every bit defined by Character.isSpaceChar in the value are ignored. Examples of protocols are file, http, and jar:file.

  • Default value: The default value is implementation specific. For the JDK, the default value is all, which grants permissions to all protocols.

  • Granting all access: The keyword all grants permission to all protocols. For example, specifying javax.xml.accessExternalDTD=all in the jaxp.properties file enables a system to work equally before with no restrictions on accessing external DTDs and entity references.

  • Denying whatsoever access: An empty string ("") ways that no permission is granted to any protocol. For instance, specifying javax.xml.accessExternalDTD="" in the jaxp.properties file instructs JAXP processors to deny any external connections.

Scope and Order

Scope of Setting Characteristic for Secure Processing

Characteristic for Secure Processing (FSP) is required for XML processors including DOM, SAX, schema validation, XSLT, and XPath.

When FSP is turned on, and then default processing limits (meet JAXP Backdrop for Processing Limits) are enforced. Turning off FSP does not change the limits.

When FSP is "explicitly" turned on through the API, for instance, factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true), then external admission restrictions (see JAXP Properties for External Access Restrictions) are fix to the empty string, which means that no permission is granted to whatsoever protocol. Although FSP is turned on by default for DOM, SAX and schema validation, it is not treated every bit if "explicitly" turned on; therefore, the default value for external access restrictions is all, which ways that permission is granted to all protocols.

When a Java Security Manager is present, FSP is turned on and cannot be turned off.

Scope and Club of Setting JAXP Properties

In full general, JAXP properties set up in a smaller scope override those in a larger ane:

  • JAXP properties specified through JAXP factories or processors accept preference over System backdrop, the jaxp.properties file, and FSP.
  • System backdrop, when set, bear upon one JDK invocation but and override processing limit and external access restriction values set by default, set in the jaxp.properties file, or gear up past FSP.
  • Backdrop specified in the jaxp.properties file affect the entire JDK and override processing limit and external access restriction values fix by default or ready by FSP.

Telescopic of Setting External Admission Restrictions

External access restrictions have no effect on the relevant constructs that they attempt to restrict in the following situations:

  • When in that location is a resolver and the source returned by the resolver is not nix: This applies to entity resolvers that may exist gear up on SAX and DOM parsers, XML resolvers on StAX parsers, LSResourceResolver on SchemaFactory, a Validator or ValidatorHandler, or URIResolver on a transformer.

  • When a schema is created explicitly by calling the newSchema method from SchemaFactory.

  • When external resource are non required: For example, the following features and properties are supported by the JDK and may be used to instruct the processor to not load the external DTD or resolve external entities:

    http://apache.org/xml/features/disallow-doctype-decl truthful http://apache.org/xml/features/nonvalidating/load-external-dtd simulated http://xml.org/sax/features/external-full general-entities imitation http://xml.org/sax/features/external-parameter-entities false

Human relationship with Security Manager

JAXP properties are checked start earlier a connection is attempted, whether or not a SecurityManager is present. This means that a connection may be blocked fifty-fifty if information technology is granted permission by the SecurityManager. For example, if the JAXP backdrop are set to disallow the HTTP protocol, then they volition finer block whatsoever connection attempt even when an application has a SocketPermission.

For the purpose of restricting connections, the SecurityManager can be viewed as being at a lower level. Permissions are checked after JAXP backdrop are evaluated. For example, if an application does not have a SocketPermission, so a SecurityException will be thrown fifty-fifty if JAXP properties are set to allow HTTP connections.

When a SecurityManager is present, Characteristic for Secure Processing (FSP) is set to true. This beliefs does not turn on whatsoever external admission restrictions.

When to Use Processing Limits

When determining which processing limits to apply and what values to utilise, at the system level, consider the amount of memory available for applications and whether XML, XSD, or XSL sources from untrusted sources are accustomed and processed. At the application level, consider whether sure constructs such as DTDs are used.

Retentiveness Setting and Limits

XML processing can be very memory intensive. The amount of memory that should be allowed to be consumed depends on the requirements of the applications in a specific surroundings. Processing of malformed XML data must be prevented from consuming excessive retentivity.

The default limits are generally prepare to allow legitimate XML inputs for well-nigh applications with memory usage allowed for a small-scale hardware organization, such as a PC. It is recommended that the limits are ready to the smallest possible values, so that any malformed input tin can exist caught before it consumes big amounts of memory.

The limits are correlated, but not entirely redundant. Y'all should set advisable values for all of the limits: commonly the limits should be prepare to a much smaller value than the default.

