Summary

Disallow, by default, XML processors from making outbound network connections.

Problem

Processing an XML document with a reference to an external entity may require making an outbound network connection to resolve the reference. An XML document that references an external Document Type Definition (DTD) is one case where the processing may make an outbound network connection. Other cases arise with references to an

XML eXternal Entity (XXE),
XML Schema Definition (XSD), or
eXtensible Stylesheet Language Transformations (XSLT).

External XML entities are an integral part of XML technology, enabling modularity, reusability and consistency within XML-base systems. However, it does come with several drawbacks in availability, performance and security. It would be desirable to disallow XML processors in the JDK to make outbound network connections by default. This would improve availability, performance, and security both for Java applications and third parties hosting external XML resources. Using outbound network connections would still be possible, but only after being deliberately enabled by granting certain explicit permissions.

Solution

Set a strict default configuration on the JDK by changing the default setting of the JDK Catalog's resolve property jdk.xml.jdkcatalog.resolve from continue to strict.

This change will disallow XML processors from making outbound network connections unless the external entities are in the JDK built-in Catalog. To resolve migration issues, applications may choose solutions already provided by the JDK, that include:

• XML Catalogs
• XML Resolvers such as Entity Resolvers for SAX and DOM
• The built-in JDK Catalog (the JDK Catalog)
• External Access Properties

If these solutions are not feasible, applications may also opt to regain compatibility by overriding the JDK default configuration with a custom JAXP Configuration File. A custom configuration file can be created by copying the JAXP Configuration template jaxp-compat.properties.template provided in the JDK, and then set up with the system property java.xml.config.file. The following is an example demonstrating how it works:

cp $JAVA_HOME/conf/jaxp-compat.properties.template /path/to/jaxp-compat.properties
java -Djava.xml.config.file=/path/to/jaxp-compat.properties myApp

Applications may also reset the JDK Catalog's resolve property jdk.xml.jdkcatalog.resolve to continue to reverse the change proposed in this solution:

   java -Djdk.xml.jdkcatalog.resolve=continue myApp 

Specification

The JDK Catalog's Resolve property jdk.xml.jdkcatalog.resolve is set as follows:

• set the default value of the property to "strict"

• set the value of the resolve property to "strict" in the default JAXP Configuration File jaxp.properties. The setting will be as the following:

  jdk.xml.jdkcatalog.resolve=strict

Add a JAXP Configuration template jaxp-compat.properties.template located at the same location, $JAVA_HOME/conf, as the default configuration file jaxp.properties. The settings in the configuration are similar to those in the default configuration prior to this change except that the JDKCatalog' Resolve property is set to "continue". The template is as attached.