8356294: Enhance Path Factories

Reviewed-by: ahgross, rriggs, rhalade, lancea, naoto

Author: JoeWang-Java

src/java.xml/share/classes/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderFactoryImpl.java

@@ -41,7 +41,7 @@
 /**
  * @author Rajiv Mordani
  * @author Edwin Goei
- * @LastModified: May 2025
+ * @LastModified: June 2025
  */
 public class DocumentBuilderFactoryImpl extends DocumentBuilderFactory {
     /** These are DocumentBuilderFactory attributes not DOM attributes */
@@ -59,11 +59,24 @@ public class DocumentBuilderFactoryImpl extends DocumentBuilderFactory {
     XMLSecurityManager fSecurityManager;
     XMLSecurityPropertyManager fSecurityPropertyMgr;
 
+    /**
+     * Creates a new {@code DocumentBuilderFactory} instance.
+     */
     public DocumentBuilderFactoryImpl() {
+        this(null, null);
+    }
+
+    /**
+     * Creates a new {@code DocumentBuilderFactory} instance with a {@code XMLSecurityManager}
+     * and {@code XMLSecurityPropertyManager}.
+     * @param xsm the {@code XMLSecurityManager}
+     * @param xspm the {@code XMLSecurityPropertyManager}
+     */
+    public DocumentBuilderFactoryImpl(XMLSecurityManager xsm, XMLSecurityPropertyManager xspm) {
         JdkXmlConfig config = JdkXmlConfig.getInstance(false);
         // security (property) managers updated with current system properties
-        fSecurityManager = config.getXMLSecurityManager(true);
-        fSecurityPropertyMgr = config.getXMLSecurityPropertyManager(true);
+        fSecurityManager = (xsm == null) ? config.getXMLSecurityManager(true) : xsm;
+        fSecurityPropertyMgr = (xspm == null) ? config.getXMLSecurityPropertyManager(true) : xspm;
     }
 
     /**

src/java.xml/share/classes/com/sun/org/apache/xpath/internal/jaxp/XPathFactoryImpl.java

@@ -35,7 +35,7 @@
  *
  * @author  Ramesh Mandava
  *
- * @LastModified: May 2025
+ * @LastModified: June 2025
  */
 public  class XPathFactoryImpl extends XPathFactory {
 
@@ -72,6 +72,7 @@ public  class XPathFactoryImpl extends XPathFactory {
          * The XML security manager
          */
         private XMLSecurityManager _xmlSecMgr;
+        private XMLSecurityPropertyManager _xmlSecPropMgr;
 
         /**
          * javax.xml.xpath.XPathFactory implementation.
@@ -80,6 +81,7 @@ public XPathFactoryImpl() {
             JdkXmlConfig config = JdkXmlConfig.getInstance(false);
             _xmlSecMgr = config.getXMLSecurityManager(true);
             _featureManager = config.getXMLFeatures(true);
+            _xmlSecPropMgr = config.getXMLSecurityPropertyManager(true);
         }
 
         /**
@@ -129,7 +131,7 @@ public boolean isObjectModelSupported(String objectModel) {
          */
         public javax.xml.xpath.XPath newXPath() {
             return new XPathImpl(xPathVariableResolver, xPathFunctionResolver,
-                    !_isNotSecureProcessing, _featureManager, _xmlSecMgr);
+                    !_isNotSecureProcessing, _featureManager, _xmlSecMgr, _xmlSecPropMgr);
         }
 
         /**
@@ -183,6 +185,7 @@ public void setFeature(String name, boolean value)
                 if (value && _featureManager != null) {
                     _featureManager.setFeature(JdkXmlFeatures.XmlFeature.ENABLE_EXTENSION_FUNCTION,
                             JdkProperty.State.FSP, false);
+                    _xmlSecMgr.setSecureProcessing(value);
                 }
 
                 // all done processing feature
@@ -338,8 +341,7 @@ public void setProperty(String name, String value) {
             throw new NullPointerException(fmsg);
          }
 
-        if (_xmlSecMgr != null &&
-                _xmlSecMgr.setLimit(name, JdkProperty.State.APIPROPERTY, value)) {
+        if (JdkXmlUtils.setProperty(_xmlSecMgr, _xmlSecPropMgr, name, value)) {
             return;
         }
 

src/java.xml/share/classes/com/sun/org/apache/xpath/internal/jaxp/XPathImpl.java

@@ -36,6 +36,7 @@
 import jdk.xml.internal.JdkXmlConfig;
 import jdk.xml.internal.JdkXmlFeatures;
 import jdk.xml.internal.XMLSecurityManager;
+import jdk.xml.internal.XMLSecurityPropertyManager;
 import org.w3c.dom.Document;
 import org.xml.sax.InputSource;
 
@@ -50,7 +51,7 @@
  * New methods: evaluateExpression
  * Refactored to share code with XPathExpressionImpl.
  *
- * @LastModified: May 2025
+ * @LastModified: June 2025
  */
 public class XPathImpl extends XPathImplUtil implements javax.xml.xpath.XPath {
 
@@ -62,19 +63,21 @@ public class XPathImpl extends XPathImplUtil implements javax.xml.xpath.XPath {
     XPathImpl(XPathVariableResolver vr, XPathFunctionResolver fr) {
         this(vr, fr, false,
                 JdkXmlConfig.getInstance(false).getXMLFeatures(false),
-                JdkXmlConfig.getInstance(false).getXMLSecurityManager(false));
+                JdkXmlConfig.getInstance(false).getXMLSecurityManager(false),
+                JdkXmlConfig.getInstance(false).getXMLSecurityPropertyManager(false));
     }
 
