foundation/org.eclipse.persistence.core/src/main/java/org/eclipse/persistence/internal/helper/XMLHelper.java - eclipselink - Git at Google

 /*
  * Copyright (c) 2016, 2020 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
  * terms of the Eclipse Public License v. 2.0 which is available at
  * http://www.eclipse.org/legal/epl-2.0,
  * or the Eclipse Distribution License v. 1.0 which is available at
  * http://www.eclipse.org/org/documents/edl-v10.php.
  *
  * SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
  */

 // Contributors:
 //     Oracle - initial API and implementation
 package org.eclipse.persistence.internal.helper;

 import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParserFactory;
 import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.validation.SchemaFactory;
 import javax.xml.xpath.XPathFactory;
 import javax.xml.xpath.XPathFactoryConfigurationException;

 import org.eclipse.persistence.internal.oxm.OXMSystemProperties;
 import org.eclipse.persistence.internal.oxm.record.XMLReader;
 import org.eclipse.persistence.internal.security.PrivilegedAccessHelper;
 import org.eclipse.persistence.logging.AbstractSessionLog;
 import org.eclipse.persistence.logging.SessionLog;
 import org.xml.sax.SAXException;
 import org.xml.sax.SAXNotRecognizedException;
 import org.xml.sax.SAXNotSupportedException;

 public class XMLHelper {

     // LJ - does not cache logger to allow its dynamic reconfiguration

     // not in older JDK, so must be duplicated here, otherwise javax.xml.XMLConstants should be used
     public static final String ACCESS_EXTERNAL_SCHEMA = "http://javax.xml.XMLConstants/property/accessExternalSchema";
     public static final String ACCESS_EXTERNAL_DTD = "http://javax.xml.XMLConstants/property/accessExternalDTD";

     private static final String PROP_ACCESS_EXTERNAL_SCHEMA = "javax.xml.accessExternalSchema";
     private static final String PROP_ACCESS_EXTERNAL_DTD = "javax.xml.accessExternalDTD";

     /**
      * If true XML security features when parsing XML documents will be disabled.
      * The default value is false.
      *
      * Boolean
      * @since 2.6.3
      */
     private static final boolean XML_SECURITY_DISABLED = PrivilegedAccessHelper.getSystemPropertyBoolean(OXMSystemProperties.DISABLE_SECURE_PROCESSING, false);

     private static boolean isXMLSecurityDisabled(boolean runtimeSetting) {
         return XML_SECURITY_DISABLED || runtimeSetting;
     }

     /**
      * Returns properly configured (e.g. security features) schema factory
      * - namespaceAware == true
      * - securityProcessing == is set based on security processing property, default is true
      */
     public static SchemaFactory createSchemaFactory(final String language, boolean disableSecureProcessing) throws IllegalStateException {
         SessionLog logger = AbstractSessionLog.getLog();
         try {
             SchemaFactory factory = SchemaFactory.newInstance(language);

             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "schema_factory", new Object[] {factory});
             }
             factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
             return factory;
         } catch (SAXNotRecognizedException ex) {
             logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, ex);
             throw new IllegalStateException(ex);
         } catch (SAXNotSupportedException ex) {
             logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, ex);
             throw new IllegalStateException(ex);
         } catch (AbstractMethodError er) {
             logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, er);
             throw new IllegalStateException(er);
         }
     }

     /**
      * Returns properly configured (e.g. security features) parser factory
      * - namespaceAware == true
      * - securityProcessing == is set based on security processing property, default is true
      */
     public static SAXParserFactory createParserFactory(boolean disableSecureProcessing) throws IllegalStateException {
         SessionLog logger = AbstractSessionLog.getLog();
         try {
             SAXParserFactory factory = SAXParserFactory.newInstance();
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "saxparser_factory", new Object[] {factory});
             }
             factory.setNamespaceAware(true);
             factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
             return factory;
         } catch (ParserConfigurationException ex) {
             logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, ex);
             throw new IllegalStateException( ex);
         } catch (SAXNotRecognizedException ex) {
             logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, ex);
             throw new IllegalStateException( ex);
         } catch (SAXNotSupportedException ex) {
             logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, ex);
             throw new IllegalStateException( ex);
         } catch (AbstractMethodError er) {
             logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, er);
             throw new IllegalStateException(er);
         }
     }