For example, ENTITY_EXPANSION_LIMIT and GENERAL_ENTITY_SIZE_LIMIT can be set to preclude excessive entity references. But when the exact combination of the expansion and entity sizes are unknown, TOTAL_ENTITY_SIZE_LIMIT can serve as a overall control. Similarly, while TOTAL_ENTITY_SIZE_LIMIT controls the total size of a replacement text, if the text is a very large chunk of XML, ENTITY_REPLACEMENT_LIMIT sets a restriction on the total number of nodes that can appear in the text and prevents overloading the system.

Estimating the Limits Using the getEntityCountInfo Property

To assist you analyze what values y'all should prepare for the limits, a special property chosen http://world wide web.oracle.com/xml/jaxp/properties/getEntityCountInfo is available. The following code snippet, from Processing Limit Samples in The Coffee Tutorials, shows an example of using the property:

          public static final String ORACLE_JAXP_PROPERTY_PREFIX =         "http://world wide web.oracle.com/xml/jaxp/backdrop/";     // ...     public static terminal String JDK_ENTITY_COUNT_INFO =          ORACLE_JAXP_PROPERTY_PREFIX + "getEntityCountInfo";     // ...     parser.setProperty(JDK_ENTITY_COUNT_INFO, "yes");

When you run the processing limit sample with the DTD in W3C MathML 3.0, information technology prints out the post-obit tabular array:

Holding Limit Total Size Size Entity Name
ENTITY_EXPANSION_LIMIT 64000 1417 0 null
MAX_OCCUR_NODE_LIMIT 5000 0 0 aught
ELEMENT_ATTRIBUTE_LIMIT 10000 0 0 null
TOTAL_ENTITY_SIZE_LIMIT 50000000 55425 0 zilch
GENERAL_ENTITY_SIZE_LIMIT 0 0 0 null
PARAMETER_ENTITY_SIZE_LIMIT one thousand thousand 0 7303 %MultiScriptExpression
MAX_ELEMENT_DEPTH_LIMIT 0 2 0 null
MAX_NAME_LIMIT yard 13 13 zilch
ENTITY_REPLACEMENT_LIMIT 3000000 0 0 null

In this example, the total number of entity references, or the entity expansion, is 1417; the default limit is 64000. The total size of all entities is 55425; the default limit is 50000000. The biggest parameter entity is %MultiScriptExpression with a length of 7303 after all references are resolved; the default limit is 1000000.

If this is the largest file that the application is expected to process, it is recommended that the limits exist set to smaller numbers. For example, 2000 for ENTITY_EXPANSION_LIMIT, 100000 for TOTAL_ENTITY_SIZE_LIMIT, and 10000 for PARAMETER_ENTITY_SIZE_LIMIT.

When to Use External Access Restrictions

The XML processors, by default, endeavour to connect and read external resources that are referenced in XML sources. Note that this may potentially expose applications and systems to risks posed past external connections. Information technology's therefore recommended that applications consider limiting external connections with external admission restriction backdrop.

Internal applications and systems that handle only trusted XML documents may not need these restrictions. Applications and systems that rely on the Java Security Manager to regulate external connections may also have no need for them. However, proceed in mind that external admission restrictions are specific to the XML processors and at the tiptop layer of the procedure, which means that the processors check these restrictions before any connections are fabricated. They may therefore serve as an additional and more direct protection against external connection risks.

Yous tin can utilise external access restriction backdrop along with custom resolvers and catalogs (meet Using Java XML Resolvers) to finer manage external connections and reduce risks.

Even in a trusted surround with trusted sources, it's recommended that yous use both external access restrictions and resolvers to minimize dependencies on external sources.

Using JAXP Properties

Setting Properties Through JAXP Factories

If you tin modify your application'south code, or you're creating a new application, so setting JAXP properties through JAXP factories or a parser is the preferred method. Set these properties through the following interfaces:

          DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();     dbf.setAttribute(name,          value);       SAXParserFactory spf = SAXParserFactory.newInstance();     SAXParser parser = spf.newSAXParser();     parser.setProperty(name,          value);       XMLInputFactory xif = XMLInputFactory.newInstance();     xif.setProperty(name,          value);       SchemaFactory schemaFactory = SchemaFactory.newInstance(schemaLanguage);     schemaFactory.setProperty(name,          value);       TransformerFactory factory = TransformerFactory.newInstance();     factory.setAttribute(proper name,          value);

