jboss · ronsigal · Jan 9, 2016
diff --git a/.gitignore b/.gitignore
@@ -3,3 +3,4 @@
 /out.xml
 /target
 *.iml
+/bin/
diff --git a/docbook/pom.xml b/docbook/pom.xml
@@ -0,0 +1,108 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>xerces</groupId>
+    <artifactId>secure-configuration-guide</artifactId>
+    <version>2.11.0.SP5-SNAPSHOT</version>
+    <packaging>jdocbook</packaging>
+
+    <name>Xerces Secure Configuration Guide</name>
+    <description>
+       Discusses the implementation of the SECURE PROCESSING FEATURE introduced in JAXP.
+    </description>
+    <url>http://xerces.apache.org/xerces2-j</url>
+    <inceptionYear>2005</inceptionYear>
+    <organization>
+      <name>Apache Software Foundation</name>
+      <url>http://www.apache.org/</url>
+    </organization>
+    <licenses>
+      <license>
+        <name>The Apache Software License, Version 2.0</name>
+        <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
+        <distribution>repo</distribution>
+      </license>
+    </licenses>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.jboss.maven.plugins</groupId>
+                <artifactId>maven-jdocbook-plugin</artifactId>
+                <version>2.3.8</version>
+                <extensions>true</extensions>
+
+                <dependencies>
+                    <dependency>
+                        <groupId>org.jboss.pressgang</groupId>
+                        <artifactId>pressgang-xslt-ns</artifactId>
+                        <version>2.0.2</version>
+                    </dependency>
+                    <dependency>
+                        <groupId>org.jboss.pressgang</groupId>
+                        <artifactId>pressgang-jdocbook-style</artifactId>
+                        <type>jdocbook-style</type>
+                        <version>2.0.2</version>
+                    </dependency>
+                </dependencies>
+
+                <configuration>
+                    <sourceDocumentName>master.xml</sourceDocumentName>
+                    <masterTranslation>en-US</masterTranslation>
+                    <sourceDirectory>reference/en</sourceDirectory>
+                    <imageResource>
+                        <directory>reference/en</directory>
+                        <includes>
+                            <include>images/*</include>
+                        </includes>
+                    </imageResource>
+                    <formats>
+                        <format>
+                            <formatName>html_single</formatName>
+                            <stylesheetResource>classpath:/xslt/org/jboss/xhtml-single.xsl</stylesheetResource>
+                            <finalName>index.html</finalName>
+                            <!-- <profilingTypeName>two_pass</profilingTypeName> -->
+                        </format>
+                        <format>
+                            <formatName>html</formatName>
+                            <stylesheetResource>classpath:/xslt/org/jboss/xhtml.xsl</stylesheetResource>
+                            <finalName>index.html</finalName>
+                            <!-- <profilingTypeName>two_pass</profilingTypeName> -->
+                        </format>
+                        <format>
+                            <formatName>pdf</formatName>
+                            <stylesheetResource>classpath:/xslt/org/jboss/pdf.xsl</stylesheetResource>
+                            <finalName>${project.artifactId}.pdf</finalName>
+                        </format>
+                        <!--<format>-->
+                        <!--<formatName>eclipse</formatName>-->
+                        <!--<stylesheetResource>classpath:/xslt/org/jboss/eclipse.xsl</stylesheetResource>-->
+                        <!--<finalName>${project.artifactId}.html</finalName>-->
+                        <!--</format>-->
+                    </formats>
+                    <injections>
+                        <injection>
+                            <name>project.version</name>
+                            <value>${project.version}</value>
+                        </injection>
+                    </injections>
+                    <options>
+                        <xmlTransformerType>saxon</xmlTransformerType>
+                        <xincludeSupported>true</xincludeSupported>
+                        <useRelativeImageUris>true</useRelativeImageUris>
+                        <!-- TODO Probably obsolete after the upgrade to maven-jdocbook-plugin 2.3.0 -->
+                        <docbookVersion>1.72.0</docbookVersion>
+                        <!-- <localeSeparator>-</localeSeparator> -->
+                    </options>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+
+    <properties>
+        <translation>en-US</translation>
+    </properties>
+</project>
diff --git a/docbook/reference/en/en-US/master.xml b/docbook/reference/en/en-US/master.xml
@@ -0,0 +1,25 @@
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+                         "http://www.docbook.org/xml/4.4/docbookx.dtd"
+        [
+         <!ENTITY Introduction  SYSTEM "modules/Introduction.xml">
+         <!ENTITY Features      SYSTEM "modules/Features.xml">
+         <!ENTITY Properties    SYSTEM "modules/Properties.xml">
+         <!ENTITY Compatibility SYSTEM "modules/Compatibility.xml">
+        ]>
+
+<article>
+
+   <articleinfo>
+      <title>Xerces: Secure Processing Configuration</title>
+      <releaseinfo>2.11.0.SP5</releaseinfo>
+   </articleinfo>
+
+   <!--toc/-->
+
+   &Introduction;
+   &Features;
+   &Properties;
+   &Compatibility;
+
+</article>
+
diff --git a/docbook/reference/en/en-US/modules/Compatibility.xml b/docbook/reference/en/en-US/modules/Compatibility.xml
@@ -0,0 +1,61 @@
+<section id="Compatibility">
+<title>Compatibility with Wildfly</title>
+
+As noted in the <link linkend="Introduction">Introduction</link>, the increased
+security imposed by the SECURE_PROCESSING_FEATURE might require additional
+configuration. We examine two different versions of Wildfly to determine if
+changes are necessary.