     /**
      * Returns properly configured (e.g. security features) factory
      * - securityProcessing == is set based on security processing property, default is true
      */
     public static XPathFactory createXPathFactory(boolean disableSecureProcessing) throws IllegalStateException {
         SessionLog logger = AbstractSessionLog.getLog();
         try {
             XPathFactory factory = XPathFactory.newInstance();
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "xpath_factory", new Object[] {factory});
             }
             factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
             return factory;
         } catch (XPathFactoryConfigurationException ex) {
             logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, ex);
             throw new IllegalStateException( ex);
         } catch (AbstractMethodError er) {
             logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, er);
             throw new IllegalStateException(er);
         }
     }

     /**
      * Returns properly configured (e.g. security features) factory
      * - securityProcessing == is set based on security processing property, default is true
      */
     public static TransformerFactory createTransformerFactory(boolean disableSecureProcessing) throws IllegalStateException {
         SessionLog logger = AbstractSessionLog.getLog();
         try {
             TransformerFactory factory = TransformerFactory.newInstance();
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "transformer_factory", new Object[] {factory});
             }
             factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
             return factory;
         } catch (TransformerConfigurationException ex) {
             logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, ex);
             throw new IllegalStateException( ex);
         } catch (AbstractMethodError er) {
             logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, er);
             throw new IllegalStateException(er);
         }
     }

     /**
      * Returns properly configured (e.g. security features) factory
      * - namespaceAware == true
      * - securityProcessing == is set based on security processing property, default is true
      */
     public static DocumentBuilderFactory createDocumentBuilderFactory(boolean disableSecureProcessing) throws IllegalStateException {
         SessionLog logger = AbstractSessionLog.getLog();
         try {
             DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "documentbuilder_factory", new Object[] {factory});
             }
             factory.setNamespaceAware(true);
             factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
             return factory;
         } catch (ParserConfigurationException ex) {
             logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, ex);
             throw new IllegalStateException( ex);
         } catch (AbstractMethodError er) {
             logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, er);
             throw new IllegalStateException(er);
         }
     }

     public static SchemaFactory allowExternalAccess(SchemaFactory sf, String value, boolean disableSecureProcessing) {
         SessionLog logger = AbstractSessionLog.getLog();
         // if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
         if (isXMLSecurityDisabled(disableSecureProcessing)) {
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_disabled", new Object[] {"xsd"});
             }
             return sf;
         }

         if (PrivilegedAccessHelper.getSystemProperty(PROP_ACCESS_EXTERNAL_SCHEMA) != null) {
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_explicit", new Object[] {"xsd"});
             }
             return sf;
         }

         try {
             sf.setProperty(ACCESS_EXTERNAL_SCHEMA, value);
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_prop_supported", new Object[] {ACCESS_EXTERNAL_SCHEMA});
             }
         } catch (SAXException ignored) {
             // nothing to do; support depends on version JDK or SAX implementation
             if (logger.shouldLog(SessionLog.CONFIG, SessionLog.MOXY)) {
                 logger.log(SessionLog.CONFIG, SessionLog.MOXY, "jaxp_sec_prop_not_supported", new Object[] {ACCESS_EXTERNAL_SCHEMA});
                 logger.logThrowable(SessionLog.CONFIG, SessionLog.MOXY, ignored);
             }
         }
         return sf;
     }

     public static TransformerFactory allowExternalAccess(TransformerFactory tf, String value, boolean disableSecureProcessing) {
         SessionLog logger = AbstractSessionLog.getLog();
         // if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
         if (isXMLSecurityDisabled(disableSecureProcessing)) {
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_disabled", new Object[] {"xsd"});
             }
             return tf;
         }

