Spotlight on GlassFish 4.1: #4 JAXP accessExternalSchema

'Spotlight on GlassFish 4.1' is a series of posts that highlights specific enhancements of the upcoming GlassFish 4.1 release. It could be a new feature, a fix, a behaviour change, a tip, etc.

#4 JAXP 1.5 accessExternalSchema

GlassFish 4.1 supports recent JDK versions (JDK 7 u65+ and JDK 8 u5+). Sometime, those newer JDKs might have some side effect as they bring new features too. 

For example, several properties have been introduced in JAXP 1.5 (JDK 7u40+ and JDK 8+). Properties which are used to set restrictions when JAXP is used to process untrusted XML contents. And by default, those restrictions are set!

GF 4.1 is configured to offer the behavior of GF 4.0 used with an older JAXP release (prior to JAXP 1.5), i.e. no restriction on schemas processing. So by default, a GF 4.1 domain.xml is configured with the following JVM option to allow all schemas to be processed: <jvm-options>-Djavax.xml.accessExternalSchema=all </jvm-options>
This configuration obviously assumes that your external XML content is trusted or at least sanitised by an XML firewall. This is applicable to JAXP 1.5 (and above).


is this really in glassfish 4.1, or is it in glassfish 4.0.1 ?

Posted by guest on August 11, 2014 at 09:28 AM PDT #

There won't be a GF 4.0.1 as we have decided GF 4.1 would make more sense (see It also means the early builds of GF 4.1 were called 4.0.1!
IIRC, the domain.xml change was made before we changed the version to 4.1. But anyway, what matters is the final version : 4.1.

Posted by David Delabassee on August 11, 2014 at 09:48 AM PDT #

Post a Comment:
Comments are closed for this entry.