Class ParserProvider

java.lang.Object
overit.geocall.xml.ParserProvider

public class ParserProvider extends Object
This class provides easy-to-use security settings for the main XML parser factories and builders.
Inspired by http://openjdk.java.net/jeps/185
  • Field Details

    • secureProcessing

      protected boolean secureProcessing
    • disallowDoctypeDecl

      protected Boolean disallowDoctypeDecl
    • loadExternalDtd

      protected Boolean loadExternalDtd
    • externalGeneralEntities

      protected Boolean externalGeneralEntities
    • externalParameterEntities

      protected Boolean externalParameterEntities
    • accessExternalDtd

      protected String accessExternalDtd
    • accessExternalSchema

      protected String accessExternalSchema
    • accessExternalStylesheet

      protected String accessExternalStylesheet
    • validation

      protected boolean validation
    • catalog

      protected String catalog
    • schema

      protected Schema schema
    • spf

      protected SAXParserFactory spf
    • dbf

      protected DocumentBuilderFactory dbf
  • Constructor Details

    • ParserProvider

      public ParserProvider()
      Tool for parsing XML securely. By default it configures all the factories with FEATURE_SECURE_POLICY, but it offers further methods (most of them proprietary) to customize the parsers and prevent security issues.
      See https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
    • ParserProvider

      public ParserProvider(boolean secureProcessing)
      Tool for parsing XML securely. It configures all the factories with FEATURE_SECURE_POLICY depending on the secureProcessing parameter, but it offers further methods (most of them proprietary) to customize the parsers and prevent security issues.
      See https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
      Parameters:
      secureProcessing - true to configure the factories with the FEATURE_SECURE_POLICY feature
  • Method Details

    • setDisallowDoctypeDecl

      public void setDisallowDoctypeDecl(boolean disallowDoctypeDecl)
      Defines whether a DOCTYPE declaration is allowed in the XML to be processed.
      Parameters:
      disallowDoctypeDecl - true to allow and false to get an error if the XML has any kind of DOCTYPE declaration
    • setLoadExternalDtd

      public void setLoadExternalDtd(boolean loadExternalDtd)
      Defines whether loading an external DTD is allowed for the XML to be processed.
      Parameters:
      loadExternalDtd - true to allow and false to get an error if the XML DOCTYPE refers to an external file
    • setExternalGeneralEntities

      public void setExternalGeneralEntities(boolean externalGeneralEntities)
      Defines whether loading external general entities is allowed for the XML to be processed.
      Parameters:
      externalGeneralEntities - true to allow and false to get an error when resolving external general entities
    • setExternalParameterEntities

      public void setExternalParameterEntities(boolean externalParameterEntities)
      Defines whether loading external parameter entities is allowed for the XML to be processed.
      Parameters:
      externalParameterEntities - true to allow and false to get an error when resolving external parameter entities
    • setAccessExternalDtd

      public void setAccessExternalDtd(String accessExternalDtd)
      Defines the list of URI schemes (protocols) permitted for external DTDs.
      Parameters:
      accessExternalDtd - the comma-separated list of URI schemes permitted for external DTDs, or ALL to permit all of them, or an empty string to permit none
    • setAccessExternalSchema

      public void setAccessExternalSchema(String accessExternalSchema)
      Defines the list of URI schemes (protocols) permitted for external schemas.
      Parameters:
      accessExternalSchema - the comma-separated list of URI schemes permitted for external schemas, or ALL to permit all of them, or an empty string to permit none
    • setAccessExternalStylesheet

      public void setAccessExternalStylesheet(String accessExternalStylesheet)
      Defines the list of URI schemes (protocols) permitted for external stylesheets.
      Parameters:
      accessExternalStylesheet - the comma-separated list of URI schemes permitted for external stylesheets, or ALL to permit all of them, or an empty string to permit none
    • setValidation

      public void setValidation(boolean validation)
      Requests DTD or schema validation of the XML sources.
      Parameters:
      validation - true to enable DTD or schema validation
    • setCatalog

      public void setCatalog(String catalogPath, Object caller)
      Defines the catalog file to load. A catalog contains the mapping between a remote XSD URL and the corresponding local file.
      The catalog will not be used if setValidation(boolean) has been set to false.
      Parameters:
      catalogPath - Catalog's path, resolved by TreeFactory. It can be relative to the caller or absolute, depending on the path format. A path starting with // is absolute and already resolved; it will not be changed. A path starting with + will be translated to overit/geocall/basic/ and then resolved. Otherwise the path will be searched across all the layer customizations, relative to the position of the caller. If the caller is null, the path is taken to be absolute; otherwise the path is absolute if it starts with a leading /, or else relative to the caller's position. In both cases the path will be resolved.
      caller - the object requesting the path. It can sometimes carry an Identity with a CustomLayer
    • setSchema

      public void setSchema(Schema schema)
      Sets the schema that will be used to validate the XML source during parsing. The schema will not be used if setValidation(boolean) has been set to false.
      Parameters:
      schema - the validating schema
    • getDocumentBuilderFactory

      public DocumentBuilderFactory getDocumentBuilderFactory() throws ParserConfigurationException
      Provides a DocumentBuilderFactory based on the current object configuration.
      Returns:
      a DocumentBuilderFactory based on current object configuration
      Throws:
      ParserConfigurationException - if there is any problem setting up the factory to respect the current object configuration
    • newDocumentBuilder

      public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException
      Creates a new DocumentBuilder based on the current object configuration.
      Returns:
      a new DocumentBuilder based on the current object configuration
      Throws:
      ParserConfigurationException - if there is any problem setting up the parser to respect the current object configuration
    • getSAXParserFactory

      public SAXParserFactory getSAXParserFactory() throws ParserConfigurationException, SAXException
      Provides a SAXParserFactory based on the current object configuration.
      Returns:
      a SAXParserFactory based on current object configuration
      Throws:
      ParserConfigurationException - if there is any problem setting up the factory to respect the current object configuration
      SAXException - if there is an exception setting up the factory to respect the current object configuration
    • newSAXParser

      public SAXParser newSAXParser() throws ParserConfigurationException, SAXException
      Creates a new SAXParser based on the current object configuration.
      Returns:
      a new SAXParser based on the current object configuration
      Throws:
      ParserConfigurationException - if there is any problem setting up the parser to respect the current object configuration
      SAXException - if there is an exception setting up the parser to respect the current object configuration
    • getXsdCatalogResolver

      protected org.apache.xml.resolver.tools.CatalogResolver getXsdCatalogResolver()
      Collects the xsd_catalog.xml files of every package in order to create a catalog of the local XSD files. Each catalog entry is a mapping between the remote XSD's URL and the relative local file.
      This is useful when the online XSD cannot be reached.
      Returns:
      CatalogResolver created from the collected catalog.