java xml xslt java-ee-7 xalan

Extension Functions cannot be used when Secure feature processing is set to true


Hello, I am trying to implement XML transformation using XSLT (v1) in a secure manner. I am working in a Java EE 7 environment, using Wildfly 10 and an Oracle JDK 8 (1.8.0_151). In order to customize the presentation of the XML to my needs, I use an XSL stylesheet which references a method I created. The problem is that when I set the security feature to TRUE, I get the following exception:

    javax.xml.transform.TransformerException with message: Use of the extension function 'xalan://com.mycompany.mypkg.easyprint.helpers.MyClass:myMethod' is not allowed when the secure processing feature is set to true

From the other posts I read, there is a feature that needs to be configured on the TransformerFactory, so I set it.

    TransformerFactory tf = TransformerFactory.newInstance();
    tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    tf.setFeature("http://www.oracle.com/xml/jaxp/properties/enableExtensionFunctions", true);

However, when I run my application I get the following exception:

    javax.xml.transform.TransformerConfigurationException: Cannot set the feature 'http://www.oracle.com/xml/jaxp/properties/enableExtensionFunctions' on this TransformerFactory.

Any suggestions?


Solution

  • If you trust the stylesheet enough to allow calls on external Java functions, then you trust it enough that you don't need to set the SECURE_PROCESSING feature.

    However, if you have no choice but to set the SECURE_PROCESSING feature, you could use the Saxon option that allows the stylesheet to call Java extensions that have been pre-registered through the processor API. This allows the stylesheet to call only those extensions that the application has explicitly authorised. This is done using the s9api API call Processor.registerExtensionFunction() and the Java extension must be written to this Saxon interface.
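
The pre-registration approach described in the answer, as an added example (not code from the question or the answer). It assumes Saxon 9.9 or later on the classpath; the namespace urn:example:easyprint, the class name, the sample stylesheet and XML, and the upper-casing body of myMethod are all constructed for illustration.

```java
import net.sf.saxon.lib.Feature;
import net.sf.saxon.s9api.*;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class RegisteredExtensionDemo {
    // Hypothetical namespace: it names no Java class, unlike a xalan:// URI.
    static final String NS = "urn:example:easyprint";

    // Constructed sample stylesheet and input document.
    static final String XSL =
        "<xsl:stylesheet version='1.0'"
      + " xmlns:xsl='http://www.w3.org/1999/XSL/Transform' xmlns:ep='" + NS + "'"
      + " exclude-result-prefixes='ep'>"
      + "<xsl:template match='/item'>"
      + "<out><xsl:value-of select='ep:myMethod(string(name))'/></out>"
      + "</xsl:template></xsl:stylesheet>";
    static final String XML = "<item><name>widget</name></item>";

    // The only Java code the stylesheet can reach: one function, one typed argument.
    static final ExtensionFunction MY_METHOD = new ExtensionFunction() {
        public QName getName() { return new QName(NS, "myMethod"); }
        public SequenceType getResultType() {
            return SequenceType.makeSequenceType(ItemType.STRING, OccurrenceIndicator.ONE);
        }
        public SequenceType[] getArgumentTypes() {
            return new SequenceType[] {
                SequenceType.makeSequenceType(ItemType.STRING, OccurrenceIndicator.ONE) };
        }
        public XdmValue call(XdmValue[] args) {
            String in = args[0].itemAt(0).getStringValue();
            return new XdmAtomicValue(in.toUpperCase()); // stand-in for the real helper
        }
    };

    public static void main(String[] argv) throws SaxonApiException {
        Processor proc = new Processor(false);
        // Refuse reflexive calls into arbitrary Java classes from the stylesheet.
        proc.setConfigurationProperty(Feature.ALLOW_EXTERNAL_FUNCTIONS, false);
        // Explicitly authorise the single function registered by the application.
        proc.registerExtensionFunction(MY_METHOD);
        XsltTransformer t = proc.newXsltCompiler()
            .compile(new StreamSource(new StringReader(XSL))).load();
        StringWriter out = new StringWriter();
        t.setSource(new StreamSource(new StringReader(XML)));
        t.setDestination(proc.newSerializer(out));
        t.transform();
        System.out.println(out);
    }
}
```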