The post-obit is an example of setting processing limits:

          dbf.setAttribute(JDK_ENTITY_EXPANSION_LIMIT, "2000");     dbf.setAttribute(TOTAL_ENTITY_SIZE_LIMIT, "100000");     dbf.setAttribute(PARAMETER_ENTITY_SIZE_LIMIT, "10000");      dbf.setAttribute(JDK_MAX_ELEMENT_DEPTH, "100");

The following is an example of limiting a DOM parser to only local connections for external DTDs:

          dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "file, jar:file");

If a parser module within the application handles untrusted sources, information technology may further restrict access. The following code overrides those in the jaxp.properties file and those specified past System properties and enables the XML processor to read local files only:

          DocumentBuilderFactory dbf =     DocumentBuilderFactory.newInstance();        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "file");     // ...        SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);        schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "file");        schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "file");

As described in Telescopic and Order of Setting JAXP Properties, JAXP backdrop specified through JAXP factories have the narrowest scope, affecting only the processors created by the factories, and therefore override any default settings, System properties, and those in the jaxp.backdrop file. By setting JAXP properties through JAXP factories, you can ensure that your applications behave the same way regardless of which JDK release you're using or whether JAXP properties are set through other means.

Using System Properties

System properties may exist useful if you can't alter your awarding's code.

To set JAXP properties for an entire JDK invocation, ready their corresponding Organization properties on the command line.

To set JAXP properties for only a portion of the application, ready their corresponding Organization backdrop before the portion, and so clear them subsequently. For example, if your application requires access to external DTDs and schemas, then add these lines to your application's initialization code cake:

          System.setProperty("javax.xml.accessExternalDTD", "file, http");     System.setProperty("javax.xml.accessExternalSchema", "file, http");

Then, once your awarding is washed processing XML documents or before it exits, clear out the backdrop equally follows:

          System.clearProperty("javax.xml.accessExternalDTD");        System.clearProperty("javax.xml.accessExternalSchema");

The following code, from Processing Limit Samples in The Java Tutorials, is another example that shows how to practise this for the processing limit maxGeneralEntitySizeLimit:

public static final String SP_GENERAL_ENTITY_SIZE_LIMIT =     "jdk.xml.maxGeneralEntitySizeLimit";  // Set limits using System property; // this setting will affect all processing after it'due south set Organisation.setProperty(SP_GENERAL_ENTITY_SIZE_LIMIT, "2000");  // Perform some processing here  // After information technology is done, clear the property System.clearProperty(SP_GENERAL_ENTITY_SIZE_LIMIT);

Note that processing limit values are integers. A NumberFormatException is thrown if a processing limit'due south value is not a parsable integer; encounter the method java.lang.Integer.parseInt(String).

The following instance allows the resolution of external schemas for a portion of an application:

// Allow resolution of external schemas // This setting will touch all processing after it's set System.setProperty("javax.xml.accessExternalSchema", "file, http");  // Perform some processing hither  // After it's done, articulate the property System.clearProperty("javax.xml.accessExternalSchema");

Using the jaxp.properties File

If you want to specify a JAXP property that affects every JDK invocation, and then create a configuration file named <java-dwelling>/lib/jaxp.properties and specify names and values of JAXP properties in information technology, 1 name-value pair on each line. For instance, the following jaxp.properties file sets the maxGeneralEntitySizeLimit processing limit belongings to 2000 and restricts admission to the file and HTTP protocols for external references prepare by the stylesheet processing didactics, document function, and the import and include elements.

jdk.xml.maxGeneralEntitySizeLimit=2000 javax.xml.accessExternalStylesheet=file, http

If you don't want to allow any external connection by XML processors, you can fix all access external restrictions to file only:

javax.xml.accessExternalDTD=file javax.xml.accessExternalSchema=file javax.xml.accessExternalStylesheet=file

If you want to prevent applications from accidentally reading external files through an XML processor, set the external admission restrictions equally follows in the jaxp.properties file equally follows:

javax.xml.accessExternalDTD=""    javax.xml.accessExternalSchema=""    javax.xml.accessExternalStylesheet=""

Note:

  • Utilise the respective System property in the jaxp.properties file. Processing limit Organisation backdrop take the prefix jdk.xml. External access restriction System properties have the prefix javax.xml.
  • Processing limit values are integers. A NumberFormatException is thrown if a processing limit's value is non a parsable integer; see the method java.lang.Integer.parseInt(String).

