8353232: Standardizing and Unifying XML Component Configurations

src/java.xml/share/classes/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java

@@ -69,14 +69,15 @@
 import jdk.xml.internal.FeaturePropertyBase;
 import jdk.xml.internal.JdkConstants;
 import jdk.xml.internal.JdkProperty;
+import jdk.xml.internal.JdkXmlConfig;
 import jdk.xml.internal.JdkXmlFeatures;
 import jdk.xml.internal.JdkXmlUtils;
 import jdk.xml.internal.JdkProperty.ImplPropMap;
 import jdk.xml.internal.JdkProperty.State;
 import jdk.xml.internal.TransformErrorListener;
 import jdk.xml.internal.XMLSecurityManager;
-import jdk.xml.internal.XMLSecurityPropertyManager.Property;
 import jdk.xml.internal.XMLSecurityPropertyManager;
+import jdk.xml.internal.XMLSecurityPropertyManager.Property;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 import org.xml.sax.XMLFilter;
@@ -87,7 +88,7 @@
  * @author G. Todd Miller
  * @author Morten Jorgensen
  * @author Santiago Pericas-Geertsen
- * @LastModified: Apr 2025
+ * @LastModified: May 2025
  */
 public class TransformerFactoryImpl
     extends SAXTransformerFactory implements SourceLoader
@@ -265,17 +266,18 @@ public PIParamWrapper(String media, String title, String charset) {
      * javax.xml.transform.sax.TransformerFactory implementation.
      */
     public TransformerFactoryImpl() {
-        _xmlFeatures = new JdkXmlFeatures(!_isNotSecureProcessing);
+        JdkXmlConfig config = JdkXmlConfig.getInstance(false);
+        // security (property) managers updated with current system properties
+        _xmlSecurityManager = config.getXMLSecurityManager(true);
+        _xmlSecurityPropertyMgr = config.getXMLSecurityPropertyManager(true);
+        _xmlFeatures = config.getXMLFeatures(true);
         _overrideDefaultParser = _xmlFeatures.getFeature(
                 JdkXmlFeatures.XmlFeature.JDK_OVERRIDE_PARSER);
-        _xmlSecurityPropertyMgr = new XMLSecurityPropertyManager();
         _accessExternalDTD = _xmlSecurityPropertyMgr.getValue(
                 Property.ACCESS_EXTERNAL_DTD);
         _accessExternalStylesheet = _xmlSecurityPropertyMgr.getValue(
                 Property.ACCESS_EXTERNAL_STYLESHEET);
 
-        //Parser's security manager
-        _xmlSecurityManager = new XMLSecurityManager(true);
         //Unmodifiable hash map with loaded external extension functions
         _xsltcExtensionFunctions = null;
         _extensionClassLoader = new JdkProperty<>(ImplPropMap.EXTCLSLOADER,

src/java.xml/share/classes/com/sun/org/apache/xerces/internal/dom/DOMConfigurationImpl.java

@@ -53,6 +53,7 @@
 import javax.xml.XMLConstants;
 import javax.xml.catalog.CatalogFeatures;
 import jdk.xml.internal.JdkConstants;
+import jdk.xml.internal.JdkXmlConfig;
 import jdk.xml.internal.JdkXmlUtils;
 import jdk.xml.internal.XMLSecurityManager;
 import jdk.xml.internal.XMLSecurityPropertyManager;
@@ -71,7 +72,7 @@
  *
  * @author Elena Litani, IBM
  * @author Neeraj Bajaj, Sun Microsystems.
- * @LastModified: Apr 2025
+ * @LastModified: May 2025
  */
 public class DOMConfigurationImpl extends ParserConfigurationSettings
     implements XMLParserConfiguration, DOMConfiguration {
@@ -414,10 +415,10 @@ protected DOMConfigurationImpl(SymbolTable symbolTable,
         fValidationManager = createValidationManager();
         setProperty(VALIDATION_MANAGER, fValidationManager);
 
