Schema validation issue when setting xml attributes to TransformerFactory in AbstractXmlConfigHelper.java

[mayurgithub]

Describe the bug
When setting xml attributes in AbstractXmlConfigHelper.java

        TransformerFactory transformerFactory = TransformerFactory.newInstance();
        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

we see an IllegalArgumentException thrown.

Expected behavior
If these attributes are set within a try catch block, it wouldn't block starting the server.
Or use transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

This is because in com/sun/org/apache/xalan/internal/xsltctrax/TransformerFactoryImpl.java:

if (value && XalanConstants.IS_JDK8_OR_ABOVE) {
    _xmlSecurityPropertyMgr.setValue(
         Property.ACCESS_EXTERNAL_DTD, 
         State.FSP, 
         XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP
    ); // ACCESS_EXTERNAL_DTD is disabled by setting to the default value
 }

Steps to reproduce:
While parsing the hazelcast.xml file this error is thrown.

Additional context

Common details that we're often interested in:

• Logs and stack traces, if available

java.lang.IllegalArgumentException: Not supported: http://javax.xml.XMLConstants/property/accessExternalDTD
       at org.apache.xalan.processor.TransformerFactoryImpl.setAttribute(TransformerFactoryImpl.java:571)
       at com.hazelcast.config.AbstractXmlConfigHelper.schemaValidation(AbstractXmlConfigHelper.java:109)
       at com.hazelcast.config.XmlConfigBuilder.parseAndBuildConfig(XmlConfigBuilder.java:169)
       at com.hazelcast.config.XmlConfigBuilder.build(XmlConfigBuilder.java:151)
       at com.hazelcast.config.XmlConfigBuilder.build(XmlConfigBuilder.java:144)
       at com.hazelcast.config.Config.loadFromFile(Config.java:225)
       at com.hazelcast.config.Config.load(Config.java:208)
       at com.hazelcast.instance.impl.HazelcastInstanceFactory.newHazelcastInstance(HazelcastInstanceFactory.java:125)
       at com.hazelcast.core.Hazelcast.newHazelcastInstance(Hazelcast.java:91)

• Hazelcast version -4.1
• xalan version (TransformerFactoryImpl) - 2.7.2
• Version of Java - 1.8
• Operating system - Windows 10

[vbekiaris]

@mayurgithub thanks for the issue report. This looks similar to #17839 which is fixed in 4.1.1 by #17868 - you will have to explicitly ignore failures during enabling XXE protection by setting system property hazelcast.ignoreXxeProtectionFailures to true (see here). Can you verify if your issue is fixed?

[mayurgithub]

Thanks for the quick response Vassilis. Adding that property helped get it beyond that error but it still fails to create an instance of Hazelcast and fails.

[vbekiaris]

Thanks for the update. Can you post what is the exception now?

[vbekiaris]

@mayurgithub I created a very simple project with Xalan 2.7.2 & Hazelcast 4.1 and I verified the original exception you posted. Once I upgraded hazelcast to 4.1.1 and added -Dhazelcast.ignoreXxeProtectionFailures=true to my java command, the exception goes away and Hazelcast starts properly. It would be great if you could verify this or post what is the failure in your use case.

[mayurgithub]

I added the property to hazelcast.xml

//	<property name="hazelcast.health.monitoring.level">OFF</property>
//	<property name="hazelcast.ignoreXxeProtectionFailures">true</property>

The error is shown below.

