You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@karaf.apache.org by John Taylor <jt...@gmail.com> on 2019/01/04 23:44:53 UTC

Karaf 4.2.2 blueprint install with Saxon bundle

Hi All,

I use Karaf as a runtime to host my Apache Camel routes. They are
mostly plain blueprint .xmls that are installed and deployed with the
blueprint handler.  I make heavy use of xsl tranformations and have in
the past used Xalan but am moving to Saxon for xslt/xpath 2.0.

On 4.2.1 I don't have any issues installing and using either Xalan or
Saxon bundles, but on 4.2.2, once either are installed I can no longer
install through blueprint. It looks to be the result of the change for
"Set the secure processing feature on TransformerFactory instances" in
XmlUtils in commit de4c413925379913ffb3bf96ead7edc2dba98d4b. That
commit sets XMLConstants.ACCESS_EXTERNAL_DTD and neither Xalan nor
Saxon support that property. From what I've read searching for that
error I believe external DTD isn't in the purview of transformation
but in the document parser.

Note that it is after a restart of Karaf after installing Saxon that I
get the exception when trying to install another blueprint bundle. I
believe a transfomer is already created from the default
com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImp.

Has anyone else seen this?

Thanks.
-John


2018-12-31T16:17:31,853 | ERROR |
fileinstall-/opt/sgscamel/karaf/apache-karaf-4.2.2/deploy |
BlueprintURLHandler              | 63 -
org.apache.karaf.deployer.blueprint - 4.2.2 | Error opening blueprint
xml url
java.lang.IllegalArgumentException: Unknown configuration property
http://javax.xml.XMLConstants/property/accessExternalDTD
        at net.sf.saxon.Configuration.setConfigurationProperty(Configuration.java:4644)
~[?:?]
        at net.sf.saxon.s9api.Processor.setConfigurationProperty(Processor.java:352)
~[?:?]
        at net.sf.saxon.jaxp.SaxonTransformerFactory.setAttribute(SaxonTransformerFactory.java:306)
~[?:?]
        at org.apache.karaf.util.XmlUtils.transformer(XmlUtils.java:154)
~[63:org.apache.karaf.deployer.blueprint:4.2.2]
        at org.apache.karaf.util.XmlUtils.transform(XmlUtils.java:96)
~[63:org.apache.karaf.deployer.blueprint:4.2.2]
        at org.apache.karaf.deployer.blueprint.BlueprintTransformer.analyze(BlueprintTransformer.java:129)
~[63:org.apache.karaf.deployer.blueprint:4.2.2]
        at org.apache.karaf.deployer.blueprint.BlueprintTransformer.transform(BlueprintTransformer.java:71)
~[63:org.apache.karaf.deployer.blueprint:4.2.2]
        at org.apache.karaf.deployer.blueprint.BlueprintURLHandler$Connection.getInputStream(BlueprintURLHandler.java:73)
[63:org.apache.karaf.deployer.blueprint:4.2.2]
        at java.net.URL.openStream(URL.java:1045) [?:?]
        at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:962)
[10:org.apache.felix.fileinstall:3.6.4]
        at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:884)
[10:org.apache.felix.fileinstall:3.6.4]
        at org.apache.felix.fileinstall.internal.DirectoryWatcher.doProcess(DirectoryWatcher.java:489)
[10:org.apache.felix.fileinstall:3.6.4]
        at org.apache.felix.fileinstall.internal.DirectoryWatcher.process(DirectoryWatcher.java:365)
[10:org.apache.felix.fileinstall:3.6.4]
        at org.apache.felix.fileinstall.internal.DirectoryWatcher.run(DirectoryWatcher.java:316)
[10:org.apache.felix.fileinstall:3.6.4]
2018-12-31T16:17:31,881 | ERROR |
fileinstall-/opt/sgscamel/karaf/apache-karaf-4.2.2/deploy |
fileinstall                      | 10 - org.apache.felix.fileinstall -
3.6.4 | Failed to install artifact:
/opt/sgscamel/karaf/apache-karaf-4.2.2/deploy/connectionfactory-amq1.xml
java.io.IOException: Error opening blueprint xml url
        at org.apache.karaf.deployer.blueprint.BlueprintURLHandler$Connection.getInputStream(BlueprintURLHandler.java:78)
~[?:?]
        at java.net.URL.openStream(URL.java:1045) ~[?:?]
        at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:962)
[10:org.apache.felix.fileinstall:3.6.4]
        at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:884)
[10:org.apache.felix.fileinstall:3.6.4]
        at org.apache.felix.fileinstall.internal.DirectoryWatcher.doProcess(DirectoryWatcher.java:489)
[10:org.apache.felix.fileinstall:3.6.4]
        at org.apache.felix.fileinstall.internal.DirectoryWatcher.process(DirectoryWatcher.java:365)
[10:org.apache.felix.fileinstall:3.6.4]
        at org.apache.felix.fileinstall.internal.DirectoryWatcher.run(DirectoryWatcher.java:316)
[10:org.apache.felix.fileinstall:3.6.4]
Caused by: java.lang.IllegalArgumentException: Unknown configuration
property http://javax.xml.XMLConstants/property/accessExternalDTD
        at net.sf.saxon.Configuration.setConfigurationProperty(Configuration.java:4644)
~[?:?]
        at net.sf.saxon.s9api.Processor.setConfigurationProperty(Processor.java:352)
~[?:?]
        at net.sf.saxon.jaxp.SaxonTransformerFactory.setAttribute(SaxonTransformerFactory.java:306)
~[?:?]
        at org.apache.karaf.util.XmlUtils.transformer(XmlUtils.java:154) ~[?:?]
        at org.apache.karaf.util.XmlUtils.transform(XmlUtils.java:96) ~[?:?]
        at org.apache.karaf.deployer.blueprint.BlueprintTransformer.analyze(BlueprintTransformer.java:129)
~[?:?]
        at org.apache.karaf.deployer.blueprint.BlueprintTransformer.transform(BlueprintTransformer.java:71)
~[?:?]
        at org.apache.karaf.deployer.blueprint.BlueprintURLHandler$Connection.getInputStream(BlueprintURLHandler.java:73)
~[?:?]
        ... 6 more