Handling Errors from JAXP Properties

Information technology is recommended that applications catch org.xml.sax.SAXNotRecognizedException when setting JAXP properties and so that the applications will work properly on older releases that don't back up them.

For case, the following method, isNewPropertySupported, from Processing Limit Samples in The Java Tutorials, detects if the sample is run with a version of the JDK that supports the JDK_GENERAL_ENTITY_SIZE_LIMIT property:

          public boolean isNewPropertySupported() {         try {             SAXParser parser = getSAXParser(false, false, false);             parser.setProperty(JDK_GENERAL_ENTITY_SIZE_LIMIT, "10000");         } take hold of (ParserConfigurationException ex) {             neglect(ex.getMessage());         } catch (SAXException ex) {             String err = ex.getMessage();             if (err.indexOf("Property '" + JDK_GENERAL_ENTITY_SIZE_LIMIT +                                            "' is not recognized.") > -one) {                 // expected before this patch                 debugPrint("New limit properties not supported. Samples not run.");                 render false;             }         }         return truthful;     }

When input files contain constructs that cause an over-the-limit exception, applications may check the error code to decide the nature of the failure. The post-obit error codes are divers for processing limits:

  • EntityExpansionLimit: JAXP00010001
  • ElementAttributeLimit: JAXP00010002
  • MaxEntitySizeLimit: JAXP00010003
  • TotalEntitySizeLimit: JAXP00010004
  • MaxXMLNameLimit: JAXP00010005
  • maxElementDepth: JAXP00010006
  • EntityReplacementLimit: JAXP00010007

The fault lawmaking has the post-obit format:

"JAXP" +          components (two digits)          +          mistake category (two digits)          +          sequence number

The code JAXP00010001, therefore, represents the JAXP base parser security limit EntityExpansionLimit.

If access to external resources is denied due to the restrictions prepare by external admission restrictions, so an exception will be thrown with an fault in the following format:

          [type of construct]: Failed to read          [blazon of construct]          "[name of the external resource]", considering "[type of restriction]"     access is not allowed due to restriction set by the          [belongings name]          property.

For example, suppose the following:

  • The ACCESS_EXTERNAL_DTD JAXP holding is prepare every bit follows:

    parser.setProperty(     "http://javax.xml.XMLConstants/property/accessExternalDTD", "file");

  • Your awarding tries to fetch an external DTD with the HTTP protocol.

  • The parser parsed an XML file that contains an external reference to http://world wide web.instance.com/dtd/properties.dtd.

The fault message would look like the following:

External DTD: Failed to read external DTD     "http://world wide web.example.com/dtd/properties.dtd", because "http"     admission is non allowed due to restriction set up past the     accessExternalDTD belongings.

Streaming API for XML and JAXP Backdrop

Streaming API for XML (StAX), JSR 173, does not support FSP nor does it support external access restrictions. However, JDK's StAX implementation supports processing limits, and StAX in the context of JAXP supports external access restrictions.

StAX and Processing Limits

JDK'south StAX implementation supports processing limits and their corresponding System properties. Even so, because FSP is not supported, you lot tin can't plow on or off processing limits for StAX by turning on or off FSP. Processing limits continue to carry as described in JAXP Properties for Processing Limits.

StAX and External Access Restrictions

JDK'southward StAX implementation supports the JAXP properties related to external access restrictions. Setting them is similar to SAX or DOM, just through the XMLInputFactory class, for instance:

          XMLInputFactory xif = XMLInputFactory.newInstance();     xif.setProperty(         "http://javax.xml.XMLConstants/property/accessExternalDTD",         "file");

For compatibility, StAX properties and features take precedence over the processing limit and external access restriction properties. For case, the SupportDTD property, when set up to faux, causes a program to throw an exception when an input file contains a DTD before it can be parsed. Therefore, processing limits and external access restrictions on DTDs volition take no issue on applications that have disabled DTDs by setting the SupportDTD property to false.