2020-12-23 00:17:19,787-0800 ERROR [com.xxx] [-] [] Cannot instantiate XXX
 java.lang.IllegalArgumentException: Not supported: http://javax.xml.XMLConstants/property/accessExternalDTD
	at org.apache.xalan.processor.TransformerFactoryImpl.setAttribute(TransformerFactoryImpl.java:571)
	at com.hazelcast.config.AbstractXmlConfigHelper.schemaValidation(AbstractXmlConfigHelper.java:109)
	at com.hazelcast.config.XmlConfigBuilder.parseAndBuildConfig(XmlConfigBuilder.java:169)
	at com.hazelcast.config.XmlConfigBuilder.build(XmlConfigBuilder.java:151)
	at com.hazelcast.config.XmlConfigBuilder.build(XmlConfigBuilder.java:144)
	at com.hazelcast.config.Config.loadFromFile(Config.java:225)
	at com.hazelcast.config.Config.load(Config.java:208)
	at com.hazelcast.instance.impl.HazelcastInstanceFactory.newHazelcastInstance(HazelcastInstanceFactory.java:125)
	at com.hazelcast.core.Hazelcast.newHazelcastInstance(Hazelcast.java:91)

[vbekiaris]

@mayurgithub I see. You need to set this as a system property, not a Hazelcast configuration property. So you can do this in two ways:

• add -Dhazelcast.ignoreXxeProtectionFailures=true to your java command line arguments, for example:
  java -Dhazelcast.ignoreXxeProtectionFailures=true -cp main.jar com.example.Main
• set it programmatically in your application before you start Hazelcast like this:

System.setProperty("hazelcast.ignoreXxeProtectionFailures", "true");
HazelcastInstance hz = Hazelcast.newHazelcastInstance();

[mayurgithub]

Thank for the clarification Vassilis. I added that property. I still see the same error though

2020-12-23 17:23:51,584-0800 ERROR [com.XXX.tk.service.XXX] [-] [] Cannot instantiate XXX
 java.lang.IllegalArgumentException: Not supported: http://javax.xml.XMLConstants/property/accessExternalDTD
	at org.apache.xalan.processor.TransformerFactoryImpl.setAttribute(TransformerFactoryImpl.java:571)
	at com.hazelcast.config.AbstractXmlConfigHelper.schemaValidation(AbstractXmlConfigHelper.java:109)
	at com.hazelcast.config.XmlConfigBuilder.parseAndBuildConfig(XmlConfigBuilder.java:169)
	at com.hazelcast.config.XmlConfigBuilder.build(XmlConfigBuilder.java:151)
	at com.hazelcast.config.XmlConfigBuilder.build(XmlConfigBuilder.java:144)
	at com.hazelcast.config.Config.loadFromFile(Config.java:225)
	at com.hazelcast.config.Config.load(Config.java:208)
	at com.hazelcast.instance.impl.HazelcastInstanceFactory.newHazelcastInstance(HazelcastInstanceFactory.java:125)
	at com.hazelcast.core.Hazelcast.newHazelcastInstance(Hazelcast.java:91)

[mayurgithub]

Hi Vassilis,
The code below worked. I just had to pass in the config object to the hazelcast instance.

Config cfg = new Config();
cfg.setProperty("hazelcast.ignoreXxeProtectionFailures", "true");
HazelcastInstance instance = Hazelcast.newHazelcastInstance(cfg);

For some reason the System.setProperty didn't work for me.
Thanks for all your help!!!!!

[deepred-dev]

@mayurgithub I see. You need to set this as a system property, not a Hazelcast configuration property. So you can do this in two ways:

* add `-Dhazelcast.ignoreXxeProtectionFailures=true` to your `java` command line arguments, for example:
  `java -Dhazelcast.ignoreXxeProtectionFailures=true -cp main.jar com.example.Main`

* set it programmatically in your application before you start Hazelcast like this:

System.setProperty("hazelcast.ignoreXxeProtectionFailures", "true");
HazelcastInstance hz = Hazelcast.newHazelcastInstance();

The documentation is misleading:
"You can use system properties to configure some aspects of Hazelcast. You set these properties as name and value pairs through declarative configuration, programmatic configuration or JVM system property. Following are examples for each option."

And there is an example how to set system properties declarative, as mayurgithub tried to do:
https://docs.hazelcast.com/imdg/4.1/configuration/configuring-with-system-properties.html