     XPathImpl(XPathVariableResolver vr, XPathFunctionResolver fr,
             boolean featureSecureProcessing, JdkXmlFeatures featureManager,
-            XMLSecurityManager xmlSecMgr) {
+            XMLSecurityManager xmlSecMgr, XMLSecurityPropertyManager xmlSecPropMgr) {
         this.origVariableResolver = this.variableResolver = vr;
         this.origFunctionResolver = this.functionResolver = fr;
         this.featureSecureProcessing = featureSecureProcessing;
         this.featureManager = featureManager;
         overrideDefaultParser = featureManager.getFeature(
                 JdkXmlFeatures.XmlFeature.JDK_OVERRIDE_PARSER);
         this.xmlSecMgr = xmlSecMgr;
+        this.xmlSecPropMgr = xmlSecPropMgr;
     }
 
 

src/java.xml/share/classes/com/sun/org/apache/xpath/internal/jaxp/XPathImplUtil.java

@@ -31,6 +31,7 @@
 import com.sun.org.apache.xpath.internal.objects.XObject;
 import com.sun.org.apache.xpath.internal.res.XPATHErrorResources;
 import java.io.IOException;
+import javax.xml.XMLConstants;
 import javax.xml.namespace.QName;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -44,6 +45,7 @@
 import jdk.xml.internal.JdkXmlFeatures;
 import jdk.xml.internal.JdkXmlUtils;
 import jdk.xml.internal.XMLSecurityManager;
+import jdk.xml.internal.XMLSecurityPropertyManager;
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
 import org.w3c.dom.traversal.NodeIterator;
@@ -54,7 +56,7 @@
  * This class contains several utility methods used by XPathImpl and
  * XPathExpressionImpl
  *
- * @LastModified: Apr 2025
+ * @LastModified: June 2025
  */
 class XPathImplUtil {
     XPathFunctionResolver functionResolver;
@@ -67,6 +69,7 @@ class XPathImplUtil {
     boolean featureSecureProcessing = false;
     JdkXmlFeatures featureManager;
     XMLSecurityManager xmlSecMgr;
+    XMLSecurityPropertyManager xmlSecPropMgr;
 
     /**
      * Evaluate an XPath context using the internal XPath engine
@@ -128,7 +131,12 @@ Document getDocument(InputSource source)
             //
             // so we really have to create a fresh DocumentBuilder every time we need one
             // - KK
-            DocumentBuilderFactory dbf = JdkXmlUtils.getDOMFactory(overrideDefaultParser);
+            DocumentBuilderFactory dbf = JdkXmlUtils.getDOMFactory(
+                    overrideDefaultParser, xmlSecMgr, xmlSecPropMgr);
+            if (xmlSecMgr != null && xmlSecMgr.isSecureProcessingSet()) {
+                dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING,
+                        xmlSecMgr.isSecureProcessing());
+            }
             return dbf.newDocumentBuilder().parse(source);
         } catch (ParserConfigurationException | SAXException | IOException e) {
             throw new XPathExpressionException (e);

src/java.xml/share/classes/jdk/xml/internal/JdkXmlUtils.java

@@ -445,6 +445,20 @@ public static Document getDOMDocument() {
      * @return a DocumentBuilderFactory instance.
      */
     public static DocumentBuilderFactory getDOMFactory(boolean overrideDefaultParser) {
+        return getDOMFactory(overrideDefaultParser, null, null);
+    }
+
+    /**
+     * {@return a DocumentBuilderFactory instance}
+     *
+     * @param overrideDefaultParser a flag indicating whether the system-default
+     * implementation may be overridden. If the system property of the
+     * DOM factory ID is set, override is always allowed.
+     * @param xsm XMLSecurityManager
+     * @param xspm XMLSecurityPropertyManager
+     */
+    public static DocumentBuilderFactory getDOMFactory(boolean overrideDefaultParser,
+            XMLSecurityManager xsm, XMLSecurityPropertyManager xspm) {
         boolean override = overrideDefaultParser;
         String spDOMFactory = SecuritySupport.getJAXPSystemProperty(DOM_FACTORY_ID);
 
@@ -453,7 +467,7 @@ public static DocumentBuilderFactory getDOMFactory(boolean overrideDefaultParser
         }
         DocumentBuilderFactory dbf
                 = !override
-                        ? new DocumentBuilderFactoryImpl()
+                        ? new DocumentBuilderFactoryImpl(xsm, xspm)
                         : DocumentBuilderFactory.newInstance();
         dbf.setNamespaceAware(true);
         // false is the default setting. This step here is for compatibility

src/java.xml/share/classes/jdk/xml/internal/XMLSecurityManager.java

@@ -244,6 +244,12 @@ public static enum Processor {
      */
     boolean secureProcessing;
 
+    /**
+     * Flag indicating the secure processing is set explicitly through factories'
+     * setFeature method and then the setSecureProcessing method
+     */
+    boolean secureProcessingSet;
+
     /**
      * States that determine if properties are set explicitly
      */
@@ -340,6 +346,7 @@ private NotFoundAction toActionType(String resolve) {
      * Setting FEATURE_SECURE_PROCESSING explicitly
      */
     public void setSecureProcessing(boolean secure) {
+        secureProcessingSet = true;
         secureProcessing = secure;
         for (Limit limit : Limit.values()) {
             if (secure) {
@@ -358,6 +365,15 @@ public boolean isSecureProcessing() {
         return secureProcessing;
     }
 
+    /**
+     * Returns the state indicating whether the Secure Processing is set explicitly,
+     * via factories' setFeature and then this class' setSecureProcessing method.
+     * @return the state indicating whether the Secure Processing is set explicitly
+     */
+    public boolean isSecureProcessingSet() {
+        return secureProcessingSet;
+    }
+
     /**
      * Finds a limit's new name with the given property name.
      * @param propertyName the property name specified