'Spotlight on GlassFish 4.1' is a series of posts by David Delabassee that
highlights specific enhancements of the upcoming GlassFish 4.1 release.
It could be a new feature, a fix, a behaviour change, a tip, etc.
#4 JAXP 1.5 accessExternalSchema
GlassFish 4.1 supports recent JDK versions (JDK 7 u65+ and JDK 8
u5+). Sometimes those newer JDKs have side effects, as they
bring new features too.
For example, JAXP 1.5 (JDK 7u40+ and JDK 8+) introduced several
properties that set restrictions when JAXP is used to process
untrusted XML content. And by default, those restrictions are set!
GF 4.1 is configured to offer the behavior of GF 4.0 used with an
older JAXP release (prior to JAXP 1.5), i.e. no restriction on schema
processing. So by default, a GF 4.1 domain.xml is configured with the following JVM option to allow all schemas to be processed:

    <jvm-options>-Djavax.xml.accessExternalSchema=all</jvm-options>
This configuration obviously assumes that your external XML
content is trusted or at least sanitised by an XML firewall. This is
applicable to JAXP 1.5 (and above).
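
Where some of the XML an application handles is not trusted, the same restriction can be put back on an individual SchemaFactory, since a property set on a factory takes precedence over the JVM-wide system property. The following is an added example, not code from the original post or from GlassFish; the class name and the two schemas are constructed for illustration, and it assumes a JDK with JAXP 1.5.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.SchemaFactory;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import org.xml.sax.SAXException;

public class ExternalSchemaAccessDemo {

    // Constructed sample: a small schema that will be pulled in through xs:import.
    static final String TYPES_XSD =
        "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema' targetNamespace='urn:example:types'>"
      + "<xs:simpleType name='Code'><xs:restriction base='xs:string'/></xs:simpleType></xs:schema>";

    // Constructed sample: the main schema, importing the one above by schemaLocation.
    static String mainXsd(String location) {
        return "<xs:schema xmlns:xs='http://www.w3.org/2001/XMLSchema' xmlns:t='urn:example:types'>"
             + "<xs:import namespace='urn:example:types' schemaLocation='" + location + "'/>"
             + "<xs:element name='order' type='t:Code'/></xs:schema>";
    }

    /** Compiles the main schema under the given accessExternalSchema value; true if it loads. */
    static boolean compiles(String mainSchema, String allowedProtocols) {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        try {
            // Overrides -Djavax.xml.accessExternalSchema for this factory only.
            // "" denies every protocol; a comma-separated list such as "file" allows only those.
            sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, allowedProtocols);
            sf.newSchema(new StreamSource(new StringReader(mainSchema)));
            return true;
        } catch (SAXException e) {
            // The imported schemaLocation used a protocol that is not allowed.
            System.out.println("  rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        Path types = Files.createTempDirectory("schemas").resolve("types.xsd");
        Files.write(types, TYPES_XSD.getBytes(StandardCharsets.UTF_8));
        String main = mainXsd(types.toUri().toString()); // file: URI of the imported schema

        System.out.println("accessExternalSchema=\"\"     -> " + compiles(main, ""));
        System.out.println("accessExternalSchema=\"file\" -> " + compiles(main, "file"));
    }
}
```

With the empty value the import is refused and newSchema fails; with "file" the local import loads, while schema locations using other protocols such as http stay blocked.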