Extension Functions

Considering Feature for Secure Processing (FSP) is off past default for Transformer and XPath, extension functions are allowed. For applications processing documents from untrusted sources, it is recommended to turn off the extension functions feature. There are two ways to practise so:

  • Past setting FSP to true, for instance:

                  TransformerFactory tf = TransformerFactory.newInstance();               tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

  • By setting the enableExtensionFunctions holding to false:

                  final static String ENABLE_EXTENSION_FUNCTIONS =         "http://www.oracle.com/xml/jaxp/properties/enableExtensionFunctions";     // ...     TransformerFactory tf = TransformerFactory.newInstance();       tf.setFeature(ENABLE_EXTENSION_FUNCTIONS, faux);

In cases where extension functions are disabled as a result of installing a Java Security Managing director, applications may besides choose to re-enable the extension functions characteristic by setting the belongings enableExtensionFunctions to true. The following tabular array defines this holding:

enableExtensionFunctions

Attribute Description
Name http://www.oracle.com/xml/jaxp/properties/enableExtensionFunctions
Definition Determines whether XSLT and XPath extension functions are immune.
Value A boolean. True indicates that extension functions are allowed; Fake otherwise.
Default value true
System property jdk.xml.enableExtensionFunctions
Since 7u60

Disabling DTD Processing

If your applications don't require DTDs, and so consider disabling DTD processing to safeguard against many common DTD-related attacks, including denial-of-service, XML external entity (XXE), and server-side request forgery (SSRF).

Disabling DTD Processing for SAX and DOM Parsers

To disable DTD processing for SAX and DOM parsers, set the feature http://apache.org/xml/features/disallow-doctype-decl to truthful through a factory. The following code snippet disables DTDs for SAX parsers. A fatal error is thrown if the incoming XML certificate contains a DOCTYPE declaration.

          concluding static String DISALLOW_DTD =         "http://apache.org/xml/features/disallow-doctype-decl";     // ...     SAXParserFactory spf = SAXParserFactory.newInstance();           spf.setFeature(DISALLOW_DTD, truthful);

Disabling DTD Processing for StAX Parsers

To disable DTD processing for StAX parsers, set the property SupportDTD with the the XMLInputFactory.setProperty method:

          XMLInputFactory xif = XMLInputFactory.newInstance();     xif.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);

Using Java XML Resolvers

You tin register custom resolvers on a JDK XML processor to intercept any references to external resources and resolve them with local ones. This feature eliminates the need to read and access external resources, thus helping to remove a source of potential gamble.

The Java XML API supports various resolvers that you can register on JDK XML processors to resolve external resources. These resolvers includes entity resolvers for SAX and DOM parsers, XML resolvers for StAX parsers, LSResourceResolver for validation, and URIResolver for transformation.

Entity Resolvers for SAX and DOM

SAX defines an interface that DOM also supports, org.xml.sax.EntityResolver. Information technology enables applications to footstep into the entity resolution process and perform entity resolution on their own terms. The following is the interface's definition:

package org.xml.sax;  public interface EntityResolver {     public InputSource resolveEntity(String publicID, Cord systemID)         throws SAXException; }

You can then register an implementation of the interface on a SAX driver:

          EntityResolver resolver = ...;     SAXParserFactory factory = SAXParserFactory.newInstance();     mill.setNamespaceAware(truthful);     XMLReader reader = mill.newSAXParser().getXMLReader();     reader.setEntityResolver(resolver);

Alternatively, you can register it on a DOM architect:

          DocumentBuilder builder =         DocumentBuilderFactory.newInstance().newDocumentBuilder();            docBuilder.setEntityResolver(resolver);

XMLResolver for StAX

StAX defines a javax.xml.stream.XMLResolver interface:

packet javax.xml.stream;  public interface XMLResolver {     public Object resolveEntity(         Cord publicID, String systemID,         Cord baseURI, String namespace)         throws XMLStreamException; }

Y'all can annals it on a StAX manufacturing plant:

          XMLResolver resolver = ...;     XMLInputFactory xif = XMLInputFactory.newInstance();     xif.setProperty(XMLInputFactory.RESOLVER, resolver);

URIResolver for javax.xml.transform

The javax.xml.transform API supports custom resolution of external resources through the URIResolver interface:

bundle javax.xml.transform;  public interface URIResolver {     public Source resolve(String href, String base)         throws TransformerException; }

Y'all can register an implementation of URIResolver on a Transformer every bit follows:

          URIResolver resolver = ...;     TransformerFactory tf = TransformerFactory.newInstance();     Transformer t =       tf.newTransformer(new StreamSource(         new StringReader("xsl source")));     t.setURIResolver(resolver);

LSResourceResolver for javax.xml.validation

The javax.xml.validation API supports Document Object Model Level 3 Load and Relieve (DOM LS) DOM through the LSResourceResolver interface:

parcel org.w3c.dom.ls;  public interface LSResourceResolver {     public LSInput resolveResource(         String blazon, Cord namespaceURI, String publicId,         String systemId, String baseURI); }

