...
In order to take advantage of the secure XML processing defaults of the library, it is strongly recommended that you use our wrapper of JAXP DocumentBuilderFactory. BasicParserPool from our java-support utility library is a thread-safe implementation of a pool of DocumentBuilder instances that provide a secure default configuration, addressing the common classes of XML processing security vulnerabilities.
Basic usage of the pool implementation would be similar to the following:
| Code Block | ||
|---|---|---|
| ||
// One-time instantiation and init for the entire application.
BasicParserPool pp = new BasicParserPool();
pp.initialize();
// Runtime parsing
Document doc = getParserPool().parse(inputStream); // or Reader |
Custom JAXP-Based Processing
...
- Set
coalescingtotrue(mandatory as of OpenSAML v3.4, see warning below) - Set
ignoringCommentstotrue(mandatory as of OpenSAML v3.4, see warning below) - Set
expandEntityReferencestofalse - Set feature
http://apachejavax.org/xml.XMLConstants/featuresfeature/disallow-doctype-declto truesecure-processingtotrue - Set feature
http://javaxapache.org/xml.XMLConstants/featurefeatures/secure-processingtotruedisallow-doctype-declto true
Custom Non-JAXP-Based Processing
If you wish to use an entirely different, non-JAXP approach for XML processing, it is strongly suggested that you applyconfiguration apply configuration settings that implement the equivalent of the custom JAXP guidelines above for the XML processing library or framework in use. You are wholly responsible for determining how to do that. In particular, you must be mindful of the comment and CDATA Node requirement as warned below.
| Warning |
|---|
In particularWhichever approach you use, note that as OpenSAML v3.4 , you must not surface comment or CDATA |
...