         if (PrivilegedAccessHelper.getSystemProperty(PROP_ACCESS_EXTERNAL_SCHEMA) != null) {
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_explicit", new Object[] {"xsd"});
             }
             return tf;
         }

         try {
             tf.setAttribute(ACCESS_EXTERNAL_SCHEMA, value);
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_prop_supported", new Object[] {ACCESS_EXTERNAL_SCHEMA});
             }
         } catch (IllegalArgumentException ignored) {
             // nothing to do; support depends on version JDK or SAX implementation
             if (logger.shouldLog(SessionLog.CONFIG, SessionLog.MOXY)) {
                 logger.log(SessionLog.CONFIG, SessionLog.MOXY, "jaxp_sec_prop_not_supported", new Object[] {ACCESS_EXTERNAL_SCHEMA});
                 logger.logThrowable(SessionLog.CONFIG, SessionLog.MOXY, ignored);
             }
         }
         return tf;
     }

     public static DocumentBuilderFactory allowExternalAccess(DocumentBuilderFactory dbf, String value, boolean disableSecureProcessing) {
         SessionLog logger = AbstractSessionLog.getLog();
         // if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
         if (isXMLSecurityDisabled(disableSecureProcessing)) {
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_disabled", new Object[] {"xsd"});
             }
             return dbf;
         }

         if (PrivilegedAccessHelper.getSystemProperty(PROP_ACCESS_EXTERNAL_SCHEMA) != null) {
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_explicit", new Object[] {"xsd"});
             }
             return dbf;
         }

         try {
             dbf.setAttribute(ACCESS_EXTERNAL_SCHEMA, value);
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_prop_supported", new Object[] {ACCESS_EXTERNAL_SCHEMA});
             }
         } catch (IllegalArgumentException ignored) {
             // nothing to do; support depends on version JDK or SAX implementation
             if (logger.shouldLog(SessionLog.CONFIG, SessionLog.MOXY)) {
                 logger.log(SessionLog.CONFIG, SessionLog.MOXY, "jaxp_sec_prop_not_supported", new Object[] {ACCESS_EXTERNAL_SCHEMA});
                 logger.logThrowable(SessionLog.CONFIG, SessionLog.MOXY, ignored);
             }
         }
         return dbf;
     }

     public static XMLReader allowExternalAccess(XMLReader xmlReader, String value, boolean disableSecureProcessing) {
         SessionLog logger = AbstractSessionLog.getLog();
         // if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
         if (isXMLSecurityDisabled(disableSecureProcessing)) {
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_disabled", new Object[] {"xsd"});
             }
             return xmlReader;
         }

         if (PrivilegedAccessHelper.getSystemProperty(PROP_ACCESS_EXTERNAL_SCHEMA) != null) {
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_explicit", new Object[] {"xsd"});
             }
             return xmlReader;
         }

         try {
             xmlReader.setProperty(ACCESS_EXTERNAL_SCHEMA, value);
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_prop_supported", new Object[] {ACCESS_EXTERNAL_SCHEMA});
             }
         } catch (SAXException ignored) {
             // nothing to do; support depends on version JDK or SAX implementation
             if (logger.shouldLog(SessionLog.CONFIG, SessionLog.MOXY)) {
                 logger.log(SessionLog.CONFIG, SessionLog.MOXY, "jaxp_sec_prop_not_supported", new Object[] {ACCESS_EXTERNAL_SCHEMA});
                 logger.logThrowable(SessionLog.CONFIG, SessionLog.MOXY, ignored);
             }
         }
         return xmlReader;
     }

     public static SchemaFactory allowExternalDTDAccess(SchemaFactory sf, String value, boolean disableSecureProcessing) {
         SessionLog logger = AbstractSessionLog.getLog();
         // if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
         if (isXMLSecurityDisabled(disableSecureProcessing)) {
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_disabled", new Object[] {"DTD"});
             }
             return sf;
         }