-        setProperty(SECURITY_MANAGER, new XMLSecurityManager(true));
+        setProperty(SECURITY_MANAGER, JdkXmlConfig.getInstance(false).getXMLSecurityManager(false));
 
         setProperty(JdkConstants.XML_SECURITY_PROPERTY_MANAGER,
-                new XMLSecurityPropertyManager());
+                JdkXmlConfig.getInstance(false).getXMLSecurityPropertyManager(false));
 
         // add message formatters
         if (fErrorReporter.getMessageFormatter(XMLMessageFormatter.XML_DOMAIN) == null) {

src/java.xml/share/classes/com/sun/org/apache/xerces/internal/impl/PropertyManager.java

@@ -31,6 +31,7 @@
 import javax.xml.stream.XMLOutputFactory;
 import javax.xml.stream.XMLResolver;
 import jdk.xml.internal.JdkConstants;
+import jdk.xml.internal.JdkXmlConfig;
 import jdk.xml.internal.JdkXmlUtils;
 import jdk.xml.internal.XMLSecurityManager;
 import jdk.xml.internal.XMLSecurityPropertyManager;
@@ -44,7 +45,7 @@
  * @author K Venugopal
  * @author Sunitha Reddy
  *
- * @LastModified: Apr 2025
+ * @LastModified: May 2025
  */
 public class PropertyManager {
 
@@ -66,6 +67,7 @@ public class PropertyManager {
 
     HashMap<String, Object> supportedProps = new HashMap<>();
 
+    JdkXmlConfig config = JdkXmlConfig.getInstance(true);
     private XMLSecurityManager fSecurityManager;
     private XMLSecurityPropertyManager fSecurityPropertyMgr;
 
@@ -141,9 +143,9 @@ private void initConfigurableReaderProperties() {
         supportedProps.put(Constants.XERCES_FEATURE_PREFIX + Constants.WARN_ON_DUPLICATE_ENTITYDEF_FEATURE, false);
         supportedProps.put(Constants.XERCES_FEATURE_PREFIX + Constants.WARN_ON_UNDECLARED_ELEMDEF_FEATURE, false);
 
-        fSecurityManager = new XMLSecurityManager(true);
+        fSecurityManager = config.getXMLSecurityManager(true);
+        fSecurityPropertyMgr = config.getXMLSecurityPropertyManager(true);
         supportedProps.put(SECURITY_MANAGER, fSecurityManager);
-        fSecurityPropertyMgr = new XMLSecurityPropertyManager();
         supportedProps.put(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
 
         // Initialize Catalog features
@@ -232,7 +234,7 @@ public void setProperty(String property, Object value) {
         }
         if (property.equals(JdkConstants.XML_SECURITY_PROPERTY_MANAGER)) {
             if (value == null) {
-                fSecurityPropertyMgr = new XMLSecurityPropertyManager();
+                fSecurityPropertyMgr = config.getXMLSecurityPropertyManager(true);
             } else {
                 fSecurityPropertyMgr = (XMLSecurityPropertyManager) value;
             }

src/java.xml/share/classes/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java

@@ -49,15 +49,14 @@
 import java.util.StringTokenizer;
 import javax.xml.XMLConstants;
 import javax.xml.catalog.CatalogException;
-import javax.xml.catalog.CatalogFeatures.Feature;
 import javax.xml.catalog.CatalogFeatures;
 import javax.xml.catalog.CatalogManager;
 import javax.xml.catalog.CatalogResolver;
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.transform.Source;
-import jdk.xml.internal.JdkCatalog;
 import jdk.xml.internal.JdkConstants;
 import jdk.xml.internal.JdkProperty;
+import jdk.xml.internal.JdkXmlConfig;
 import jdk.xml.internal.JdkXmlUtils;
 import jdk.xml.internal.SecuritySupport;
 import jdk.xml.internal.XMLLimitAnalyzer;
@@ -94,7 +93,7 @@
  * @author K.Venugopal SUN Microsystems
  * @author Neeraj Bajaj SUN Microsystems
  * @author Sunitha Reddy SUN Microsystems
- * @LastModified: Apr 2025
+ * @LastModified: May 2025
  */
 public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
 