You can register an implementation of LSResourceResolver on a SchemaFactory as follows:

          SchemaFactory schemaFactory =         SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");     LSResourceResolver resolver = ...;     schemaFactory.setResourceResolver(resolver);

Third-Party Parsers

The JDK volition ever use its system-default parser even when at that place's a third-party parser on the classpath. To override the JDK organization-default parser, ready the jdk.xml.overrideDefaultParser belongings to true.

overrideDefaultParser

Aspect Clarification
Name jdk.xml.overrideDefaultParser
Definition Enables the use of a third-party's parser implementation to override the system-default parser for the JDK'southward Transformer, Validator, and XPath implementations. The property can be set through JAXP factories, System properties, or the jaxp.properties file.
Value A boolean. Setting it to true enables third-party parser implementations to override the organisation-default implementation during XML transformation, XML validation, or XPath operations. Setting it to simulated disables the use of third-political party parser implementations. When the value is specified as a String, the returning value will be that of Boolean.parseBoolean.
Default value imitation
System belongings jdk.xml.overrideDefaultParser
Since 6u181, 7u171, 8u161, 9.0.four

Example of Using a Third-Party Parser

The following lawmaking snippets instruct the factories to utilize a third-party parser, if found on the classpath, by setting the jdk.xml.overrideDefaultParser property with the setFeature method:

          static final String JDK_OVERRIDE_PARSER = "jdk.xml.overrideDefaultParser";     ...     TransformerFactory tFactory = TransformerFactory.newInstance();     tFactory.setFeature(JDK_OVERRIDE_PARSER, true);     ...     XPathFactory xf = XPathFactory.newInstance();     xf.setFeature(JDK_OVERRIDE_PARSER, true);     ...     SchemaFactory schemaFactory =         SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);     schemaFactory.setFeature(JDK_OVERRIDE_PARSER, true);     ...     Schema schema = schemaFactory.newSchema(new File("mySchema.xsd"));     Validator validator = schema.newValidator();     validator.setFeature(JDK_OVERRIDE_PARSER, true);

The post-obit code snippet sets jdk.xml.overrideDefaultParser as a System belongings:

          System.setProperty("jdk.xml.overrideDefaultParser", "true"));

Y'all tin can add the following line to the jaxp.properties file to enable third-political party parsers:

          jdk.xml.overrideDefaultParser=true

General Recommendations for JAXP Security

The following are general recommendations for configuring JAXP properties and features to assistance secure your applications and systems:

  • Plough on Feature for Secure Processing (FSP), then adjust individual features and properties in accordance with your specific requirements.
  • For processing limits, adapt them so that they are only large plenty to accommodate the maximum amount your applications crave.
  • For external admission restrictions, reduce or eliminate your applications' reliance on external resources, including the use of resolvers, then tighten these restrictions.

Appendix A: Glossary of Java API for XML Processing Terms and Definitions

Term Definition
JAXP Java API for XML Processing
Java SE XML API APIs defined in the JAXP JSR and integrated into Java SE
Java XML API Equivalent term for Java SE XML API
Java XML Features and Properties XML-related features and properties defined past the Coffee SE specification
JDK XML The JDK implementation of the Java XML API
JDK XML Parsers The JDK implementation of the XML parsers
JDK XML Properties The JDK Implementation-only properties
FSP FEATURE_SECURE_PROCESSING

Appendix B: Java and JDK XML Features and Properties Naming Convention

Java and JDK XML features and properties are defined in the javax.xml.XMLConstants class. The features have a prefix http://javax.xml.XMLConstants/feature, the backdrop http://javax.xml.XMLConstants/property. If there is a respective Organization property, its prefix is javax.xml.

The JDK XML backdrop are JDK implementation-only properties. Their prefixes vary depending on the JDK version. The following tabular array summarizes this naming convention:

Scope API Property Prefix Arrangement Property Prefix Java SE and JDK Version
Coffee SE http://javax.xml.XMLConstants/feature
http://javax.xml.XMLConstants/holding 		javax.xml Since 1.4
JDK http://www.oracle.com/xml/jaxp/backdrop jdk.xml Since 7

paulefors1941.blogspot.com

Source: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jaxp/jaxp.html

0 Response to "Saxparseexception Soap Intellij Jaxp.properties Failed to Read Schema Document"

Post a Comment

Subscribe to: Post Comments (Atom)

Iklan Atas Artikel

Iklan Tengah Artikel 1

Iklan Tengah Artikel 2

Iklan Bawah Artikel