         if (PrivilegedAccessHelper.getSystemProperty(PROP_ACCESS_EXTERNAL_DTD) != null) {
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_explicit", new Object[] {"DTD"});
             }
             return sf;
         }

         try {
             sf.setProperty(ACCESS_EXTERNAL_DTD, value);
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_prop_supported", new Object[] {ACCESS_EXTERNAL_DTD});
             }
         } catch (SAXException ignored) {
             // nothing to do; support depends on version JDK or SAX implementation
             if (logger.shouldLog(SessionLog.CONFIG, SessionLog.MOXY)) {
                 logger.log(SessionLog.CONFIG, SessionLog.MOXY, "jaxp_sec_prop_not_supported", new Object[] {ACCESS_EXTERNAL_DTD});
                 logger.logThrowable(SessionLog.CONFIG, SessionLog.MOXY, ignored);
             }
         }
         return sf;
     }

     public static DocumentBuilderFactory allowExternalDTDAccess(DocumentBuilderFactory dbf, String value, boolean disableSecureProcessing) {
         SessionLog logger = AbstractSessionLog.getLog();
         // if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
         if (isXMLSecurityDisabled(disableSecureProcessing)) {
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_disabled", new Object[] {"DTD"});
             }
             return dbf;
         }

         if (PrivilegedAccessHelper.getSystemProperty(PROP_ACCESS_EXTERNAL_DTD) != null) {
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_explicit", new Object[] {"DTD"});
             }
             return dbf;
         }

         try {
             dbf.setAttribute(ACCESS_EXTERNAL_DTD, value);
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_prop_supported", new Object[] {ACCESS_EXTERNAL_DTD});
             }
         } catch (IllegalArgumentException ignored) {
             // nothing to do; support depends on version JDK or SAX implementation
             if (logger.shouldLog(SessionLog.CONFIG, SessionLog.MOXY)) {
                 logger.log(SessionLog.CONFIG, SessionLog.MOXY, "jaxp_sec_prop_not_supported", new Object[] {ACCESS_EXTERNAL_DTD});
                 logger.logThrowable(SessionLog.CONFIG, SessionLog.MOXY, ignored);
             }
         }
         return dbf;
     }

     public static XMLReader allowExternalDTDAccess(XMLReader xmlReader, String value, boolean disableSecureProcessing) {
         SessionLog logger = AbstractSessionLog.getLog();
         // if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
         if (isXMLSecurityDisabled(disableSecureProcessing)) {
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_disabled", new Object[] {"DTD"});
             }
             return xmlReader;
         }

         if (PrivilegedAccessHelper.getSystemProperty(PROP_ACCESS_EXTERNAL_DTD) != null) {
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_explicit", new Object[] {"DTD"});
             }
             return xmlReader;
         }

         try {
             xmlReader.setProperty(ACCESS_EXTERNAL_DTD, value);
             if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
                 logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_prop_supported", new Object[] {ACCESS_EXTERNAL_DTD});
             }
         } catch (SAXException ignored) {
             // nothing to do; support depends on version JDK or SAX implementation
             if (logger.shouldLog(SessionLog.CONFIG, SessionLog.MOXY)) {
                 logger.log(SessionLog.CONFIG, SessionLog.MOXY, "jaxp_sec_prop_not_supported", new Object[] {ACCESS_EXTERNAL_DTD});
                 logger.logThrowable(SessionLog.CONFIG, SessionLog.MOXY, ignored);
             }
         }
         return xmlReader;
     }
 }
	/*
	* Copyright (c) 2016, 2020 Oracle and/or its affiliates. All rights reserved.
	*
	* This program and the accompanying materials are made available under the
	* terms of the Eclipse Public License v. 2.0 which is available at
	* http://www.eclipse.org/legal/epl-2.0,
	* or the Eclipse Distribution License v. 1.0 which is available at
	* http://www.eclipse.org/org/documents/edl-v10.php.
	*
	* SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
	*/

