Example usage for javax.xml XMLConstants FEATURE_SECURE_PROCESSING

List of usage examples for javax.xml XMLConstants FEATURE_SECURE_PROCESSING

Introduction

On this page you can find example usage of javax.xml XMLConstants FEATURE_SECURE_PROCESSING.

Prototype

String FEATURE_SECURE_PROCESSING


Document

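Feature for secure processing. Setting it to true asks the JAXP implementation to process XML securely, typically by applying limits to constructs such as entity expansion. Which limits apply, and whether DOCTYPE declarations or external entities are also blocked, depends on the implementation, which is why several of the examples below disable those explicitly as well.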

Usage

From source file:Main.java

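/**
 * Parses an XML document held in a string into a DOM {@link Document}.
 *
 * <p>The factory is namespace-aware and has
 * {@link XMLConstants#FEATURE_SECURE_PROCESSING} enabled. Every entity the parser
 * asks the resolver for is answered with an empty source, so external identifiers
 * are not dereferenced through this resolver. DOCTYPE declarations themselves are
 * not rejected here.
 *
 * <p>The text is handed to the parser as characters rather than re-encoded bytes,
 * so an {@code encoding} pseudo-attribute in the XML declaration cannot cause the
 * content to be decoded with a charset that differs from the one used to encode it.
 *
 * @param xml the XML text to parse; must not be {@code null}
 * @return the parsed document
 * @throws Exception if the factory rejects the feature or the text cannot be parsed
 */
public static Document getXmlDocFromString(String xml) throws Exception {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    DocumentBuilder builder = dbf.newDocumentBuilder();
    builder.setEntityResolver(new EntityResolver() {
        @Override
        public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
            // Hand back an empty entity instead of dereferencing the identifier.
            return new InputSource(new StringReader(""));
        }
    });
    // A byte-order mark only means something in a byte stream; drop a leading one so
    // input that parsed through the old byte-based path is still accepted.
    String text = (!xml.isEmpty() && xml.charAt(0) == '\uFEFF') ? xml.substring(1) : xml;
    return builder.parse(new InputSource(new StringReader(text)));
}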

From source file:Main.java

/**
 * Builds a {@link DocumentBuilder} from a factory that rejects DOCTYPE
 * declarations, has external general entities switched off, and has
 * {@link XMLConstants#FEATURE_SECURE_PROCESSING} switched on.
 *
 * @return a new document builder created from the hardened factory
 * @throws ParserConfigurationException if the factory does not accept one of the
 *     features or cannot create a builder
 */
public static DocumentBuilder buildSecureDocumentBuilder() throws ParserConfigurationException {
    final String disallowDoctype = "http://apache.org/xml/features/disallow-doctype-decl";
    final String externalGeneralEntities = "http://xml.org/sax/features/external-general-entities";

    final DocumentBuilderFactory hardened = DocumentBuilderFactory.newInstance();
    // Any document carrying a DOCTYPE is refused outright.
    hardened.setFeature(disallowDoctype, true);
    hardened.setFeature(externalGeneralEntities, false);
    hardened.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

    final DocumentBuilder result = hardened.newDocumentBuilder();
    return result;
}

From source file:Main.java

/**
 * Creates a namespace-aware {@link DocumentBuilder} with DOCTYPE declarations
 * disallowed, external general and parameter entities off, external DTD loading
 * off, XInclude off and entity-reference expansion off.
 *
 * @param secure value passed to {@link XMLConstants#FEATURE_SECURE_PROCESSING};
 *     passing {@code false} turns that feature off while the other settings stay
 * @return a builder created from the configured factory
 * @throws ParserConfigurationException if the factory rejects a feature or cannot
 *     create a builder
 */
public static DocumentBuilder getDocumentBuilder(boolean secure) throws ParserConfigurationException {
    final DocumentBuilderFactory hardened = DocumentBuilderFactory.newInstance();

    // Features that are switched off, in the order they are applied.
    final String[] switchedOff = {
        "http://xml.org/sax/features/external-general-entities",
        "http://xml.org/sax/features/external-parameter-entities",
        "http://apache.org/xml/features/nonvalidating/load-external-dtd",
    };
    for (String uri : switchedOff) {
        hardened.setFeature(uri, false);
    }
    hardened.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

    hardened.setXIncludeAware(false);
    hardened.setExpandEntityReferences(false);
    hardened.setNamespaceAware(true);
    // The caller decides whether the secure-processing feature is on.
    hardened.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secure);
    return hardened.newDocumentBuilder();
}

From source file:Main.java

/**
 * Parses the given byte stream into a DOM {@link Document} using a factory with
 * {@link XMLConstants#FEATURE_SECURE_PROCESSING} enabled.
 *
 * <p>That feature is the only setting applied here: DOCTYPE declarations and
 * external entities are not disabled explicitly, so what gets blocked is up to the
 * JAXP implementation in use. NOTE(review): confirm this is enough for the inputs
 * this method receives.
 *
 * @param input stream holding the XML document
 * @return the parsed document
 * @throws ParserConfigurationException if the feature is rejected or no builder
 *     can be created
 * @throws IOException if reading the stream fails
 * @throws SAXException if the document cannot be parsed
 */
public static Document readXml(InputStream input)
        throws ParserConfigurationException, IOException, SAXException {
    final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    return factory.newDocumentBuilder().parse(input);
}

From source file:mondrian.util.XmlParserFactoryProducer.java

/**
 * Returns a new {@link DocumentBuilderFactory} with
 * {@link XMLConstants#FEATURE_SECURE_PROCESSING} enabled and DOCTYPE declarations
 * disallowed.
 * Secure processing guards against some XML attacks such as entity-expansion
 * bombs; refusing DOCTYPE declarations removes DTD-based entities altogether.
 * See PPP-3506 for more details.
 *
 * @return the configured factory
 * @throws ParserConfigurationException if a feature can't be enabled
 */
public static DocumentBuilderFactory createSecureDocBuilderFactory() throws ParserConfigurationException {
    final String disallowDoctype = "http://apache.org/xml/features/disallow-doctype-decl";

    DocumentBuilderFactory secured = DocumentBuilderFactory.newInstance();
    secured.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    secured.setFeature(disallowDoctype, true);
    return secured;
}

From source file:Main.java

/**
 * Creates a namespace-aware, non-validating {@link DocumentBuilder} with external
 * general and parameter entities switched off and
 * {@link XMLConstants#FEATURE_SECURE_PROCESSING} switched on.
 *
 * @param disallowDoctypeDecl whether documents containing a DOCTYPE declaration
 *     are rejected; {@code null} is treated as {@code true}
 * @return a builder created from the configured factory
 * @throws ParserConfigurationException if the factory rejects a feature or cannot
 *     create a builder
 */
public static DocumentBuilder newDocumentBuilder(Boolean disallowDoctypeDecl)
        throws ParserConfigurationException {
    // Absent preference means the stricter choice: refuse DOCTYPE declarations.
    final boolean rejectDoctype = disallowDoctypeDecl == null || disallowDoctypeDecl;

    final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(true);
    factory.setValidating(false);

    // External entities are never resolved, whatever the DOCTYPE setting is.
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", rejectDoctype);

    // Secure processing applies the implementation's resource limits.
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    return factory.newDocumentBuilder();
}

From source file:Main.java

/**
 * Parses the XML in the given stream into a DOM {@link Document}.
 *
 * <p>The factory is namespace-aware and has
 * {@link XMLConstants#FEATURE_SECURE_PROCESSING} enabled. The builder's entity
 * resolver answers every request with an empty source, so external identifiers
 * are not dereferenced through it. DOCTYPE declarations are not rejected here.
 *
 * @param is stream holding the XML document
 * @return the parsed document
 * @throws Exception if the factory rejects the feature or the stream cannot be parsed
 */
public static Document getXmlDocFromURI(InputStream is) throws Exception {
    final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(true);
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

    // Resolver that substitutes an empty entity for whatever was requested.
    final EntityResolver emptyResolver = new EntityResolver() {
        @Override
        public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
            return new InputSource(new StringReader(""));
        }
    };

    final DocumentBuilder parser = factory.newDocumentBuilder();
    parser.setEntityResolver(emptyResolver);
    return parser.parse(is);
}

From source file:Main.java

/**
 * Parses the given {@link InputSource} into a DOM {@link Document} using a factory
 * with {@link XMLConstants#FEATURE_SECURE_PROCESSING} enabled.
 *
 * <p>That feature is the only setting applied here: DOCTYPE declarations and
 * external entities are not disabled explicitly, so what gets blocked is up to the
 * JAXP implementation in use. NOTE(review): confirm this is enough for the inputs
 * this method receives.
 *
 * @param source the XML input to parse
 * @return the parsed document
 * @throws ParserConfigurationException if the feature is rejected or no builder
 *     can be created
 * @throws IOException if reading the input fails
 * @throws SAXException if the document cannot be parsed
 */
public static Document readXml(InputSource source)
        throws ParserConfigurationException, IOException, SAXException {
    final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    return factory.newDocumentBuilder().parse(source);
}

From source file:mondrian.util.XmlParserFactoryProducer.java

/**
 * Returns a new {@link SAXParserFactory} with
 * {@link XMLConstants#FEATURE_SECURE_PROCESSING} enabled and with external general
 * entities, external parameter entities and external DTD loading switched off.
 * DOCTYPE declarations are not rejected by this factory.
 *
 * @return the configured factory
 *
 * @throws ParserConfigurationException if a parser cannot
 *     be created which satisfies the requested configuration.
 *
 * @throws SAXNotRecognizedException When the underlying XMLReader does
 *            not recognize the property name.
 *
 * @throws SAXNotSupportedException When the underlying XMLReader
 *            recognizes the property name but doesn't support the
 *            property.
 */
public static SAXParserFactory createSecureSAXParserFactory()
        throws SAXNotSupportedException, SAXNotRecognizedException, ParserConfigurationException {
    final SAXParserFactory secured = SAXParserFactory.newInstance();
    secured.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

    // External resources the parser must not pull in, in the order they are applied.
    final String[] switchedOff = {
        "http://xml.org/sax/features/external-general-entities",
        "http://xml.org/sax/features/external-parameter-entities",
        "http://apache.org/xml/features/nonvalidating/load-external-dtd",
    };
    for (String uri : switchedOff) {
        secured.setFeature(uri, false);
    }
    return secured;
}

From source file:com.lucidworks.hadoop.ingest.util.EmptyEntityResolver.java

/**
 * Prepares the given {@link SAXParserFactory} for secure XML processing of
 * untrusted sources: validation is turned off and
 * {@link XMLConstants#FEATURE_SECURE_PROCESSING} is requested.
 * The {@link org.xml.sax.XMLReader} created from the factory must additionally be
 * given {@link #SAX_INSTANCE}; this method does not do that.
 *
 * @param saxFactory the factory to configure in place
 * @see #SAX_INSTANCE
 */
public static void configureSAXParserFactory(SAXParserFactory saxFactory) {
    // DTD validation stays off.
    saxFactory.setValidating(false);
    // Request secure processing through the helper.
    // NOTE(review): presumably trySetSAXFeature tolerates a factory that rejects
    // the feature; confirm, since a silent failure would leave it unset.
    trySetSAXFeature(saxFactory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
}