Hi Stanimir,
my use case is this: "A software developer having direct control over
the application implementation"
I might be misunderstanding the recommendation from JEP-403 then. In
which way is "the JDK's internal copy of the Xerces XML processor"
different from "JDK-bundled JAXP implementation"? I was assuming that
this is the same thing, as the JDK is using Xerces under the hood
as its JAXP implementation?
In the code we're importing the following:
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
Regards,
Martin
On 2024-01-16 11:57, Stanimir Stamenkov wrote:
> Tue, 16 Jan 2024, /Martin Wunderlich/:
>
>> So, it seems there are two possible solutions here:
>> - Ignore that recommendation from JEP-403, keep the included JAXP
>> implementation that comes with the JRE and hope for the best ... or
>
> As far as I get JEP-403 recommends one shouldn't refer to JDK-specific
> implementation (com.sun.org.apache.xerces.* vs. JAXP API) classes in
> code. One shouldn't be doing it anyway. You didn't answer my previous
> question - is that the case for you? JEP-403 doesn't recommend against
> using the JDK-bundled JAXP implementation in general (as default JAXP
> provider in your runtime).
>
>> - Find some other parser implementation that does not rely on Xerces
>> and that does implement JAXP 1.5+ (but I am not aware of one)
>> Any other ideas anyone?
>
> Could you specify what's your use case:
> 1. A software developer having direct control over the application
> implementation;
> 2. A system administrator trying to configure existing application
> runtime.
>
> In my previous reply I've suggested developers shouldn't rely on
> "accessExternalDTD" alone, for example.
>
> For the latter case I've suggested removing Xerces (the Apache library,
> its JARs) from the runtime configuration/packaging, and relying on the
> JDK-bundled implementation. This way one may rely on global
> "accessExternalDTD" setting, though there's a minimal chance it may
> break legitimate application functionality.
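
For the developer use case discussed in this thread, here is an added example (not code from either participant) that uses only the `javax.xml.*` JAXP API, pins the JDK-bundled provider, and layers DOCTYPE rejection on top of the JAXP 1.5 `accessExternalDTD` property. It assumes Java 9 or later for `SAXParserFactory.newDefaultInstance()`; the class name, method names and sample documents are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxExample {

    static SAXParser newHardenedParser() throws ParserConfigurationException, SAXException {
        // Java 9+: always the JDK-bundled implementation, even if another
        // JAXP provider (e.g. an Apache Xerces JAR) is on the classpath.
        SAXParserFactory factory = SAXParserFactory.newDefaultInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Do not rely on accessExternalDTD alone: reject any DOCTYPE outright
        // and switch off external entity resolution as well.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

        SAXParser parser = factory.newSAXParser();
        // JAXP 1.5 properties: an empty string means no protocol is allowed.
        parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return parser;
    }

    // Returns true if the document parses, false if the parser rejects it.
    static boolean accepts(String xml) throws Exception {
        try {
            newHardenedParser().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)), new DefaultHandler());
            return true;
        } catch (SAXException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs; the DTD URL is a placeholder that is never fetched.
        String plain = "<order><id>42</id></order>";
        String withDoctype = "<!DOCTYPE order SYSTEM \"http://example.invalid/order.dtd\"><order/>";
        System.out.println("provider: " + SAXParserFactory.newDefaultInstance().getClass().getName());
        System.out.println("plain accepted: " + accepts(plain));
        System.out.println("DOCTYPE accepted: " + accepts(withDoctype));
    }
}
```

The printed provider class name shows which JAXP implementation the runtime actually selected, without the code ever importing an implementation class.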