	// Contributors:
	// Oracle - initial API and implementation
	package org.eclipse.persistence.internal.helper;

	import javax.xml.XMLConstants;
	import javax.xml.parsers.DocumentBuilderFactory;
	import javax.xml.parsers.ParserConfigurationException;
	import javax.xml.parsers.SAXParserFactory;
	import javax.xml.transform.TransformerConfigurationException;
	import javax.xml.transform.TransformerFactory;
	import javax.xml.validation.SchemaFactory;
	import javax.xml.xpath.XPathFactory;
	import javax.xml.xpath.XPathFactoryConfigurationException;

	import org.eclipse.persistence.internal.oxm.OXMSystemProperties;
	import org.eclipse.persistence.internal.oxm.record.XMLReader;
	import org.eclipse.persistence.internal.security.PrivilegedAccessHelper;
	import org.eclipse.persistence.logging.AbstractSessionLog;
	import org.eclipse.persistence.logging.SessionLog;
	import org.xml.sax.SAXException;
	import org.xml.sax.SAXNotRecognizedException;
	import org.xml.sax.SAXNotSupportedException;

	public class XMLHelper {

	// LJ - does not cache logger to allow its dynamic reconfiguration

	// not in older JDK, so must be duplicated here, otherwise javax.xml.XMLConstants should be used
	public static final String ACCESS_EXTERNAL_SCHEMA = "http://javax.xml.XMLConstants/property/accessExternalSchema";
	public static final String ACCESS_EXTERNAL_DTD = "http://javax.xml.XMLConstants/property/accessExternalDTD";

	private static final String PROP_ACCESS_EXTERNAL_SCHEMA = "javax.xml.accessExternalSchema";
	private static final String PROP_ACCESS_EXTERNAL_DTD = "javax.xml.accessExternalDTD";

	/**
	* If true XML security features when parsing XML documents will be disabled.
	* The default value is false.
	*
	* Boolean
	* @since 2.6.3
	*/
	private static final boolean XML_SECURITY_DISABLED = PrivilegedAccessHelper.getSystemPropertyBoolean(OXMSystemProperties.DISABLE_SECURE_PROCESSING, false);

	private static boolean isXMLSecurityDisabled(boolean runtimeSetting) {
	return XML_SECURITY_DISABLED \|\| runtimeSetting;
	}

	/**
	* Returns properly configured (e.g. security features) schema factory
	* - namespaceAware == true
	* - securityProcessing == is set based on security processing property, default is true
	*/
	public static SchemaFactory createSchemaFactory(final String language, boolean disableSecureProcessing) throws IllegalStateException {
	SessionLog logger = AbstractSessionLog.getLog();
	try {
	SchemaFactory factory = SchemaFactory.newInstance(language);

	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "schema_factory", new Object[] {factory});
	}
	factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
	return factory;
	} catch (SAXNotRecognizedException ex) {
	logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, ex);
	throw new IllegalStateException(ex);
	} catch (SAXNotSupportedException ex) {
	logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, ex);
	throw new IllegalStateException(ex);
	} catch (AbstractMethodError er) {
	logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, er);
	throw new IllegalStateException(er);
	}
	}

	/**
	* Returns properly configured (e.g. security features) parser factory
	* - namespaceAware == true
	* - securityProcessing == is set based on security processing property, default is true
	*/
	public static SAXParserFactory createParserFactory(boolean disableSecureProcessing) throws IllegalStateException {
	SessionLog logger = AbstractSessionLog.getLog();
	try {
	SAXParserFactory factory = SAXParserFactory.newInstance();
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "saxparser_factory", new Object[] {factory});
	}
	factory.setNamespaceAware(true);
	factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
	return factory;
	} catch (ParserConfigurationException ex) {
	logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, ex);
	throw new IllegalStateException( ex);
	} catch (SAXNotRecognizedException ex) {
	logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, ex);
	throw new IllegalStateException( ex);
	} catch (SAXNotSupportedException ex) {
	logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, ex);
	throw new IllegalStateException( ex);
	} catch (AbstractMethodError er) {
	logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, er);
	throw new IllegalStateException(er);
	}
	}

