JDK-8352095

Add an allowlist for accessing XML external resources

    • Type: CSR
    • Resolution: Unresolved
    • Priority: P4
    • Component: xml
    • Compatibility Kind: behavioral
    • Compatibility Risk: minimal
    • Compatibility Risk Description: No compatibility risk. There would be no behavior change if only this property was set, since it does not enable any more (or less) access by itself.
    • Interface Kind: System or security property
    • Scope: JDK

      Summary

      Add an allowlist property that enables developers to define a set of external resources directly accessible by the XML processors.

      Problem

      The Java XML API and JDK provide two levels of control for accessing external resources: fine-grained control through resolvers, catalogs and the JDK built-in catalog, and broad restrictions via External Access Properties and the built-in catalog's RESOLVE property.

      • Fine-Grained Control: Resolvers and Catalogs allow applications to specify access by matching individual URIs. This requires listing every necessary resource, making it tedious and difficult to maintain.

      • Broad Restrictions: properties that manage external access at a higher level. In the API, the External Access Properties define allowed or denied protocols, while in the JDK, the jdk.xml.jdkcatalog.resolve property applies an even broader rule, either allowing or blocking all network access.

      There is no intermediate level of control that allows applications to selectively permit access to a subset of network resources, such as a trusted domain or local/file resources. This lack of flexibility makes it difficult to quickly restore compatibility after enabling broad restrictions without manually listing every required resource.

      Solution

      Introduce an allowlist property that enables developers to define a set of allowed resources. This property would supplement the existing access control mechanism, ensuring a balance between security and flexibility. Compared to Fine-Grained Controls such as Catalogs, which require exact System Id or URI matches, this property can be used to permit a subset of network activities, such as access to a trusted domain, without the need to specify each individual resource.

      In comparison with the Broad Restrictions such as External Access Properties, which grant or deny access on protocol-level rules (e.g. allowing or blocking all http access), this property enables selective access to specific sources, offering more flexibility without fully opening or closing entire categories of network access.

      Feature Details

      • A new property jdk.xml.resource.allowlist allowing users to specify URI prefix-based access control
      • Support standard and trusted domain entries, e.g. http://www.w3c.org
      • Support a select set of resources such as http://www.foo.com/dtds
      • Allow referencing local files or embedded resources such as file:/, file:/myapp/dtds, jar:file:/

      This property provides batch access, allowing users to specify access at an intermediate level between the broad access properties and the fine-grained resolver and catalog feature.

      For compatibility, this property makes it easy to regain compatibility after enabling the broad-based access restriction: no code change is needed (as it would be with a resolver), and there is no need to identify and list every resource required by the application.

      Specification

      Add an implementation-specific property: jdk.xml.resource.allowlist.

      Property Name: jdk.xml.resource.allowlist

      System Property: jdk.xml.resource.allowlist

      Description: Specifies allowed external resources as a list of URI prefixes such as http://java.sun.com. Instructs an XML processor to continue reading resources matching an entry in this list, if the resources have not been resolved by a resolver or catalog.

      URI prefix: the leading portion of a URI string; any URI that starts with the specified prefix is considered a match. For example, the allowlist entries http://java.sun.com and http://java.sun.com/dtd/ would both match http://java.sun.com/dtd/web-app_2_3.dtd.

      Value Type: String

      Value: A comma-separated list of URI prefixes. The scheme and host are case insensitive; all other components are case sensitive. For example, http://java.sun.com is equivalent to HTTP://java.sun.com or http://java.Sun.com. However, http://java.sun.com/dtd/ will not match http://java.sun.com/DTD/.

      Default Value: http://java.sun.com, http://xmlns.jcp.org, http://www.w3.org, file:/, jar:file:/, jrt:/
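      The matching rules above (prefix match, case-insensitive scheme and host, case-sensitive remainder) are small enough to model directly. The following is an added illustration written for this page, not the JDK's own implementation of jdk.xml.resource.allowlist; it parses the documented default value, folds case the way the specification describes, and checks the page's own examples plus a constructed unlisted host. The class name, helper names and the example.org / example.com URIs are assumptions made for the demonstration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/**
 * Illustration (not the JDK's implementation) of the matching rules that the
 * jdk.xml.resource.allowlist specification describes: entries are URI prefixes,
 * scheme and host compare case-insensitively, everything else case-sensitively.
 */
public class AllowlistPrefixDemo {

    /** Default value as given in the CSR text. */
    static final String DEFAULT_ALLOWLIST =
        "http://java.sun.com, http://xmlns.jcp.org, http://www.w3.org, file:/, jar:file:/, jrt:/";

    /** Lower-case the scheme and, for URIs with an authority, the host part; keep the rest as-is. */
    static String normalize(String uri) {
        int colon = uri.indexOf(':');
        if (colon < 0) {
            return uri; // no scheme: nothing to fold
        }
        String scheme = uri.substring(0, colon).toLowerCase(Locale.ROOT);
        String rest = uri.substring(colon); // starts with ':'
        if (rest.startsWith("://")) {
            int slash = rest.indexOf('/', 3);
            String authority = slash < 0 ? rest.substring(3) : rest.substring(3, slash);
            String path = slash < 0 ? "" : rest.substring(slash);
            return scheme + "://" + authority.toLowerCase(Locale.ROOT) + path;
        }
        return scheme + rest; // file:/, jar:file:/, jrt:/ : only the scheme is folded
    }

    /** Split the comma-separated property value into normalized prefixes. */
    static List<String> parseAllowlist(String value) {
        List<String> prefixes = new ArrayList<>();
        for (String entry : value.split(",")) {
            String trimmed = entry.trim();
            if (!trimmed.isEmpty()) {
                prefixes.add(normalize(trimmed));
            }
        }
        return prefixes;
    }

    /** True if the system identifier starts with any allowlisted prefix. */
    static boolean isAllowed(List<String> prefixes, String systemId) {
        String normalized = normalize(systemId);
        for (String prefix : prefixes) {
            if (normalized.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    private static void check(boolean actual, boolean expected, String what) {
        if (actual != expected) {
            throw new AssertionError(what + ": expected " + expected + " but got " + actual);
        }
        System.out.println((expected ? "allowed " : "blocked ") + what);
    }

    public static void main(String[] args) {
        List<String> defaults = parseAllowlist(DEFAULT_ALLOWLIST);

        // Examples taken from the specification text.
        check(isAllowed(defaults, "http://java.sun.com/dtd/web-app_2_3.dtd"), true, "java.sun.com DTD");
        check(isAllowed(defaults, "HTTP://java.Sun.com/dtd/web-app_2_3.dtd"), true, "scheme/host case folded");
        check(isAllowed(parseAllowlist("http://java.sun.com/dtd/"), "http://java.sun.com/DTD/web-app_2_3.dtd"),
              false, "path is case sensitive");

        // Local and embedded resources covered by the default entries.
        check(isAllowed(defaults, "file:/opt/myapp/dtds/app.dtd"), true, "local file");
        check(isAllowed(defaults, "jar:file:/opt/myapp/app.jar!/dtds/app.dtd"), true, "jar-embedded resource");

        // A host outside the list is not matched (constructed example URI).
        check(isAllowed(defaults, "http://dtd.example.org/app.dtd"), false, "unlisted host");

        // A trusted-domain entry, as the CSR suggests, without listing each resource (constructed).
        List<String> custom = parseAllowlist(DEFAULT_ALLOWLIST + ", https://schemas.example.com");
        check(isAllowed(custom, "https://schemas.example.com/v2/order.xsd"), true, "trusted domain entry");
    }
}
```

      The model only decides whether a system identifier matches a prefix; in the JDK the decision is consulted by the XML processors after resolvers and catalogs have had their chance, as the Description states. Entries are compared as plain strings after case folding, so a trailing-slash difference or a path case difference is a non-match, which is why an entry should be written exactly as the resource's path will appear.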


      This change is documented in the module-summary. A new row for the property is added to the implementation-specific properties table. Below is the diff:

      + * <tr>
      + * <td id="ALLOWLIST">{@systemProperty jdk.xml.resource.allowlist}</td>
      + * <td>Establishes an allowlist of base URIs. Instructs an XML processor to continue
      + * reading resources with URIs prefixed by a base URI in the list, if the resources
      + * have not been resolved by a resolver or catalog.
      + * </td>
      + * <td style="text-align:center">String</td>
      + * <td rowspan="2">
      + * A comma-separated list of URI prefixes. The scheme and host are case insensitive,
      + * all other components are case sensitive. {@code http://java.sun.com} for example,
      + * is equivalent to {@code HTTP://java.sun.com} or {@code http://java.Sun.com}.
      + * {@code http://java.sun.com/dtd/} however, will not match {@code http://java.sun.com/DTD}.
      + * </td>
      + * <td style="text-align:center">{@code http://java.sun.com, http://xmlns.jcp.org, http://www.w3.org, file:/, jar:file:/, jrt:/}</td>
      + * <td style="text-align:center">No</td>
      + * <td style="text-align:center">Yes</td>
      + * <td style="text-align:center">
      + *     <a href="#DOM">DOM</a><br>
      + *     <a href="#SAX">SAX</a><br>
      + *     <a href="#StAX">StAX</a><br>
      + *     <a href="#Validation">Validation</a><br>
      + *     <a href="#Transform">Transform</a>
      + * </td>
      + * <td style="text-align:center"><a href="#Processor">Method 1</a></td>
      + * <td style="text-align:center">25</td>
      + * </tr>
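      Review bot: the javadoc example on the `{@code http://java.sun.com/DTD}` line drops the trailing slash that the Specification section uses (`http://java.sun.com/DTD/`); the two should agree, and `{@code http://java.sun.com/DTD/}` keeps the comparison path-for-path. The first cell also calls the entries "base URIs" while the value cell and the Specification call them "URI prefixes"; one term throughout would avoid readers wondering whether the two differ. Finally, `rowspan="2"` on the value cell implies a second table row shares it; confirm that row exists in the table, otherwise the column layout shifts.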
      

            Assignee: Joe Wang (joehw)
            Reporter: Joe Wang (joehw)