@@ -436,7 +435,7 @@ public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
      * If this constructor is used to create the object, reset() should be invoked on this object
      */
     public XMLEntityManager() {
-        this(null, new XMLSecurityManager(true));
+        this(null, JdkXmlConfig.getInstance(false).getXMLSecurityManager(false));
     }
 
     public XMLEntityManager(XMLSecurityPropertyManager securityPropertyMgr, XMLSecurityManager securityManager) {
@@ -1055,7 +1054,7 @@ public StaxXMLInputSource resolveEntityAsPerStax(XMLResourceIdentifier resourceI
                 && JdkXmlUtils.isResolveContinue(fCatalogFeatures)) {
             initJdkCatalogResolver();
 
-            staxInputSource = resolveWithCatalogStAX(fDefCR, JdkCatalog.JDKCATALOG, publicId, literalSystemId);
+            staxInputSource = resolveWithCatalogStAX(fDefCR, JdkXmlConfig.JDKCATALOG_FILE, publicId, literalSystemId);
         }
 
         // Step 4: default resolution if not resolved by a resolver and the RESOLVE
@@ -1697,7 +1696,7 @@ public void reset(XMLComponentManager componentManager)
         // JAXP 1.5 feature
         XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager) componentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER, null);
         if (spm == null) {
-            spm = new XMLSecurityPropertyManager();
+            spm = JdkXmlConfig.getInstance(false).getXMLSecurityPropertyManager(false);
         }
         fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
 

src/java.xml/share/classes/com/sun/org/apache/xerces/internal/impl/xs/XMLSchemaLoader.java

@@ -74,6 +74,7 @@
 import java.util.WeakHashMap;
 import javax.xml.XMLConstants;
 import jdk.xml.internal.JdkConstants;
+import jdk.xml.internal.JdkXmlConfig;
 import jdk.xml.internal.JdkXmlUtils;
 import jdk.xml.internal.XMLSecurityManager;
 import jdk.xml.internal.XMLSecurityPropertyManager;
@@ -102,7 +103,7 @@
  * @xerces.internal
  *
  * @author Neil Graham, IBM
- * @LastModified: Apr 2025
+ * @LastModified: May 2025
  */
 
 public class XMLSchemaLoader implements XMLGrammarLoader, XMLComponent, XSElementDeclHelper,
@@ -1001,13 +1002,13 @@ public void reset(XMLComponentManager componentManager) throws XMLConfigurationE
 
         XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)componentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER);
         if (spm == null) {
-            spm = new XMLSecurityPropertyManager();
+            spm = JdkXmlConfig.getInstance(false).getXMLSecurityPropertyManager(false);
             setProperty(XML_SECURITY_PROPERTY_MANAGER, spm);
         }
 
         XMLSecurityManager sm = (XMLSecurityManager)componentManager.getProperty(SECURITY_MANAGER);
         if (sm == null)
-            setProperty(SECURITY_MANAGER,new XMLSecurityManager(true));
+            setProperty(SECURITY_MANAGER, JdkXmlConfig.getInstance(false).getXMLSecurityManager(false));
 
         faccessExternalSchema = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA);
 

src/java.xml/share/classes/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java

@@ -105,6 +105,7 @@
 import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.XMLStreamReader;
 import jdk.xml.internal.JdkConstants;
+import jdk.xml.internal.JdkXmlConfig;
 import jdk.xml.internal.JdkXmlUtils;
 import jdk.xml.internal.SecuritySupport;
 import jdk.xml.internal.XMLSecurityManager;
@@ -131,7 +132,7 @@
  * @author Neil Graham, IBM
  * @author Pavani Mukthipudi, Sun Microsystems
  *
- * @LastModified: Apr 2025
+ * @LastModified: May 2025
  */
 public class XSDHandler {
 