	/**
	* Returns properly configured (e.g. security features) factory
	* - securityProcessing == is set based on security processing property, default is true
	*/
	public static XPathFactory createXPathFactory(boolean disableSecureProcessing) throws IllegalStateException {
	SessionLog logger = AbstractSessionLog.getLog();
	try {
	XPathFactory factory = XPathFactory.newInstance();
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "xpath_factory", new Object[] {factory});
	}
	factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
	return factory;
	} catch (XPathFactoryConfigurationException ex) {
	logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, ex);
	throw new IllegalStateException( ex);
	} catch (AbstractMethodError er) {
	logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, er);
	throw new IllegalStateException(er);
	}
	}

	/**
	* Returns properly configured (e.g. security features) factory
	* - securityProcessing == is set based on security processing property, default is true
	*/
	public static TransformerFactory createTransformerFactory(boolean disableSecureProcessing) throws IllegalStateException {
	SessionLog logger = AbstractSessionLog.getLog();
	try {
	TransformerFactory factory = TransformerFactory.newInstance();
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "transformer_factory", new Object[] {factory});
	}
	factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
	return factory;
	} catch (TransformerConfigurationException ex) {
	logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, ex);
	throw new IllegalStateException( ex);
	} catch (AbstractMethodError er) {
	logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, er);
	throw new IllegalStateException(er);
	}
	}

	/**
	* Returns properly configured (e.g. security features) factory
	* - namespaceAware == true
	* - securityProcessing == is set based on security processing property, default is true
	*/
	public static DocumentBuilderFactory createDocumentBuilderFactory(boolean disableSecureProcessing) throws IllegalStateException {
	SessionLog logger = AbstractSessionLog.getLog();
	try {
	DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "documentbuilder_factory", new Object[] {factory});
	}
	factory.setNamespaceAware(true);
	factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !isXMLSecurityDisabled(disableSecureProcessing));
	return factory;
	} catch (ParserConfigurationException ex) {
	logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, ex);
	throw new IllegalStateException( ex);
	} catch (AbstractMethodError er) {
	logger.logThrowable(SessionLog.SEVERE, SessionLog.MOXY, er);
	throw new IllegalStateException(er);
	}
	}

	public static SchemaFactory allowExternalAccess(SchemaFactory sf, String value, boolean disableSecureProcessing) {
	SessionLog logger = AbstractSessionLog.getLog();
	// if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
	if (isXMLSecurityDisabled(disableSecureProcessing)) {
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_disabled", new Object[] {"xsd"});
	}
	return sf;
	}

	if (PrivilegedAccessHelper.getSystemProperty(PROP_ACCESS_EXTERNAL_SCHEMA) != null) {
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_explicit", new Object[] {"xsd"});
	}
	return sf;
	}

	try {
	sf.setProperty(ACCESS_EXTERNAL_SCHEMA, value);
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_prop_supported", new Object[] {ACCESS_EXTERNAL_SCHEMA});
	}
	} catch (SAXException ignored) {
	// nothing to do; support depends on version JDK or SAX implementation
	if (logger.shouldLog(SessionLog.CONFIG, SessionLog.MOXY)) {
	logger.log(SessionLog.CONFIG, SessionLog.MOXY, "jaxp_sec_prop_not_supported", new Object[] {ACCESS_EXTERNAL_SCHEMA});
	logger.logThrowable(SessionLog.CONFIG, SessionLog.MOXY, ignored);
	}
	}
	return sf;
	}

