Trail: Java API for XML Processing (JAXP)
Lesson: JAXP 1.5 and New Properties

« Previous • Trail • Next »

~~The Java Tutorials have been written for JDK 8.~~Java教程是为JDK 8编写的。~~Examples and practices described in this page don't take advantage of improvements introduced in later releases and might use technology no longer available.~~本页中描述的示例和实践没有利用后续版本中引入的改进，并且可能使用不再可用的技术。
~~See Java Language Changes for a summary of updated language features in Java SE 9 and subsequent releases.~~有关Java SE 9及其后续版本中更新的语言特性的摘要，请参阅Java语言更改。
~~See JDK Release Notes for information about new features, enhancements, and removed or deprecated options for all JDK releases.~~有关所有JDK版本的新功能、增强功能以及已删除或不推荐的选项的信息，请参阅JDK发行说明。

Scope and Order

javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING (FSP) is a required feature for XML processors including DOM, SAX, Schema Validation, XSLT and XPath. When set to true, it is recommended that implementations enable access restrictions as defined by the new properties specified above. For compatibility, JAXP 1.5 does not enable the new restrictions, although FSP is true by default for DOM, SAX and Schema Validation.

For JDK 8, the new accessExternal* properties are proposed to be set to the empty string when FSP is explicitly set. This is only the case when FSP is set through the API, for example factory.setFeature(FSP, true). Although FSP is true by default for DOM, SAX and Schema Validation it is not treated as if "explicitly" set, JDK 8 therefore does not set restrictions by default.

Properties specified in the jaxp.properties file affect all invocations of the JDK or JRE, and will override their default values, or those that may have been set by FEATURE_SECURE_PROCESSING.

System properties, when set, will affect one invocation only, and will override the default settings or those set in jaxp.properties, or those that may have been set by FEATURE_SECURE_PROCESSING.

JAXP properties specified through JAXP factories or SAXParser take preference over system properties, the jaxp.properties file, as well as javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING.

The new JAXP properties have no effect on the relevant constructs they attempt to restrict in the following situations:

When there is a resolver and the source returned by the resolver is not null. This applies to entity resolvers that may be set on SAX and DOM parsers, XML resolvers on StAX parsers, LSResourceResolver on SchemaFactory, a Validator or ValidatorHandler, or URIResolver on a transformer.
When a schema is created explicitly by calling SchemaFactory's newSchema method.

When external resources are not required. For example, the following features/properties are supported by the reference implementation and may be used to instruct the processor to not load the external DTD or resolve external entities.

http://apache.org/xml/features/disallow-doctype-decl true
http://apache.org/xml/features/nonvalidating/load-external-dtd false
http://xml.org/sax/features/external-general-entities false
http://xml.org/sax/features/external-parameter-entities false

« Previous • Trail • Next »