Summary
Add a property jdk.xml.resource.access to support grouped XML resource access via domains, wildcards, and protocols.
Problem
There are two key issues with how JAXP and the JDK currently regulate external resource access:
- Inconsistency in Security Directives:
JAXP’s primary security mechanism is FEATURE_SECURE_PROCESSING(FSP), which directs implementations to enforce secure behaviors according to a general security paradigm. However, the introduction of External Access Properties(EAPs) added protocol-based access controls in the API, diverging from the original, unified FSP-driven approach and creating inconsistency in managing secure processing.
Lack of Fine-Grained Access Controls: Both EAPs and the jdk.xml.jdkcatalog.resolve property (introduced with the JDK’s built-in catalog in JDK 22) offer only coarse access restrictions:
- External Access Properties (EAPs):
These properties allow or deny access based on network protocols (e.g., allowing all “http” resources), with global keywords (like “all” or “”) to permit or deny all access. They do not enable selection by specific domains or resource patterns.
- jdk.xml.jdkcatalog.resolve Property: This property governs access to resources not listed in the catalog, offering simple “allow”, “deny”, or “ignore” options, but lacking granularity.
- External Access Properties (EAPs):
These properties allow or deny access based on network protocols (e.g., allowing all “http” resources), with global keywords (like “all” or “”) to permit or deny all access. They do not enable selection by specific domains or resource patterns.
Both mechanisms fail to provide flexibility for fine-grained control, such as restricting access to a customized set of trusted domains. Catalogs can help by explicitly listing resources, but managing them becomes impractical with large or legacy codebases, creating operational burdens for maintainers.
Given these issues, there is a need to:
- Re-align external resource access control with the FSP-based security model.
- Introduce an improved, JDK-specific property that enables straightforward yet flexible configuration for precise external resource access in a range of situations.
Solution
Solution Overview
The proposed solution comprises three main actions:
- Reinstate the FSP-Driven Security Paradigm and Deprecate EAPs:
Return to the FEATURE_SECURE_PROCESSING (FSP) based security mechanism and deprecate External Access Properties (EAPs). Deprecation of EAPs will be addressed in a separate CSR.
- Introduce a JDK-Specific Property: jdk.xml.resource.access:
Add a new property,
jdk.xml.resource.access, to provide centralized and robust control over external resource access. This property enables comprehensive control—ranging from specific hosts and wildcard domains to entire schemes or all local/remote resources (excluding fine-grained control for individual URIs). In conjunction with Catalogs, it offers granular network accessibility configuration, allowing applications to define access policies tailored to their requirements. - Deprecate the JDK Built-in Catalog’s RESOLVE Property:
The
jdk.xml.jdkcatalog.resolveproperty, introduced in JDK 22 as part of the built-in catalog, will be deprecated. With the new comprehensive property (jdk.xml.resource.access), its signaling role is no longer necessary.
This solution aims to resolve the issues outlined in the problem statement, enhance external resource access control, and establish a mechanism that makes it straightforward for applications to remain compatible while adopting restrictions on external access.
Feature Details for jdk.xml.resource.access:
- Supports lists of hostnames for permitting access (e.g., w3.org).
- Allows wildcard domains (e.g., *.sun.com) for enabling access to all subdomains of a specified domain.
- Supports optional port number restrictions
Provides special keywords:
- @local and @remote to permit all local or remote resources, respectively.
- Scheme-based keywords such as @file, @jar:file, @jrt, @http, and @https to grant access to resources by scheme.
- Wildcard * for unrestricted access.
Empty string "" to disable all external access.
Enables both precise and broad access control to meet various application needs.
Integration with FSP:
- When FSP is explicitly enabled through an XML factory, jdk.xml.resource.access defaults to "" (denying all access).
- When FSP is not set or set to false, the property defaults to "*" (allowing unrestricted access).
- Changing FSP from true to false has no effect on this property.
Property Precedence and Migration:
Until EAPs and jdk.xml.jdkcatalog.resolve are fully removed, all three properties will coexist. Precedence rules are:
- All properties observe the precedence order defined in the java.xml module specification.
When properties are set at the same scope (e.g., via factories), the newer property (jdk.xml.resource.access) takes precedence.