@@ -735,7 +736,8 @@ private void createAnnotationValidator() {
         fAnnotationValidator.setFeature(XMLSCHEMA_VALIDATION, true);
         fAnnotationValidator.setProperty(XMLGRAMMAR_POOL, fGrammarBucketAdapter);
         /** set security manager and XML Security Property Manager **/
-        fAnnotationValidator.setProperty(SECURITY_MANAGER, (fSecurityManager != null) ? fSecurityManager : new XMLSecurityManager(true));
+        fAnnotationValidator.setProperty(SECURITY_MANAGER,
+                (fSecurityManager != null) ? fSecurityManager : JdkXmlConfig.getInstance(false).getXMLSecurityManager(false));
         fAnnotationValidator.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
         /** Set error handler. **/
         fAnnotationValidator.setProperty(ERROR_HANDLER, (fErrorHandler != null) ? fErrorHandler : new DefaultErrorHandler());

src/java.xml/share/classes/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderFactoryImpl.java

@@ -29,6 +29,8 @@
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.validation.Schema;
+
+import jdk.xml.internal.JdkXmlConfig;
 import jdk.xml.internal.JdkXmlUtils;
 import jdk.xml.internal.XMLSecurityManager;
 import jdk.xml.internal.XMLSecurityPropertyManager;
@@ -39,7 +41,7 @@
 /**
  * @author Rajiv Mordani
  * @author Edwin Goei
- * @LastModified: Apr 2025
+ * @LastModified: May 2025
  */
 public class DocumentBuilderFactoryImpl extends DocumentBuilderFactory {
     /** These are DocumentBuilderFactory attributes not DOM attributes */
@@ -54,8 +56,15 @@ public class DocumentBuilderFactoryImpl extends DocumentBuilderFactory {
     private boolean fSecureProcess = true;
 
     // used to verify attributes
-    XMLSecurityManager fSecurityManager = new XMLSecurityManager(true);
-    XMLSecurityPropertyManager fSecurityPropertyMgr = new XMLSecurityPropertyManager();
+    XMLSecurityManager fSecurityManager;
+    XMLSecurityPropertyManager fSecurityPropertyMgr;
+
+    public DocumentBuilderFactoryImpl() {
+        JdkXmlConfig config = JdkXmlConfig.getInstance(false);
+        // security (property) managers updated with current system properties
+        fSecurityManager = config.getXMLSecurityManager(true);
+        fSecurityPropertyMgr = config.getXMLSecurityPropertyManager(true);
+    }
 
     /**
      * Creates a new instance of a {@link javax.xml.parsers.DocumentBuilder}

src/java.xml/share/classes/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java

@@ -59,7 +59,7 @@
 /**
  * @author Rajiv Mordani
  * @author Edwin Goei
- * @LastModified: Apr 2025
+ * @LastModified: May 2025
  */
 public class DocumentBuilderImpl extends DocumentBuilder
         implements JAXPConstants
@@ -140,7 +140,7 @@ public class DocumentBuilderImpl extends DocumentBuilder
     {
         domParser = new DOMParser();
 
-        fSecurityPropertyMgr = new XMLSecurityPropertyManager();
+        fSecurityPropertyMgr = dbf.fSecurityPropertyMgr;
         domParser.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
 
         fSecurityManager = dbf.fSecurityManager;

src/java.xml/share/classes/com/sun/org/apache/xerces/internal/jaxp/SAXParserFactoryImpl.java

@@ -28,6 +28,7 @@
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
 import javax.xml.validation.Schema;
+import jdk.xml.internal.JdkXmlConfig;
 import jdk.xml.internal.XMLSecurityManager;
 import jdk.xml.internal.XMLSecurityPropertyManager;
 import org.xml.sax.SAXException;
@@ -42,7 +43,7 @@
  * @author Rajiv Mordani
  * @author Edwin Goei
  *
- * @LastModified: Apr 2025
+ * @LastModified: May 2025
  */
 public class SAXParserFactoryImpl extends SAXParserFactory {
 
