Thanks a lot for the reply and confirming the problem!
So, it seems there are two possible solutions here:
- Ignore that recommendation from JEP-403, keep the included JAXP
implementation that comes with the JRE and hope for the best ... or
- Find some other parser implementation that does not rely on Xerces and
that does implement JAXP 1.5+ (but I am not aware of one)
Any other ideas anyone?
Cheers,
Martin
On 15.01.24 at 16:24, Stanimir Stamenkov wrote:
Mon, 15 Jan 2024, /Martin/:
"Code that uses the JDK’s internal copy of the Xerces XML processor
[might fail]. Such code should instead use a standalone copy of the
Xerces library, available from Maven Central."
https://openjdk.org/jeps/403
I'm just curious, what Xerces-specific classes are you using, are you
using any?
The problem is that when including Xerces2 2.12.2 as a Maven
dependency, two properties are not recognized, which are relevant for
security (to prevent XXE attacks):
http://javax.xml.XMLConstants/property/accessExternalSchema
http://javax.xml.XMLConstants/property/accessExternalDTD
Fact is these are part of JAXP since Java 7 [1] and I think Xerces
should support them to remain a reasonably relevant implementation.
There is an open Jira topic to support these properties:
https://issues.apache.org/jira/browse/XERCESJ-1654
This was created in 2015 and I am wondering what the current status
is and what a suitable workaround might be to fulfill that
requirement of JEP-403.
Not a general workaround but for code I develop I strive to implement
specific external resource resolution and its configuration by means
of setting up an explicit 'entityResolver' [2]. I don't find the
accessExternalDTD/accessExternalSchema fail-fast behavior particularly
handy for such use cases.
If you don't have control over the implementation and would only like
to influence it via system configuration, maybe avoid including Xerces
in your runtime, for the time being.
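The two approaches discussed in this thread, as an added example that is not code from either poster or from the Xerces project: try the JAXP 1.5 accessExternalDTD/accessExternalSchema properties, detect when the loaded implementation rejects them, and in any case install an explicit EntityResolver that never fetches external content. The class name, the sample document and the example.invalid URL are constructed for illustration; which branch fires in main depends on whether the JDK-internal parser or a standalone Xerces is on the classpath.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public final class NoExternalAccessParser {
    // Constructed sample input: an internal DTD subset that declares an external entity.
    static final String SAMPLE_XML =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE note [<!ENTITY ext SYSTEM \"http://example.invalid/secret.txt\">]>\n"
        + "<note>&ext;</note>";

    // Returns true if the implementation accepted the JAXP 1.5 access properties.
    static boolean applyJaxp15Restrictions(DocumentBuilderFactory f) {
        try {
            // Empty string = no protocol is allowed for external DTDs/entities and schemas.
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            return true;
        } catch (IllegalArgumentException notSupported) {
            // A standalone Xerces 2.12.2 ends up here (XERCESJ-1654): the properties are unknown.
            return false;
        }
    }

    public static DocumentBuilder newBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        boolean jaxp15 = applyJaxp15Restrictions(f);
        DocumentBuilder b = f.newDocumentBuilder();
        // The explicit resolver works on both the JDK-internal parser and standalone Xerces:
        // every external reference resolves to empty content instead of being fetched.
        b.setEntityResolver((publicId, systemId) -> {
            System.err.println("blocked external reference: " + systemId);
            return new InputSource(new StringReader(""));
        });
        System.err.println("JAXP 1.5 access properties supported: " + jaxp15);
        return b;
    }

    public static void main(String[] args) throws Exception {
        try {
            Document doc = newBuilder().parse(new InputSource(new StringReader(SAMPLE_XML)));
            System.out.println("parsed; text content: '" + doc.getDocumentElement().getTextContent() + "'");
        } catch (SAXException denied) {
            // Implementations that enforce accessExternalDTD="" may reject the document outright.
            System.out.println("rejected: " + denied.getMessage());
        }
    }
}
```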