For example, if an EAP is set at the factory level and jdk.xml.resource.access is set as a system property, the EAP will take precedence. If both are set at the same level, jdk.xml.resource.access will prevail.
Once deprecation is complete, jdk.xml.resource.access (together with catalog/resolver mechanisms) will be the primary mechanism for controlling external resource access.
Specification
Add a JDK specific property:
jdk.xml.resource.accessProperty Name:
jdk.xml.resource.accessSystem Property:
jdk.xml.resource.accessDescription: Defines allowed network access to external resources by specifying a list of URL patterns, each following the syntax:
[scheme:]/{0,3}host[:port]- scheme: Optional. The URI scheme, as supported by the Java URL class (e.g., http, https, ftp, file, jar, jrt).
- / (slash): Separator between scheme and host. Can be zero to three slashes, such as
file:*, file:/foo,file:///*, or http://sun.com. - host: A domain name, IPv4 or IPv6 address, or
*. The wildcard*denotes any domain or host. The entire pattern*allows any domain or unrestricted access. A wildcard*followed by a domain, such as*.sun.com, permits all subdomains of the domainsun.com. A wildcard*following an IP address, e.g. 192.168.1.*, represents all subnets. If not specified, or the entire pattern is an empty string "", no access is permitted. - port: Optional. A decimal port number, as per the URI standard, to indicate only the specified port is permitted.
Example:
jdk.xml.resource.access = https://*.sun.com, w3.org, file:*, jrt:*This configuration permits access to:
- https access to any subdomain of sun.com, e.g. java.sun.com
- resources from w3.org
- All local file resources
- Resources from the Java runtime image
jdk.xml.resource.access = *This configuration permits all access.
jdk.xml.resource.access = ""This configuration permits no access.
Value Type: String
Value: A comma-separated list of URL patterns, * (wildcard), or "" (empty string).
Default Value: *
- Deprecate JDK built-in Catalog's RESOLVE property
Marked `jdk.xml.jdkcatalog.resolve` as Deprecated, for removalThis change is documented in the module-summary and jaxp.properties. There are three sections.
Section 1: Rewrite External Resource Resolution Process section
Prior to this change: (refer to https://docs.oracle.com/en/java/javase/24/docs/api/java.xml/module-summary.html#JC_PROCESS)
External Resource Resolution Process with the built-in Catalog
The JDK creates a CatalogResolver with the built-in catalog when needed. This CatalogResolver is used as the default external resource resolver.
XML processors may use resolvers (such as EntityResolver, XMLResolver, and CatalogResolver) to handle external references. In the absence of the user-defined resolvers, the JDK XML processors fall back to the default CatalogResolver to attempt to find a resolution before making a connection to fetch the resources. The fall-back also takes place if a user-defined resolver exists but allows the process to continue when unable to resolve the resource.
If the default CatalogResolver is unable to locate a resource, it may signal the XML processors to continue processing, or skip the resource, or throw a CatalogException. The behavior is configured with the jdk.xml.jdkcatalog.resolve property.
After the change (see attached module-summary_v01.html)
External Resource Resolution Process
The XML processor resolves external resources using the following steps:
- User-defined resolver, such as EntityResolver, XMLResolver, if registered on the XML factory
- CatalogResolver if registered or if a catalog file is provided
- The JDK Built-in Catalog
- Direct fetch
If a resolver or catalog successfully resolves the resource, the process ends. Otherwise, the XML processor evaluates the signal returned to decide whether to continue, ignore, or reject the resource.
It continues to the next step if:
- User-defined resolver returns null
- CatalogResolver returns null and the RESOLVE feature is set to continue
The JDK Built-in Catalog returns null
The XML processor then will attempt a direct fetch if the resource is allowed by jdk.xml.resource.access.
It ignores the resource and returns if:
- User-defined resolver returns an empty source
- CatalogResolver returns null and the RESOLVE feature is set to ignore
It terminates and throws an exception if:
- User-defined resolver throws an exception
- CatalogResolver returns null, the RESOLVE feature is reject
- The resource is not allowed by jdk.xml.resource.access
Section 2
Add a new row to the implementation-specific properties table for the new property, refer to the attached module-summary.html#RES_ACCESS. Below is the diff:
+ * <tr>
+ * <td id="RES_ACCESS">{@systemProperty jdk.xml.resource.access}</td>
+ * <td>Specifies allowed network access through a list of hosts, wildcard domains,
+ * and special symbols.
