Documentation

Scope and Order
Trail: Java API for XML Processing (JAXP)
Lesson: JAXP 1.5 and New Properties

Scope and Order

javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING (FSP) is a required feature for XML processors including DOM, SAX, Schema Validation, XSLT and XPath. When set to true, it is recommended that implementations enable access restrictions as defined by the new properties specified above. For compatibility, JAXP 1.5 does not enable the new restrictions, although FSP is true by default for DOM, SAX and Schema Validation.

For JDK 8, the new accessExternal* properties are proposed to be set to the empty string when FSP is explicitly set. This is only the case when FSP is set through the API, e.g. factory.setFeature(FSP, true). Although FSP is true by default for DOM, SAX and Schema Validation it is not treated as if "explicitly" set, JDK 8 therefore does not set restrictions by default.

Properties specified in the jaxp.properties file affect all invocations of the JDK or JRE, and will override their default values, or those that may have been set by FEATURE_SECURE_PROCESSING.

System properties, when set, will affect one invocation only, and will override the default settings or those set in jaxp.properties, or those that may have been set by FEATURE_SECURE_PROCESSING.

JAXP properties specified through JAXP factories or SAXParser take preference over system properties, the jaxp.properties file, as well as javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING.

The new JAXP properties have no effect on the relevant constructs they attempt to restrict in the following situations:


Previous page: New Properties
Next page: Relationship with the SecurityManager