List of usage examples for javax.xml XMLConstants FEATURE_SECURE_PROCESSING
String FEATURE_SECURE_PROCESSING
From source file:org.wso2.carbon.identity.query.saml.util.SAMLQueryRequestUtil.java
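/**
 * Creates a namespace-aware {@link DocumentBuilderFactory} configured against XML external
 * entity (XXE) and entity-expansion (XEE) attacks.
 *
 * <p>XInclude and entity-reference expansion are switched off, the external general entity,
 * external parameter entity and external DTD loading features are disabled, secure processing
 * is enabled, and a security manager limited to {@code ENTITY_EXPANSION_LIMIT} expansions is
 * attached under the Xerces security-manager property.
 *
 * @return the configured DocumentBuilderFactory instance
 * @throws IdentitySAML2QueryException if the parser rejects one of the hardening features
 */
public static DocumentBuilderFactory getSecuredDocumentBuilderFactory() throws IdentitySAML2QueryException {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);
    try {
        dbf.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE, false);
        dbf.setFeature(Constants.SAX_FEATURE_PREFIX + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE, false);
        dbf.setFeature(Constants.XERCES_FEATURE_PREFIX + Constants.LOAD_EXTERNAL_DTD_FEATURE, false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // NOTE(review): DOCTYPE declarations are still accepted here; if SAML queries never
        // carry one, rejecting them outright would be the stricter setting - confirm with callers.
    } catch (ParserConfigurationException e) {
        // Fail closed: a factory that could not be hardened must never be handed to callers.
        String message = "Failed to load XML Processor Feature " + Constants.EXTERNAL_GENERAL_ENTITIES_FEATURE
                + " or " + Constants.EXTERNAL_PARAMETER_ENTITIES_FEATURE + " or "
                + Constants.LOAD_EXTERNAL_DTD_FEATURE + " or secure-processing.";
        // Log with the cause so the log entry shows which feature the parser rejected.
        log.error(message, e);
        throw new IdentitySAML2QueryException(message, e);
    }

    // Caps the number of entity expansions the parser will perform for one document.
    SecurityManager securityManager = new SecurityManager();
    securityManager.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT);
    dbf.setAttribute(Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY, securityManager);
    return dbf;
}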
From source file:org.wso2.carbon.identity.saml.inbound.util.SAMLSSOUtil.java
/**
 * Parses a decoded AuthnRequest string into a DOM tree and unmarshalls its root element.
 *
 * <p>The parser is namespace-aware, keeps entity references unexpanded, has secure processing
 * enabled, carries a security manager limited to {@code ENTITY_EXPANSION_LIMIT} expansions and
 * resolves entities through a {@code CarbonEntityResolver}.
 *
 * @param authReqStr decoded AuthnRequest XML; surrounding whitespace is trimmed before parsing
 * @return the XMLObject unmarshalled from the document element
 * @throws IdentityException if bootstrapping, parsing or unmarshalling fails for any reason
 */
public static XMLObject unmarshall(String authReqStr) throws IdentityException {
    InputStream requestStream = null;
    try {
        doBootstrap();

        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setExpandEntityReferences(false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

        // Limits how many entity expansions a single request may trigger.
        org.apache.xerces.util.SecurityManager securityManager = new SecurityManager();
        securityManager.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT);
        factory.setAttribute(SECURITY_MANAGER_PROPERTY, securityManager);

        // NOTE(review): no external-entity or DOCTYPE feature is set on the factory, so handling
        // of external entities rests on CarbonEntityResolver, which is not visible here - confirm.
        DocumentBuilder parser = factory.newDocumentBuilder();
        parser.setEntityResolver(new CarbonEntityResolver());

        requestStream = new ByteArrayInputStream(authReqStr.trim().getBytes(StandardCharsets.UTF_8));
        Element root = parser.parse(requestStream).getDocumentElement();

        Unmarshaller unmarshaller = Configuration.getUnmarshallerFactory().getUnmarshaller(root);
        return unmarshaller.unmarshall(root);
    } catch (Exception e) {
        // Every failure, including a null input, is reported to the caller as IdentityException.
        log.error("Error in constructing AuthRequest from the encoded String", e);
        throw IdentityException.error("Error in constructing AuthRequest from the encoded String ", e);
    } finally {
        if (requestStream != null) {
            try {
                requestStream.close();
            } catch (IOException e) {
                log.error("Error while closing the stream", e);
            }
        }
    }
}
From source file:org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil.java
/**
 * Turns a decoded AuthnRequest string into an XMLObject by parsing it and unmarshalling the
 * document element.
 *
 * <p>Parsing uses a namespace-aware factory with entity-reference expansion off, secure
 * processing on, a security manager limited to {@code ENTITY_EXPANSION_LIMIT} expansions, and a
 * {@code CarbonEntityResolver} installed on the builder.
 *
 * @param authReqStr decoded AuthnRequest XML; it is trimmed before being parsed
 * @return the XMLObject unmarshalled from the document element
 * @throws org.wso2.carbon.identity.base.IdentityException if any step of bootstrapping, parsing
 *         or unmarshalling fails
 */
public static XMLObject unmarshall(String authReqStr) throws IdentityException {
    InputStream xmlStream = null;
    try {
        doBootstrap();

        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setExpandEntityReferences(false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

        // Bounds the entity expansions allowed while parsing one request.
        SecurityManager securityManager = new SecurityManager();
        securityManager.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT);
        dbf.setAttribute(SECURITY_MANAGER_PROPERTY, securityManager);

        // NOTE(review): external entities are left to CarbonEntityResolver; its behaviour is
        // not shown in this snippet, so verify it refuses them.
        DocumentBuilder domBuilder = dbf.newDocumentBuilder();
        domBuilder.setEntityResolver(new CarbonEntityResolver());

        byte[] requestBytes = authReqStr.trim().getBytes(StandardCharsets.UTF_8);
        xmlStream = new ByteArrayInputStream(requestBytes);
        Document parsed = domBuilder.parse(xmlStream);
        Element documentElement = parsed.getDocumentElement();

        return Configuration.getUnmarshallerFactory()
                .getUnmarshaller(documentElement)
                .unmarshall(documentElement);
    } catch (Exception e) {
        // All failures are logged and surfaced to the caller as IdentityException.
        log.error("Error in constructing AuthRequest from the encoded String", e);
        throw new IdentityException("Error in constructing AuthRequest from the encoded String ", e);
    } finally {
        if (xmlStream != null) {
            try {
                xmlStream.close();
            } catch (IOException e) {
                log.error("Error while closing the stream", e);
            }
        }
    }
}
From source file:org.wso2.carbon.identity.user.registration.UserRegistrationService.java
/**
 * Builds a DocumentBuilder configured to guard against XXE attacks.
 *
 * <p>The underlying factory is namespace-aware, leaves entity references unexpanded, has secure
 * processing enabled and carries a security manager limited to {@code ENTITY_EXPANSION_LIMIT}
 * expansions. The returned builder resolves entities through a {@code CarbonEntityResolver}.
 *
 * @return the configured DocumentBuilder
 * @throws ParserConfigurationException if the secure-processing feature cannot be set or the
 *         builder cannot be created
 */
private DocumentBuilder getSecuredDocumentBuilder() throws ParserConfigurationException {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(true);
    factory.setExpandEntityReferences(false);
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

    // Bounds the number of entity expansions per parsed document.
    SecurityManager expansionGuard = new SecurityManager();
    expansionGuard.setEntityExpansionLimit(ENTITY_EXPANSION_LIMIT);
    factory.setAttribute(SECURITY_MANAGER_PROPERTY, expansionGuard);

    // NOTE(review): external entities are delegated to CarbonEntityResolver, which is defined
    // elsewhere - confirm that it refuses to resolve them.
    DocumentBuilder securedBuilder = factory.newDocumentBuilder();
    securedBuilder.setEntityResolver(new CarbonEntityResolver());
    return securedBuilder;
}
From source file:org.wso2.carbon.pc.core.assets.common.AssetResource.java
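/**
 * Parses an XML string into a DOM document with external entity and external DTD loading
 * disabled.
 *
 * @param xmlString the XML text to parse
 * @return the parsed document
 * @throws IOException if reading the input fails
 * @throws SAXException if the text is not well-formed XML
 * @throws ParserConfigurationException if the parser does not support one of the hardening
 *         features; the method fails closed rather than parsing with a weaker configuration
 */
protected Document stringToXML(String xmlString)
        throws IOException, SAXException, ParserConfigurationException {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    // What secure processing restricts differs between parser implementations, so external
    // entity and external DTD loading are switched off explicitly instead of being implied.
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    DocumentBuilder builder = factory.newDocumentBuilder();
    return builder.parse(new InputSource(new StringReader(xmlString)));
}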
From source file:org.wso2.carbon.pc.core.assets.common.AssetResource.java
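/**
 * Parses XML bytes into a namespace-aware DOM document with external entity and external DTD
 * loading disabled.
 *
 * @param documentoXml the raw XML document bytes
 * @return the parsed document
 * @throws IOException if reading the input fails
 * @throws SAXException if the bytes are not well-formed XML
 * @throws ParserConfigurationException if the parser does not support one of the hardening
 *         features; the method fails closed rather than parsing with a weaker configuration
 */
protected Document getXMLDocument(byte[] documentoXml)
        throws IOException, SAXException, ParserConfigurationException {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(true);
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    // What secure processing restricts differs between parser implementations, so external
    // entity and external DTD loading are switched off explicitly instead of being implied.
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    DocumentBuilder builder = factory.newDocumentBuilder();
    return builder.parse(new ByteArrayInputStream(documentoXml));
}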
From source file:org.wso2.carbon.pc.core.assets.Process.java
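/**
 * Loads the BPMN resource associated with this process from the governance registry and parses
 * it into a DOM document.
 *
 * <p>The registry content is parsed with secure processing enabled and with external entity
 * and external DTD loading disabled.
 *
 * @return the parsed BPMN document, or {@code null} when the registry service is unavailable
 *         or the process has no package association
 * @throws ProcessCenterException if the registry lookup, parser configuration or parsing fails
 */
public Document getBpmnResource() throws ProcessCenterException {
    Document bpmnDocument = null;
    String processRegistryPath = ProcessCenterConstants.PROCESS_ASSET_ROOT + processName + "/"
            + processVersion;
    try {
        RegistryService registryService = ProcessCenterServerHolder.getInstance().getRegistryService();
        if (registryService != null) {
            UserRegistry userRegistry = registryService.getGovernanceUserRegistry(username);
            // Getting process and bpmn resource association
            Association[] processAssociations = userRegistry.getAssociations(processRegistryPath,
                    ProcessCenterConstants.PACKAGE_PROCESS_ASSOCIATION);
            if (processAssociations != null && processAssociations.length > 0) {
                // Only the first association is used.
                Resource bpmnRegistryResource = userRegistry.get(processAssociations[0].getSourcePath());
                byte[] bpmnContent = (byte[]) bpmnRegistryResource.getContent();
                InputStreamProvider inputStreamProvider = new PCInputStreamProvider(bpmnContent);

                DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
                factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
                // What secure processing restricts differs between parser implementations, so
                // external entity and external DTD loading are switched off explicitly.
                factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
                factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
                factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
                DocumentBuilder builder = factory.newDocumentBuilder();
                bpmnDocument = builder.parse(new InputSource(inputStreamProvider.getInputStream()));
            }
        }
    } catch (RegistryException | ParserConfigurationException | SAXException | IOException e) {
        String errMsg = "Error occurred while getting bpmn resources for process : " + processName
                + " version " + processVersion;
        log.error(errMsg, e);
        throw new ProcessCenterException(errMsg, e);
    }
    return bpmnDocument;
}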
From source file:org.wso2.carbon.pc.core.services.ProcessContentSearchService.java
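/**
 * Parses an XML string into a DOM document with external entity and external DTD loading
 * disabled.
 *
 * @param xmlString the XML text to parse
 * @return the parsed document
 * @throws Exception if the parser cannot be configured with the hardening features or the
 *         text cannot be parsed
 */
private Document stringToXML(String xmlString) throws Exception {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    // What secure processing restricts differs between parser implementations, so external
    // entity and external DTD loading are switched off explicitly instead of being implied.
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    DocumentBuilder builder = factory.newDocumentBuilder();
    return builder.parse(new InputSource(new StringReader(xmlString)));
}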
From source file:org.wso2.carbon.pc.core.transfer.ProcessImport.java
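/**
 * Adds the BPMN content file and the BPMN metadata file of an imported process to the registry.
 *
 * <p>Nothing is stored unless both exported files exist under {@code processDirPath}. Both
 * files come from the imported process directory and are parsed with secure processing enabled
 * and with external entity and external DTD loading disabled.
 *
 * @param processName      process name
 * @param processVersion   process version
 * @param processDirPath   process directory path
 * @param processAssetPath process path
 * @throws IOException                  if one of the files cannot be read
 * @throws SAXException                 if one of the files is not well-formed XML
 * @throws ParserConfigurationException if the parser does not support one of the hardening
 *                                      features or cannot be created
 * @throws TransformerException         if a parsed document cannot be serialized to a string
 * @throws RegistryException            if storing a resource or association in the registry fails
 */
private void setBPMN(String processName, String processVersion, String processDirPath,
        String processAssetPath) throws IOException, SAXException, ParserConfigurationException,
        TransformerException, RegistryException {
    String bpmnFilePathStr = processDirPath + "/" + ProcessCenterConstants.EXPORTED_BPMN_CONTENT_FILE;
    Path bpmnFilePath = Paths.get(bpmnFilePathStr);
    String bpmnMetaDataFilePathStr = processDirPath + "/" + ProcessCenterConstants.EXPORTED_BPMN_META_FILE;
    Path bpmnMetaDataFilePath = Paths.get(bpmnMetaDataFilePathStr);

    if (Files.exists(bpmnFilePath) && Files.exists(bpmnMetaDataFilePath)) {
        // One hardened builder is used for both the content file and the metadata file.
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // What secure processing restricts differs between parser implementations, so external
        // entity and external DTD loading are switched off explicitly instead of being implied.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        DocumentBuilder dBuilder = factory.newDocumentBuilder();

        // set bpmn content file
        File bpmnXMLFile = new File(bpmnFilePathStr);
        Document doc = dBuilder.parse(bpmnXMLFile);
        String bpmnFileContent = ProcessStore.xmlToString(doc);
        String bpmnContentResourcePath = ProcessCenterConstants.BPMN_CONTENT_PATH + processName + "/"
                + processVersion;
        if (bpmnFileContent != null && bpmnFileContent.length() > 0) {
            Resource bpmnFileResource = reg.newResource();
            bpmnFileResource.setContent(bpmnFileContent);
            bpmnFileResource.setMediaType(MediaType.APPLICATION_XML);
            reg.put(bpmnContentResourcePath, bpmnFileResource);
            reg.addAssociation(bpmnContentResourcePath, processAssetPath,
                    ProcessCenterConstants.ASSOCIATION_TYPE);
        }

        // set bpmn meta data file (contains path of the target bpmn file)
        File bpmnMetaDataXMLFile = new File(bpmnMetaDataFilePathStr);
        Document bpmnMetaDataDoc = dBuilder.parse(bpmnMetaDataXMLFile);
        String bpmnMetaDataContent = ProcessStore.xmlToString(bpmnMetaDataDoc);
        Resource bpmnMetaDataResource = reg.newResource();
        bpmnMetaDataResource.setContent(bpmnMetaDataContent);
        bpmnMetaDataResource.setMediaType(ProcessCenterConstants.WSO2_BPMN_ASSET_MEDIA_TYPE);
        String bpmnMetaDataResPath = ProcessCenterConstants.BPMN_META_DATA_FILE_PATH + processName + "/"
                + processVersion;
        reg.put(bpmnMetaDataResPath, bpmnMetaDataResource);
    }
}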
From source file:org.wso2.carbon.policy.mgt.core.util.PolicyManagerUtil.java
/**
 * Parses a file into a namespace-aware DOM document.
 *
 * <p>DOCTYPE declarations are disallowed and secure processing is enabled before the builder is
 * created, so a document carrying a DTD is rejected rather than processed.
 *
 * @param file the XML file to parse
 * @return the parsed document
 * @throws PolicyManagementException if the parser cannot be configured or the file cannot be
 *         parsed; the original exception is attached as the cause
 */
public static Document convertToDocument(File file) throws PolicyManagementException {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setNamespaceAware(true);
    try {
        // Refusing DOCTYPE outright removes both external-entity and entity-expansion inputs.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbf.newDocumentBuilder().parse(file);
    } catch (Exception e) {
        String reason = "Error occurred while parsing file, while converting "
                + "to a org.w3c.dom.Document : " + e.getMessage();
        throw new PolicyManagementException(reason, e);
    }
}