+ * <ul>
+ * <li><b>Hosts</b>: Grants access to resources from specific hosts. Hostnames
+ * correspond to the values returned by {@link URI#getHost()}
+ * </li>
+ * <li><b>Wildcard domains</b>: Grants access to all subdomains of a domain.</li>
+ * <li><b>Special symbols</b>: Grants access to categories of resources using symbols in the format
+ * {@code @[keyword or scheme]}, where:<br>
+ * <ul>
+ * <li><b>keyword</b>: local, remote</li>
+ * <li><b>scheme</b>: file, jar:file, jrt, http, https</li>
+ * </ul>
+ * Among them:
+ * <ul>
+ * <li>{@code @local}: Allows all local access that is file, jar:file and jrt</li>
+ * <li>{@code @remote}: Allows remote access by http and https</li>
+ * <li>{@code @file}: Allows access to file URIs</li>
+ * <li>{@code @jar:file}: Allows access to jar:file URIs</li>
+ * <li>{@code @jrt}: Allows access to Java runtime jrt URIs</li>
+ * <li>{@code @http}: Allows access to http URIs</li>
+ * <li>{@code @https}: Allows access to https URIs</li>
+ * <li>{@code *}: Allows access to all resources, both remote ({@code @remote})
+ * and local ({@code @local})</li>
+ * <li>"" (empty string): Disallow all resource access</li>
+ * </ul>
+ * </li>
+ * </ul>
+ * Example:
+ * {@snippet :
+ * jdk.xml.resource.access = *.sun.com, w3.org, @local
+ * }
+ * This configuration permits access to:
+ * <ul>
+ * <li>All subdomains of sun.com, e.g. java.sun.com</li>
+ * <li>Resources from w3.org</li>
+ * <li>All local file resources</li>
+ * </ul>
+ * </td>
+ * <td style="text-align:center">String</td>
+ * <td>
+ * A comma-separated list of hosts, wildcard domains, and special symbols, case insensitive.
+ * </td>
+ * <td style="text-align:center">{@code *}</td>
+ * <td style="text-align:center">""</td>
+ * <td style="text-align:center">Yes</td>
+ * <td style="text-align:center">
+ * <a href="#DOM">DOM</a><br>
+ * <a href="#SAX">SAX</a><br>
+ * <a href="#StAX">StAX</a><br>
+ * <a href="#Validation">Validation</a><br>
+ * <a href="#Transform">Transform</a>
+ * </td>
+ * <td style="text-align:center"><a href="#Processor">Method 1</a></td>
+ * <td style="text-align:center">25</td>
+ * </tr>
Section 3 Changes to the default configuration file jaxp.properties
+# XML Resource Access Property:
+#
+# A comma-separated list of of hosts, wildcard domains,and special symbols.
+# Hosts: Grants access to resources from specific hosts. Hostnames correspond to
+# the values returned by URI#getHost()
+# Wildcard domains: Grants access to all subdomains of a domain
+# Special symbols:
+# @local: Allows all local access that is file, jar:file and jrt
+# @remote: Allows remote access by http and https
+# @file: Allows access to file URIs
+# @jar:file: Allows access to jar:file URIs
+# @jrt: Allows access to Java runtime jrt URIs
+# @http: Allows access to http URIs
+# @https: Allows access to https URIs
+# *: Allows access to all resources, both remote (@remote) and local (@local)
+# "" (empty string): Blocks all access
+#
+# Example:
+# jdk.xml.resource.access = *.sun.com, w3.org, @local
+#
+# This configuration permits access to:
+# All subdomains of sun.com, e.g. java.sun.com
+# Resources from w3.org<
+# All local file resources
+#
+# The default allows unrestricted access
+jdk.xml.resource.access=*
+#- csr of
-
JDK-8357394 Add JDK specific property for external resource access
-
- Open
-