+
+<section id="wf8.2.1.Final">
+<title>Wildfly 8.2.1.Final</title>
+<para>
+  In Wildfly 8.2.1.Final, the following changes are necessary for the basic integration
+  testsuite to pass.
+</para>
+
+<itemizedlist>
+  <listitem>
+    <emphasis role="bold">hibernate-core</emphasis>: 
+    <para><classname>org.hibernate.cfg.Configuration</classname> needs additional configuration of a
+    <classname>SAXReader</classname>.</para>
+  </listitem>
+  <listitem>
+    <emphasis role="bold">jsf-impl</emphasis>:
+    <para><classname>com.sun.faces.facelets.compiler.SAXCompiler</classname> needs additional configuration
+    of a <classname>SAXParserFactory</classname>.</para>
+  </listitem>
+  <listitem>
+    <emphasis role="bold">picketbox</emphasis>: 
+    <para><classname>org.jboss.security.util.xml.DOMUtils</classname> needs additional configuration
+    of a <classname>DocumentBuilderFactory</classname>.</para>
+  </listitem>
+  <listitem>
+    <emphasis role="bold">wildfly-core-impl</emphasis>:
+    <para><classname>org.jboss.weld.xml.BeansXmlParser</classname> needs additional configuration of a
+    <classname>SAXParserFactory</classname>.</para>
+  </listitem>
+</itemizedlist>
+
+<para>
+  The particular changes vary from case to case, but they generally involve
+</para>
+
+<itemizedlist>
+  <listitem>http://apache.org/xml/features/disallow-doctype-decl</listitem>
+  <listitem>http://apache.org/xml/features/nonvalidating/load-external-dtd</listitem>
+  <listitem>http://javax.xml.XMLConstants/property/accessExternalDTD</listitem>
+  <listitem>http://javax.xml.XMLConstants/property/accessExternalSchema</listitem>
+</itemizedlist>
+
+</section>
+
+<section id="wf-10.0.0.CR4">
+<title>Wildfly 10.0.0.CR4</title>
+
+<para>
+The entire testsuites of Wildfly 10.0.0.CR4 and EAP 7 10.0.0.CR6-redhat-SNAPSHOT run without any changes.
+</para>
+
+</section>
+
+</section>
diff --git a/docbook/reference/en/en-US/modules/Features.xml b/docbook/reference/en/en-US/modules/Features.xml
@@ -0,0 +1,92 @@
+<section id="Features">
+<title>Features</title>
+
+<para>
+  Everything begins with <emphasis role="bold">SECURE_PROCESSING_FEATURE</emphasis>
+  (http://javax.xml.XMLConstants/feature/secure-processing). It is defined in the JAXP specification,
+  and all JAXP conformant software is required to support it. When it is set to true, all of the other
+  features and properties described here are assigned default values that promote security. When it is
+  set to false, the other features and properties are ignored. Its default value is true.
+</para>
+
+<para>
+  In SAX, a feature may be set to true or false either by calling <methodname>SAXParserFactory.setFeature()</methodname>
+  or by calling <methodname>setFeature()</methodname> directly on the <classname>XMLReader</classname> retrieved
+  from the <classname>SAXParser</classname>.
+  In DOM, a feature may be set either by calling <methodname>DocumentBuilderFactory.setFeature()</methodname> or
+  by calling <methodname>setFeature()</methodname> directly on the <classname>DOMParser</classname> retrieved
+  from the <classname>DocumentBuilder</classname>.
+</para>
+
+<para>
+  The following security features are supported. The default values given assume that SECURE_PROCESSING_FEATURE
+  is set to true.
+</para>
+
+<para>
+  <emphasis role="bold">DISALLOW_DOCTYPE_DECL_FEATURE</emphasis>
+  <itemizedlist>
+  <listitem>
+    <emphasis role="bold">parser/factory feature</emphasis>: http://apache.org/xml/features/disallow-doctype-decl
+  </listitem>
+  <listitem>
+    <emphasis role="bold">definition:</emphasis>  Setting this property to true outlaws all DTDs, internal or external.
+    Setting it to false permits the parser to use DTDs.