	public static TransformerFactory allowExternalAccess(TransformerFactory tf, String value, boolean disableSecureProcessing) {
	SessionLog logger = AbstractSessionLog.getLog();
	// if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
	if (isXMLSecurityDisabled(disableSecureProcessing)) {
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_disabled", new Object[] {"xsd"});
	}
	return tf;
	}

	if (PrivilegedAccessHelper.getSystemProperty(PROP_ACCESS_EXTERNAL_SCHEMA) != null) {
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_explicit", new Object[] {"xsd"});
	}
	return tf;
	}

	try {
	tf.setAttribute(ACCESS_EXTERNAL_SCHEMA, value);
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_prop_supported", new Object[] {ACCESS_EXTERNAL_SCHEMA});
	}
	} catch (IllegalArgumentException ignored) {
	// nothing to do; support depends on version JDK or SAX implementation
	if (logger.shouldLog(SessionLog.CONFIG, SessionLog.MOXY)) {
	logger.log(SessionLog.CONFIG, SessionLog.MOXY, "jaxp_sec_prop_not_supported", new Object[] {ACCESS_EXTERNAL_SCHEMA});
	logger.logThrowable(SessionLog.CONFIG, SessionLog.MOXY, ignored);
	}
	}
	return tf;
	}

	public static DocumentBuilderFactory allowExternalAccess(DocumentBuilderFactory dbf, String value, boolean disableSecureProcessing) {
	SessionLog logger = AbstractSessionLog.getLog();
	// if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
	if (isXMLSecurityDisabled(disableSecureProcessing)) {
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_disabled", new Object[] {"xsd"});
	}
	return dbf;
	}

	if (PrivilegedAccessHelper.getSystemProperty(PROP_ACCESS_EXTERNAL_SCHEMA) != null) {
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_explicit", new Object[] {"xsd"});
	}
	return dbf;
	}

	try {
	dbf.setAttribute(ACCESS_EXTERNAL_SCHEMA, value);
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_prop_supported", new Object[] {ACCESS_EXTERNAL_SCHEMA});
	}
	} catch (IllegalArgumentException ignored) {
	// nothing to do; support depends on version JDK or SAX implementation
	if (logger.shouldLog(SessionLog.CONFIG, SessionLog.MOXY)) {
	logger.log(SessionLog.CONFIG, SessionLog.MOXY, "jaxp_sec_prop_not_supported", new Object[] {ACCESS_EXTERNAL_SCHEMA});
	logger.logThrowable(SessionLog.CONFIG, SessionLog.MOXY, ignored);
	}
	}
	return dbf;
	}

	public static XMLReader allowExternalAccess(XMLReader xmlReader, String value, boolean disableSecureProcessing) {
	SessionLog logger = AbstractSessionLog.getLog();
	// if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
	if (isXMLSecurityDisabled(disableSecureProcessing)) {
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_disabled", new Object[] {"xsd"});
	}
	return xmlReader;
	}

	if (PrivilegedAccessHelper.getSystemProperty(PROP_ACCESS_EXTERNAL_SCHEMA) != null) {
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_explicit", new Object[] {"xsd"});
	}
	return xmlReader;
	}

	try {
	xmlReader.setProperty(ACCESS_EXTERNAL_SCHEMA, value);
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_prop_supported", new Object[] {ACCESS_EXTERNAL_SCHEMA});
	}
	} catch (SAXException ignored) {
	// nothing to do; support depends on version JDK or SAX implementation
	if (logger.shouldLog(SessionLog.CONFIG, SessionLog.MOXY)) {
	logger.log(SessionLog.CONFIG, SessionLog.MOXY, "jaxp_sec_prop_not_supported", new Object[] {ACCESS_EXTERNAL_SCHEMA});
	logger.logThrowable(SessionLog.CONFIG, SessionLog.MOXY, ignored);
	}
	}
	return xmlReader;
	}

