Wednesday Apr 18, 2007
I recently revisited the release notes for JAXP 1.4.0 and 1.4.1 and felt it necessary to update the compatibility guide so that it describes the current implementation of this feature more completely.
Many of you are already familiar with this feature, but I thought a summary might be beneficial to people who are new to JAXP or who want to use the default XML processing in J2SE 6.
The secure processing feature, identified by the constant FEATURE_SECURE_PROCESSING, was added in JAXP 1.3/J2SE 5 as described in the compatibility guide. The feature was designed to mitigate the security risk posed by entity resolution and by large constructs that can lead to denial-of-service attacks. When the feature is turned on, default limits are applied to entity expansion (64,000 by default) and to the number of attributes per element (10,000 by default). These numbers are experimental in the sense that they were tested on a general platform and found to give acceptable performance. Users may perform their own tests and reset the limits. Refer to the Feature for Secure Processing section of the compatibility guide for how to reset the limits.
Another restriction imposed by the security feature concerns extension functions. The feature can be turned on and off through the factories. Again, please refer to the Feature for Secure Processing section of the compatibility guide.
In JAXP 1.4/J2SE 6, the security feature is turned on by default for the DOM and SAX parsers. That is, the JAXP 1.4 RI applies the default limits on entity expansion and on the number of attributes per element. JAXP 1.4 also added a limit on maxOccurs in XML Schema, as described in the JAXP 1.4 Release Notes; that limit defaults to 5,000. Again, this is an experimental number, chosen on the reasoning that such large values occur very rarely in practical applications.
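The following is an added example, not code from the post or from the JAXP RI, showing how an application enables the feature explicitly on the DOM, SAX and transformer factories so that the limits (and the extension-function restriction) are in force regardless of the JAXP version's default; the class and method names are mine, and the XML input is a constructed sample.

```java
import java.io.ByteArrayInputStream;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class SecureProcessingDemo {
    // Turn the feature on explicitly. JAXP 1.4 already defaults DOM and SAX to
    // true, but the explicit call also covers JAXP 1.3 / J2SE 5 deployments.
    static DocumentBuilderFactory hardenedDomFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    static SAXParserFactory hardenedSaxFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    // The same feature on the transformer factory is what enforces the
    // extension-function restriction mentioned in the post.
    static TransformerFactory hardenedTransformerFactory() throws Exception {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    // Parse with the limits in force. Input exceeding the entity-expansion or
    // attribute-count limit is rejected with a SAXParseException instead of
    // consuming memory and CPU until the JVM runs out.
    static String parseRootName(String xml) throws Exception {
        DocumentBuilder b = hardenedDomFactory().newDocumentBuilder();
        try {
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
            return d.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();   // log and discard the input
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: one small internal entity, far below the 64,000 limit.
        String xml = "<!DOCTYPE doc [<!ENTITY x \"hi\">]><doc>&x;&x;</doc>";
        System.out.println(parseRootName(xml));
    }
}
```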
Going forward, we're re-evaluating the current security implementation and think that some enhancements might be necessary. We would love to hear about your experiences in securing your applications and any comments on this topic. Here's a link to the JAXP Forum. Thanks.