Java and Xerces: can't find property XMLConstants.ACCESS_EXTERNAL_DTD

Asked 14/11, 2018 at 11:34 Answered 10/1 at 10:23

I looked for similar posts on this blog, but couldn't find an answer to my question, so I decided to ask for help.

I wrote this simple function in Java:

 public void open(InputStream stream) throws FoliumFatalException {
        try {
            InputSource is = new InputSource(stream);
            DocumentBuilderFactory dfact = DocumentBuilderFactory.newInstance();
            
//            /* OWASP: inhibit access to External Entities */
            dfact.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); 
            dfact.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); 
            
            _doc = dfact.newDocumentBuilder().parse(is);

        } catch (Throwable t) {
            _logger.error(t, t);
            throw new FoliumFatalException("ENG-0017", "Errore di parsing su stream", t);
        }

    }

My goal is applying OWASP standards as exposed here, but I get the following error:

 java.lang.IllegalArgumentException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.
java.lang.IllegalArgumentException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.
    at org.apache.xerces.jaxp.DocumentBuilderFactoryImpl.setAttribute(Unknown Source) ~[xercesImpl-2.8.0.jar:?]
    at agora.folium.engine.impl.j2ee.FoliumJ2eeXmlParserImpl.open(FoliumJ2eeXmlParserImpl.java:108) [classes/:?]
    at agora.folium.engine.impl.FoliumAbstractEngine.loadServices(FoliumAbstractEngine.java:268) [classes/:?]
    at agora.folium.engine.impl.j2ee.FoliumJ2eeEngineImpl.startup(FoliumJ2eeEngineImpl.java:110) [classes/:?]
    at agora.folium.engine.Folium.startup(Folium.java:258) [classes/:?]
    at agora.folium.control.impl.j2ee.FoliumActionServlet.init(FoliumActionServlet.java:94) [classes/:?]
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1230) [catalina.jar:7.0.85]
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1174) [catalina.jar:7.0.85]
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1066) [catalina.jar:7.0.85]
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5370) [catalina.jar:7.0.85]
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5668) [catalina.jar:7.0.85]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145) [catalina.jar:7.0.85]
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:1015) [catalina.jar:7.0.85]
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:991) [catalina.jar:7.0.85]
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652) [catalina.jar:7.0.85]
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:712) [catalina.jar:7.0.85]
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:2002) [catalina.jar:7.0.85]
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) [?:1.8.0_141]
    at java.util.concurrent.FutureTask.run(Unknown Source) [?:1.8.0_141]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [?:1.8.0_141]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:1.8.0_141]
    at java.lang.Thread.run(Unknown Source) [?:1.8.0_141]

I'm using Eclipse Oxygen, Tomcat 7 and Java 1.8.

Healall answered 14/11, 2018 at 11:34 Comment(4)

xercesImpl-2.8.0.jar:?? Do you have a copy of Xerces in your web app? – Eveliaevelin 14/11, 2018 at 16:3

yes, I have. I even tried to change priorities in Eclipse Build Path Section, using XercesImpl before JRE System Library. – Healall 15/11, 2018 at 11:54

That might work for a regular Java application, but Tomcat has to load classes from you web app's jars. Tricks like that won't work. – Eveliaevelin 16/11, 2018 at 22:21

You can check the answer provided in this post – Lachesis 17/2, 2020 at 12:12

javax.xml.XMLConstants.ACCESS_EXTERNAL_DTD is defined in JAXP 1.5, but Xerces does not support it. If you can't remove Xerces dependency, you should add another implementation to your classpath before Xerces.

Alternatively, since JDK contains an implementation of Xerces you can configure DocumentBuilderFactory to return the JDK version using System.properties.

System.setProperty("javax.xml.parsers.DocumentBuilderFactory",
        "com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl");

Chinchilla answered 8/6, 2020 at 12:0 Comment(1)

this is related to #45153207 so aoviding xerces and setting the DocumentBuilderFactory may also help, which it did in my case. – Suggs 8/2, 2021 at 13:20

The issue is coming due to Xerces/XercesImpl in classpath. Xerces doesn't provide support for ACCESS_EXTERNAL_DTD property.

Solution 1. If possible, remove xerces jar from the class path.

Solution 2. Use JDK default implementation

DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance(
"com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl", 
  null);

Indolence answered 24/7, 2020 at 6:2 Comment(0)

Apache Xerces-J 2.12.0 and earlier implement older versions of JAXP that do not support either of the properties that you are trying to set. To block access to external entities, you could write an EntityResolver (that always throws a SAXException) and register that EntityResolver with the DocumentBuilder. See documentation here [1].

[1] http://xerces.apache.org/xerces2-j/javadocs/api/javax/xml/parsers/DocumentBuilder.html#setEntityResolver(org.xml.sax.EntityResolver)

Sarinasarine answered 23/11, 2018 at 20:11 Comment(0)

For anyone who comes across this issue whilst migrating to Java 17, removing Xerces from the classpath using Maven exclusion might not be an option. JEP-403 explicitly states the following under "Risks and Assumptions":

"Code that uses the JDK’s internal copy of the Xerces XML processor. Such code should instead use a standalone copy of the Xerces library, available from Maven Central." (otherwise, such code might fail) https://openjdk.org/jeps/403

So, if you are using one or both of these properties and need to migrate to Java 17, not sure what the solution would be to this question...

Euboea answered 10/1 at 10:23 Comment(1)

Update to this comment: JEP-403 is phrased a bit in a misleading manner. What they (presumably) meant to say is that this applies to code that is using the Xerces API directly. However, if your code is only using JAXB APIs then it should be safe to keep it as is. – Euboea 6/2 at 9:40

Our Java project was being built with Maven. As the team decided to integrate SonarQube in the pipeline, we faced something similar. "SonarQube doesn't run your tests or generate reports. It only imports pre-generated reports" (more on that here). In the case of Java/Kotlin/Scala/JVM, SonarQube needs some "JaCoCo XML coverage report". So, we had to add a dependency to our pom.xml:

<dependency>
  <groupId>org.jacoco</groupId>
  <artifactId>jacoco-maven-plugin</artifactId>
  <version>${jacoco.version}</version>
</dependency>

After some tweaking, we had it all up and running. But some tests were failing with "java.lang.IllegalArgumentException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized. at org.apache.xerces.jaxp.DocumentBuilderFactoryImpl.setAttribute(Unknown Source)...".

Long story short, the solution was to leave xerces out of the picture, as already stated in other answers:

<dependency>
  <groupId>org.jacoco</groupId>
  <artifactId>jacoco-maven-plugin</artifactId>
  <version>${jacoco.version}</version>
  <exclusions>
    <exclusion>
      <groupId>xerces</groupId>
      <artifactId>xercesImpl</artifactId>
    </exclusion>
  </exclusions>
</dependency>

Pignus answered 23/2, 2021 at 15:26 Comment(0)

Recommended topics

Hot tags