	public static SchemaFactory allowExternalDTDAccess(SchemaFactory sf, String value, boolean disableSecureProcessing) {
	SessionLog logger = AbstractSessionLog.getLog();
	// if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
	if (isXMLSecurityDisabled(disableSecureProcessing)) {
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_disabled", new Object[] {"DTD"});
	}
	return sf;
	}

	if (PrivilegedAccessHelper.getSystemProperty(PROP_ACCESS_EXTERNAL_DTD) != null) {
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_explicit", new Object[] {"DTD"});
	}
	return sf;
	}

	try {
	sf.setProperty(ACCESS_EXTERNAL_DTD, value);
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_prop_supported", new Object[] {ACCESS_EXTERNAL_DTD});
	}
	} catch (SAXException ignored) {
	// nothing to do; support depends on version JDK or SAX implementation
	if (logger.shouldLog(SessionLog.CONFIG, SessionLog.MOXY)) {
	logger.log(SessionLog.CONFIG, SessionLog.MOXY, "jaxp_sec_prop_not_supported", new Object[] {ACCESS_EXTERNAL_DTD});
	logger.logThrowable(SessionLog.CONFIG, SessionLog.MOXY, ignored);
	}
	}
	return sf;
	}

	public static DocumentBuilderFactory allowExternalDTDAccess(DocumentBuilderFactory dbf, String value, boolean disableSecureProcessing) {
	SessionLog logger = AbstractSessionLog.getLog();
	// if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
	if (isXMLSecurityDisabled(disableSecureProcessing)) {
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_disabled", new Object[] {"DTD"});
	}
	return dbf;
	}

	if (PrivilegedAccessHelper.getSystemProperty(PROP_ACCESS_EXTERNAL_DTD) != null) {
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_explicit", new Object[] {"DTD"});
	}
	return dbf;
	}

	try {
	dbf.setAttribute(ACCESS_EXTERNAL_DTD, value);
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_prop_supported", new Object[] {ACCESS_EXTERNAL_DTD});
	}
	} catch (IllegalArgumentException ignored) {
	// nothing to do; support depends on version JDK or SAX implementation
	if (logger.shouldLog(SessionLog.CONFIG, SessionLog.MOXY)) {
	logger.log(SessionLog.CONFIG, SessionLog.MOXY, "jaxp_sec_prop_not_supported", new Object[] {ACCESS_EXTERNAL_DTD});
	logger.logThrowable(SessionLog.CONFIG, SessionLog.MOXY, ignored);
	}
	}
	return dbf;
	}

	public static XMLReader allowExternalDTDAccess(XMLReader xmlReader, String value, boolean disableSecureProcessing) {
	SessionLog logger = AbstractSessionLog.getLog();
	// if xml security (feature secure processing) disabled, nothing to do, no restrictions applied
	if (isXMLSecurityDisabled(disableSecureProcessing)) {
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_disabled", new Object[] {"DTD"});
	}
	return xmlReader;
	}

	if (PrivilegedAccessHelper.getSystemProperty(PROP_ACCESS_EXTERNAL_DTD) != null) {
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_explicit", new Object[] {"DTD"});
	}
	return xmlReader;
	}

	try {
	xmlReader.setProperty(ACCESS_EXTERNAL_DTD, value);
	if (logger.shouldLog(SessionLog.FINE, SessionLog.MOXY)) {
	logger.log(SessionLog.FINE, SessionLog.MOXY, "jaxp_sec_prop_supported", new Object[] {ACCESS_EXTERNAL_DTD});
	}
	} catch (SAXException ignored) {
	// nothing to do; support depends on version JDK or SAX implementation
	if (logger.shouldLog(SessionLog.CONFIG, SessionLog.MOXY)) {
	logger.log(SessionLog.CONFIG, SessionLog.MOXY, "jaxp_sec_prop_not_supported", new Object[] {ACCESS_EXTERNAL_DTD});
	logger.logThrowable(SessionLog.CONFIG, SessionLog.MOXY, ignored);
	}
	}
	return xmlReader;
	}
	}