Re: Karaf 4.2.2 blueprint install with Saxon bundle

Posted by Jean-Baptiste Onofré <jb...@nanthrax.net>.

Hi John,

I changed the TransformerFactory to prevent XXE by basically doing:

TransformerFactory tf = TransformerFactory.newInstance();
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

I did the same trick for transformer factory, validator, schema factory,
sax transformer factory.
For SAX XMLReader, I should go via feature.

Let me do a new pass on that.

Regards
JB


On 05/01/2019 00:44, John Taylor wrote:
> Hi All,
> 
> I use Karaf as a runtime to host my Apache Camel routes. They are
> mostly plain blueprint .xmls that are installed and deployed with the
> blueprint handler.  I make heavy use of xsl tranformations and have in
> the past used Xalan but am moving to Saxon for xslt/xpath 2.0.
> 
> On 4.2.1 I don't have any issues installing and using either Xalan or
> Saxon bundles, but on 4.2.2, once either are installed I can no longer
> install through blueprint. It looks to be the result of the change for
> "Set the secure processing feature on TransformerFactory instances" in
> XmlUtils in commit de4c413925379913ffb3bf96ead7edc2dba98d4b. That
> commit sets XMLConstants.ACCESS_EXTERNAL_DTD and neither Xalan nor
> Saxon support that property. From what I've read searching for that
> error I believe external DTD isn't in the purview of transformation
> but in the document parser.
> 
> Note that it is after a restart of Karaf after installing Saxon that I
> get the exception when trying to install another blueprint bundle. I
> believe a transfomer is already created from the default
> com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImp.
> 
> Has anyone else seen this?
> 
> Thanks.
> -John
> 
> 
> 2018-12-31T16:17:31,853 | ERROR |
> fileinstall-/opt/sgscamel/karaf/apache-karaf-4.2.2/deploy |
> BlueprintURLHandler              | 63 -
> org.apache.karaf.deployer.blueprint - 4.2.2 | Error opening blueprint
> xml url
> java.lang.IllegalArgumentException: Unknown configuration property
> http://javax.xml.XMLConstants/property/accessExternalDTD
>         at net.sf.saxon.Configuration.setConfigurationProperty(Configuration.java:4644)
> ~[?:?]
>         at net.sf.saxon.s9api.Processor.setConfigurationProperty(Processor.java:352)
> ~[?:?]
>         at net.sf.saxon.jaxp.SaxonTransformerFactory.setAttribute(SaxonTransformerFactory.java:306)
> ~[?:?]
>         at org.apache.karaf.util.XmlUtils.transformer(XmlUtils.java:154)
> ~[63:org.apache.karaf.deployer.blueprint:4.2.2]
>         at org.apache.karaf.util.XmlUtils.transform(XmlUtils.java:96)
> ~[63:org.apache.karaf.deployer.blueprint:4.2.2]
>         at org.apache.karaf.deployer.blueprint.BlueprintTransformer.analyze(BlueprintTransformer.java:129)
> ~[63:org.apache.karaf.deployer.blueprint:4.2.2]
>         at org.apache.karaf.deployer.blueprint.BlueprintTransformer.transform(BlueprintTransformer.java:71)
> ~[63:org.apache.karaf.deployer.blueprint:4.2.2]
>         at org.apache.karaf.deployer.blueprint.BlueprintURLHandler$Connection.getInputStream(BlueprintURLHandler.java:73)
