4

I am using the Piccolo jar and creating an XML reader using XMLReaderFactory. I need to set the secure processing feature, and hence I did it this way:

    xmlReader = XMLReaderFactory.createXMLReader("com.bluecast.xml.Piccolo");
    xmlReader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

But this is throwing an error:

    org.xml.sax.SAXNotRecognizedException: http://javax.xml.XMLConstants/feature/secure-processing
        at com.bluecast.xml.Piccolo.setFeature(Piccolo.java:937)

I had an old xercesImpl.jar which has been replaced by xercesImpl-2.9.1.jar, but I am still getting the same error. I googled and didn't find any concrete solutions.

Please help. Any ideas are appreciated.

palacsint
Srikanth Sridhar

2 Answers

3

So the constant XMLConstants.FEATURE_SECURE_PROCESSING has value http://javax.xml.XMLConstants/feature/secure-processing

According to the source code here (the latest is 1.04), a big if-else block checks to see if this value is one of the allowable features and, if not, throws this exception. And in fact, it is not one of the values judged to be legal, and therefore the exception is thrown.

As per SAXParserFactory, we read

All implementations are required to support the javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING feature.

Piccolo implements Parser though and not SAXParser. So all in all I would say Piccolo does not support that feature. Perhaps I would say use a different XMLReader which does support it.

demongolem
3

Interestingly enough, Oracle JDK's internal Xerces version of XMLReaderFactory for SAX2 also does not offer this feature setter. I am not sure what, or what the recommended alternative is supposed to be. There is a workaround for that, like this:

    SAXParserFactory spf = SAXParserFactory.newInstance();
    spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    XMLReader reader = spf.newSAXParser().getXMLReader();

Strange. Internally it maps to a security manager (com.sun.org.apache.xerces.internal.utils.XMLSecurityManager) with different entity expansion limits. In addition it sets the new properties XMLConstants.ACCESS_EXTERNAL_DTD and XMLConstants.ACCESS_EXTERNAL_SCHEMA to "" (no external access).

eckes
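The SAXParserFactory workaround from the answer above, carried through to a reader that fails closed when hardening cannot be applied. This is an added example, not code from either answer; the class name, helper names and sample documents are constructed for illustration, and it assumes the JDK's built-in parser (JAXP 1.5, Java 7u40 or later) is the one SAXParserFactory selects.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class SecureSaxReader {  // hypothetical class name

    /** Builds an XMLReader via SAXParserFactory. Any parser that does not
     *  recognise a setting throws here, so callers never get an unhardened reader. */
    static XMLReader newSecureReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        SAXParser parser = spf.newSAXParser();
        // Set explicitly rather than relying on the implementation's defaults:
        // an empty string means no protocol may be used for external access.
        parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return parser.getXMLReader();
    }

    /** Returns true if the document parsed, false if the parser rejected it. */
    static boolean parses(XMLReader reader, String xml) throws IOException {
        reader.setContentHandler(new DefaultHandler());
        try {
            reader.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        XMLReader reader = newSecureReader();
        // Constructed sample inputs: one plain document, one referencing an external DTD.
        String plain = "<order id=\"1\"><item>book</item></order>";
        String externalDtd = "<!DOCTYPE order SYSTEM \"http://example.invalid/order.dtd\">"
                + "<order id=\"1\"/>";
        System.out.println("plain parsed: " + parses(reader, plain));
        System.out.println("external DTD parsed: " + parses(reader, externalDtd));
    }
}
```

If a third-party parser on the classpath (such as an older xercesImpl jar) is selected instead and does not recognise the JAXP 1.5 properties, newSecureReader() throws SAXNotRecognizedException, which is the intended fail-closed behaviour.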