Library JAXP-Based Processing Using ParserPool
In order to take advantage of the secure XML processing defaults of the library, it is strongly recommended that you use our wrapper of JAXP DocumentBuilderFactory
. BasicParserPool
from our java-support utility library is a thread-safe implementation of a pool of DocumentBuilder
instances that provide a secure default configuration, addressing the common classes of XML processing security vulnerabilities.
Custom JAXP-Based Processing
If you wish to use a different approach to parse XML into a DOM involving your own JAXP DocumentBuilderFactory
and DocumentBuilder
instances , the following DocumentBuilderFactory
settings are strongly recommended and/or mandatory for secure processing:
- Set
coalescing
totrue
(mandatory as of OpenSAML v3.4, see warning below) - Set
ignoringComments
totrue
(mandatory as of OpenSAML v3.4, see warning below) - Set
expandEntityReferences
tofalse
- Set feature
http://javax.xml.XMLConstants/feature/secure-processing
totrue
- Set feature
http://apache.org/xml/features/disallow-doctype-decl
to true
Custom Non-JAXP-Based Processing
If you wish to use an entirely different, non-JAXP approach for XML processing, it is strongly suggested that you applyconfiguration settings that implement the equivalent of the custom JAXP guidelines for the XML processing library or framework in use.
In particular, note that as OpenSAML v3.4, you must not surface comment or CDATA Node
instances in the parsed DOM. DOM elements containing either comment or CDATA Node
children will be rejected by the OpenSAML unmarshalling framework, resulting in a thrown UnmarshallingException
.