> [63:org.apache.karaf.deployer.blueprint:4.2.2]
>         at java.net.URL.openStream(URL.java:1045) [?:?]
>         at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:962)
> [10:org.apache.felix.fileinstall:3.6.4]
>         at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:884)
> [10:org.apache.felix.fileinstall:3.6.4]
>         at org.apache.felix.fileinstall.internal.DirectoryWatcher.doProcess(DirectoryWatcher.java:489)
> [10:org.apache.felix.fileinstall:3.6.4]
>         at org.apache.felix.fileinstall.internal.DirectoryWatcher.process(DirectoryWatcher.java:365)
> [10:org.apache.felix.fileinstall:3.6.4]
>         at org.apache.felix.fileinstall.internal.DirectoryWatcher.run(DirectoryWatcher.java:316)
> [10:org.apache.felix.fileinstall:3.6.4]
> 2018-12-31T16:17:31,881 | ERROR |
> fileinstall-/opt/sgscamel/karaf/apache-karaf-4.2.2/deploy |
> fileinstall                      | 10 - org.apache.felix.fileinstall -
> 3.6.4 | Failed to install artifact:
> /opt/sgscamel/karaf/apache-karaf-4.2.2/deploy/connectionfactory-amq1.xml
> java.io.IOException: Error opening blueprint xml url
>         at org.apache.karaf.deployer.blueprint.BlueprintURLHandler$Connection.getInputStream(BlueprintURLHandler.java:78)
> ~[?:?]
>         at java.net.URL.openStream(URL.java:1045) ~[?:?]
>         at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:962)
> [10:org.apache.felix.fileinstall:3.6.4]
>         at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:884)
> [10:org.apache.felix.fileinstall:3.6.4]
>         at org.apache.felix.fileinstall.internal.DirectoryWatcher.doProcess(DirectoryWatcher.java:489)
> [10:org.apache.felix.fileinstall:3.6.4]
>         at org.apache.felix.fileinstall.internal.DirectoryWatcher.process(DirectoryWatcher.java:365)
> [10:org.apache.felix.fileinstall:3.6.4]
>         at org.apache.felix.fileinstall.internal.DirectoryWatcher.run(DirectoryWatcher.java:316)
> [10:org.apache.felix.fileinstall:3.6.4]
> Caused by: java.lang.IllegalArgumentException: Unknown configuration
> property http://javax.xml.XMLConstants/property/accessExternalDTD
>         at net.sf.saxon.Configuration.setConfigurationProperty(Configuration.java:4644)
> ~[?:?]
>         at net.sf.saxon.s9api.Processor.setConfigurationProperty(Processor.java:352)
> ~[?:?]
>         at net.sf.saxon.jaxp.SaxonTransformerFactory.setAttribute(SaxonTransformerFactory.java:306)
> ~[?:?]
>         at org.apache.karaf.util.XmlUtils.transformer(XmlUtils.java:154) ~[?:?]
>         at org.apache.karaf.util.XmlUtils.transform(XmlUtils.java:96) ~[?:?]
>         at org.apache.karaf.deployer.blueprint.BlueprintTransformer.analyze(BlueprintTransformer.java:129)
> ~[?:?]
>         at org.apache.karaf.deployer.blueprint.BlueprintTransformer.transform(BlueprintTransformer.java:71)
> ~[?:?]
>         at org.apache.karaf.deployer.blueprint.BlueprintURLHandler$Connection.getInputStream(BlueprintURLHandler.java:73)
> ~[?:?]
>         ... 6 more
> 

-- 
Jean-Baptiste Onofré
jbonofre@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com