New Properties

JAXP 1.5 defines three new properties that can be used to regulate whether or not XML processors resolve external resources as listed above. The properties are:

  • javax\.xml\.XMLConstants\.ACCESS_EXTERNAL_DTD

  • javax\.xml\.XMLConstants\.ACCESS_EXTERNAL_SCHEMA

  • javax\.xml\.XMLConstants\.ACCESS_EXTERNAL_STYLESHEET

These API properties have corresponding system properties and jaxp.properties.

ACCESS_EXTERNAL_DTD

Name : http://javax\.xml\.XMLConstants/property/accessExternalDTD
Definition : Restrict access to external DTDs, external Entity References to the protocols specified.
Value : see Values of the Properties
Default value : all , connection permitted to all protocols.
System property : javax\.xml\.accessExternalDTD

ACCESS_EXTERNAL_SCHEMA

Name : http://javax\.xml\.XMLConstants/property/accessExternalSchema
Definition : restrict access to the protocols specified for external reference set by the schemaLocation attribute, Import and Include element.
Value : see Values of the Properties
Default value : all , connection permitted to all protocols.
System property : javax\.xml\.accessExternalSchema

ACCESS_EXTERNAL_STYLESHEET

Name : http://javax\.xml\.XMLConstants/property/accessExternalStylesheet
Definition : restrict access to the protocols specified for external reference set by the stylesheet processing instruction, document function, Import and Include element.
Value : see Values of the Properties
Default value : all , connection permitted to all protocols.
System property : javax\.xml\.accessExternalStylesheet

${java.home}/lib/jaxp.properties

These properties can be specified in jaxp\.properties to define the behavior for all applications using the Java Runtime. The format is property\-name=\[value\]\[,value\]\* . For example:

javax.xml.accessExternalDTD=file,http

The property names are the same as those of the system properties: javax\.xml\.accessExternalDTD , javax\.xml\.accessExternalSchema , and javax\.xml\.accessExternalStylesheet .

Values of the Properties

All of the properties have values in the same format.

Value : a list of protocols separated by comma. A protocol is the scheme portion of an URI, or in the case of the JAR protocol, "jar" plus the scheme portion separated by colon. A scheme is defined as:

scheme = alpha \*\( alpha \| digit \| "+" \| "\-" \| "\." \)
where alpha = a-z and A-Z.

And the JAR protocol:
jar\[:scheme\]

Protocols are case-insensitive. Any whitespaces as defined by Character\.isSpaceChar in the value will be ignored. Examples of protocols are file , http , jar:file .

Default value : the default value is implementation specific. In JAXP 1.5 RI, Java SE 7u40, and Java SE 8, the default value is all , granting permissions to all protocols.

Granting all access : the keyword all grants permission to all protocols. For example, setting javax\.xml\.accessExternalDTD=all in jaxp\.properties would allow a system to work as before with no restrictions on accessing external DTDs and Entity References.

Denying any access : an empty string, that is, "", means no permission is granted to any protocol. For example, setting javax\.xml\.accessExternalDTD="" in jaxp\.properties would instruct the JAXP processors to deny any external connections.