GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Use OpenSAML ParserPool Defaults 

Originally, Spring Security turned off various features
XML parsing feature for the underlying DocumentBuilderFactory
that OpenSAML uses.

Both OpenSAML 4 and 5 set these values by default, so we
can safely accept the defaults at this point.

Issue gh-11658
pull/15531/head
Josh Cummings 1 year ago
parent
bc8ba7f3b7
commit
ab842b74b9
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
1 changed files with 0 additions and 27 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 27
      saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/OpenSamlInitializationService.java

27
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/OpenSamlInitializationService.java
Unescape View File

@ -16,20 +16,14 @@ @@ -16,20 +16,14 @@
package org.springframework.security.saml2.core;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Consumer;
import javax.xml.XMLConstants;
import net.shibboleth.utilities.java.support.xml.BasicParserPool;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.config.InitializationService;
import org.opensaml.core.xml.config.XMLObjectProviderRegistry;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.springframework.security.saml2.Saml2Exception;
@ -124,16 +118,6 @@ public final class OpenSamlInitializationService { @@ -124,16 +118,6 @@ public final class OpenSamlInitializationService {
catch (Exception ex) {
throw new Saml2Exception(ex);
}
BasicParserPool parserPool = new BasicParserPool();
parserPool.setMaxPoolSize(50);
parserPool.setBuilderFeatures(getParserBuilderFeatures());
try {
parserPool.initialize();
}
catch (Exception ex) {
throw new Saml2Exception(ex);
}
XMLObjectProviderRegistrySupport.setParserPool(parserPool);
registryConsumer.accept(ConfigurationService.get(XMLObjectProviderRegistry.class));
log.debug("Initialized OpenSAML");
return true;
@ -142,15 +126,4 @@ public final class OpenSamlInitializationService { @@ -142,15 +126,4 @@ public final class OpenSamlInitializationService {
return false;
}
private static Map<String, Boolean> getParserBuilderFeatures() {
Map<String, Boolean> parserBuilderFeatures = new HashMap<>();
parserBuilderFeatures.put("http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE);
parserBuilderFeatures.put(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
parserBuilderFeatures.put("http://xml.org/sax/features/external-general-entities", Boolean.FALSE);
parserBuilderFeatures.put("http://apache.org/xml/features/validation/schema/normalized-value", Boolean.FALSE);
parserBuilderFeatures.put("http://xml.org/sax/features/external-parameter-entities", Boolean.FALSE);
parserBuilderFeatures.put("http://apache.org/xml/features/dom/defer-node-expansion", Boolean.FALSE);
return parserBuilderFeatures;
}
}

Write Preview
Loading…
Cancel
Save