+  </listitem>
+  <listitem>
+    <emphasis role="bold">default</emphasis>: true
+  </listitem>
+</itemizedlist>
+</para>
+
+<para>
+  <emphasis role="bold">EXTERNAL_GENERAL_ENTITIES_FEATURE</emphasis>
+  <itemizedlist>
+  <listitem>
+    <emphasis role="bold">parser/factory feature</emphasis>: http://xml.org/sax/features/external-general-entities
+  </listitem>
+  <listitem>
+    <emphasis role="bold">definition:</emphasis> Setting this property to true allows the parser to load external
+    general entities, and setting it to false prevents the parser from doing so. 
+  </listitem>
+  <listitem>
+    <emphasis role="bold">default</emphasis>: false
+  </listitem>
+</itemizedlist>
+</para>
+
+<para>
+  <emphasis role="bold">EXTERNAL_PARAMETER_ENTITIES_FEATURE</emphasis>
+  <itemizedlist>
+  <listitem>
+    <emphasis role="bold">parser/factory feature</emphasis>: http://xml.org/sax/features/external-parameter-entities
+  </listitem>
+  <listitem>
+    <emphasis role="bold">definition:</emphasis> Setting this property to true allows the parser to load external DTD
+    subsets referenced by external parameter entities, and  setting it to false prevents the parser from doing so. 
+  </listitem>
+  <listitem>
+    <emphasis role="bold">default</emphasis>: false
+  </listitem>
+</itemizedlist>
+</para>
+
+<para>
+  <emphasis role="bold">LOAD_EXTERNAL_DTD_FEATURE</emphasis>
+  <itemizedlist>
+  <listitem>
+    <emphasis role="bold">parser/factory feature</emphasis>: http://apache.org/xml/features/nonvalidating/load-external-dtd
+  </listitem>
+  <listitem>
+    <emphasis role="bold">definition:</emphasis> Setting this property to true allows the parser to load external DTDs, and
+    setting it to false prevents the parser from doing so. <emphasis role="bold">Note</emphasis>. This feature is relevant
+    only if the parser is configured not to do validation. If the parser is configured to do validation, external DTDs are
+    eligible to be loaded. See also <link linkend="access_external_dtd">ACCESS_EXTERNAL_DTD_PROPERTY</link>.
+  </listitem>
+  <listitem>
+    <emphasis role="bold">default</emphasis>: false
+  </listitem>
+</itemizedlist>
+</para>
+
+</section>
diff --git a/docbook/reference/en/en-US/modules/Introduction.xml b/docbook/reference/en/en-US/modules/Introduction.xml
@@ -0,0 +1,51 @@
+<section id="Introduction">
+<title>Introduction</title>
+
+<para>
+Xerces, like all XML parsers, is vulnerable to a variety of Denial of Service attacks, such as
+XXE (XML External Entity) attacks, and a number of features and
+properties have been introduced over time to strengthen its defenses. These have various sources.
+</para>
+
+<itemizedlist>
+  <listitem>
+Some, such as SECURE_PROCESSING_FEATURE
+(http://javax.xml.XMLConstants/feature/secure-processing), were introduced in one of the series of JAXP
+specifications.  
+  </listitem>
+  <listitem>
+ Some, such as EXTERNAL_GENERAL_ENTITIES_FEATURE 
+(http://xml.org/sax/features/external-general-entities), were introduced in the de facto SAX standard.  
+  </listitem>
+  <listitem>
+Others, such as DISALLOW_DOCTYPE_DECL_FEATURE (http://apache.org/xml/features/disallow-doctype-decl), were
+introduced by Xerces.  
+  </listitem>
+  <listitem>
+And some, such as ACCESS_EXTERNAL_DTD_PROPERTY (http://javax.xml.XMLConstants/property/accessExternalDTD) and
+MAX_TOTAL_ENTITY_SIZE_LIMIT (http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit) were introduced in
+the Oracle reference implementation of JAXP.
+  </listitem>
+</itemizedlist>
+
+<para>
+As of release 2.11.0.SP5, the JBoss fork of Xerces implements all of the related security features and 
+properties found in Oracle JDK 1.8.0_11.
+</para>
+
+<para>
+  <emphasis role="bold">N.B.</emphasis> When Xerces is accessed by way of JAXP sanctioned classes
+  <classname>javax.xml.parsers.SAXParserFactory</classname> and
+  <classname>javax.xml.parsers.DocumentBuilderFactory</classname>, all of these features and properties
+  are assigned security promoting default values.
+</para>
+
+<para>
+  <emphasis role="bold">N.B.</emphasis> These features and properties have default values that incline
+  toward increased security. That means that it is possible for some currently working applications to fail
+  in the presence of a Xerces upgrade. For example, the default value of DISALLOW_DOCTYPE_DECL_FEATURE is
+  true, which means that DTDs cannot be used. <emphasis role="bold">It follows that additional configuration
+  may be necessary to preserve the functionality of existing applications.</emphasis>
+</para>
+
+</section>
-Original file line number
+Diff line change
@@ Expand Up / @@ -3,3 +3,4 @@ @@
     /out.xml
     /target
     *.iml
+    /bin/