Summary
Add a JAXP configuration template for creating custom configuration files that can then be used to test and verify the readiness of applications for the upcoming change to a more secure configuration by default.
Problem
The JDK has been on a path for many releases to make XML processing more secure by default. Such a change raises serious incompatibility issues that may create an upgrade challenge for applications and deployments that have not adopted the security features and configuration options added over the last 10+ years. Steps need to be taken to raise awareness among developers and help them prepare their applications for the stricter configuration.
Solution
Add a JAXP Configuration template, jaxp-strict.properties.template, at the same location, $JAVA_HOME/conf, as the default configuration file jaxp.properties. This template can be used to create a custom JAXP Configuration File (https://docs.oracle.com/en/java/javase/22/docs/api/java.xml/module-summary.html#Conf_CF) that can then be used to test and verify the readiness of an application for a stricter configuration.
The settings in this file are more restrictive than those in the default configuration, jaxp.properties. In particular:
- JDKCatalog resolve is set to "strict"
- Extension functions are disabled
- JAXP limits are set to smaller values
A configuration file created from this template allows deployments to test the more secure/strict behavior and identify issues such as a processor that unknowingly makes outbound network connections to fetch a DTD, or that processes XML relying on extension functions. It can be used to override the default configuration, jaxp.properties, with the system property java.xml.config.file. The following is an example demonstrating how it works:
cp $JAVA_HOME/conf/jaxp-strict.properties.template /path/to/jaxp-strict.properties
java -Djava.xml.config.file=/path/to/jaxp-strict.properties myApp
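The following readiness probe is an added example, not part of the CSR or the JDK's own code. It exercises two of the behaviors the template tightens (resolution of an external DTD that is not in the JDK's built-in catalog, and an XSLTC Java extension function) so the same class can be run once with the JDK defaults and once with -Djava.xml.config.file pointing at a copy of the template; the file name JaxpReadinessCheck and the expectation that the strict catalog setting rejects the constructed file: DTD reference are assumptions.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;
import org.xml.sax.InputSource;

/** Run once with the JDK defaults and once with
 *  java -Djava.xml.config.file=/path/to/jaxp-strict.properties JaxpReadinessCheck
 *  and compare the output of the two runs. (Assumed class name; example code.) */
public class JaxpReadinessCheck {

    // Check 1: a DOCTYPE pointing at a DTD that is not in the JDK's built-in catalog.
    // The DTD is a constructed temp file so the default configuration resolves it offline;
    // with the strict catalog setting the unknown reference is expected to be rejected (assumption).
    static String externalDtdCheck() throws Exception {
        Path dtd = Files.createTempFile("probe", ".dtd");
        Files.writeString(dtd, "<!ELEMENT note (#PCDATA)>");
        String xml = "<!DOCTYPE note SYSTEM \"" + dtd.toUri() + "\"><note>hi</note>";
        try {
            DocumentBuilderFactory.newInstance().newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml)));
            return "external DTD: resolved (processor follows unknown DTD references)";
        } catch (Exception e) {
            return "external DTD: rejected -> " + e.getClass().getSimpleName() + ": " + e.getMessage();
        } finally {
            Files.deleteIfExists(dtd);
        }
    }

    // Check 2: a stylesheet calling a Java method through XSLTC's java extension namespace.
    // Compiling it fails when extension functions are disabled.
    static String extensionFunctionCheck() {
        String xsl = "<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
            + " xmlns:math='http://xml.apache.org/xalan/java/java.lang.Math'>"
            + "<xsl:template match='/'><xsl:value-of select='math:abs(-7)'/></xsl:template>"
            + "</xsl:stylesheet>";
        try {
            TransformerFactory.newInstance().newTransformer(new StreamSource(new StringReader(xsl)));
            return "extension functions: enabled";
        } catch (Exception e) {
            return "extension functions: disabled -> " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(externalDtdCheck());
        System.out.println(extensionFunctionCheck());
    }
}
```

A check that reports "resolved" or "enabled" under the strict configuration but an application still relies on it indicates code that needs to be adjusted before the stricter defaults arrive.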
Specification
N/A
CSR of: JDK-8330542 Template for Creating Strict JAXP Configuration File (Resolved)