@@ -68,8 +69,14 @@ public class SAXParserFactoryImpl extends SAXParserFactory {
     private boolean fSecureProcess = true;
 
     // Security Managers
-    XMLSecurityManager fSecurityManager = new XMLSecurityManager(true);
-    XMLSecurityPropertyManager fSecurityPropertyMgr = new XMLSecurityPropertyManager();
+    XMLSecurityManager fSecurityManager;
+    XMLSecurityPropertyManager fSecurityPropertyMgr;
+
+    public SAXParserFactoryImpl() {
+        JdkXmlConfig config = JdkXmlConfig.getInstance(false);
+        fSecurityManager = config.getXMLSecurityManager(true);
+        fSecurityPropertyMgr = config.getXMLSecurityPropertyManager(true);
+    }
 
     /**
      * Creates a new instance of <code>SAXParser</code> using the currently

src/java.xml/share/classes/com/sun/org/apache/xerces/internal/jaxp/SAXParserImpl.java

@@ -43,6 +43,7 @@
 import javax.xml.validation.Schema;
 import jdk.xml.internal.FeaturePropertyBase;
 import jdk.xml.internal.JdkConstants;
+import jdk.xml.internal.JdkXmlConfig;
 import jdk.xml.internal.JdkXmlUtils;
 import jdk.xml.internal.XMLSecurityManager;
 import jdk.xml.internal.XMLSecurityPropertyManager;
@@ -64,7 +65,7 @@
  * @author Rajiv Mordani
  * @author Edwin Goei
  *
- * @LastModified: Apr 2025
+ * @LastModified: May 2025
  */
 @SuppressWarnings("deprecation")
 public class SAXParserImpl extends javax.xml.parsers.SAXParser
@@ -412,7 +413,7 @@ public JAXPSAXParser() {
              * it is null.
              */
             if (fSecurityManager == null) {
-                fSecurityManager = new XMLSecurityManager(true);
+                fSecurityManager = JdkXmlConfig.getInstance(false).getXMLSecurityManager(false);
             }
             try {
                 super.setProperty(SECURITY_MANAGER, fSecurityManager);
@@ -423,7 +424,7 @@ public JAXPSAXParser() {
             }
 
             if (fSecurityPropertyMgr == null) {
-                fSecurityPropertyMgr = new XMLSecurityPropertyManager();
+                fSecurityPropertyMgr = JdkXmlConfig.getInstance(false).getXMLSecurityPropertyManager(false);
             }
             try {
                 super.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);

src/java.xml/share/classes/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2025, Oracle and/or its affiliates. All rights reserved.
  */
  /*
  * Licensed to the Apache Software Foundation (ASF) under one or more
@@ -23,6 +23,7 @@
 import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter;
 import com.sun.org.apache.xerces.internal.impl.msg.XMLMessageFormatter;
 import com.sun.org.apache.xerces.internal.parsers.XML11Configuration;
+import jdk.xml.internal.JdkXmlConfig;
 import jdk.xml.internal.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLInputSource;
@@ -49,7 +50,7 @@
  *
  * @author Michael Glavassevich, IBM
  * @author Sunitha Reddy
- * @LastModified: July 2023
+ * @LastModified: May 2025
  */
 final class StreamValidatorHelper implements ValidatorHelper {
 
@@ -190,7 +191,7 @@ else if (fComponentManager.getFeature(PARSER_SETTINGS)) {
     private XMLParserConfiguration initialize() {
         XML11Configuration config = new XML11Configuration();
         if (fComponentManager.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING)) {
-            config.setProperty(SECURITY_MANAGER, new XMLSecurityManager());
+            config.setProperty(SECURITY_MANAGER, JdkXmlConfig.getInstance(false).getXMLSecurityManager(false));
         }
         config.setProperty(ENTITY_RESOLVER, fComponentManager.getProperty(ENTITY_RESOLVER));
         config.setProperty(ERROR_HANDLER, fComponentManager.getProperty(ERROR_HANDLER));