13

I have the following code:

javax.xml.transform.TransformerFactory factory = TransformerFactory.newInstance();
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
javax.xml.transform.Transformer transformer = factory.newTransformer();

This works fine normally. However, I also need to add Xalan as a dependency in my pom.xml, and when I do, the above code now throws an error:

java.lang.IllegalArgumentException: Not supported: http://javax.xml.XMLConstants/property/accessExternalDTD

I think it has something to do with the fact that Xalan's jar has a different implementation of Transformer in it. How can I resolve this conflict without changing the above code and keeping Xalan as a dependency?

Velvet Carrot

7 Answers

14

Need to set the system-level property as below

System.setProperty("javax.xml.transform.TransformerFactory","com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl");
Prathamesh More
user2646103
  • 1
    this solution was the only one that helped me in the end, thanks! – Gregor Feb 08 '21 at 13:21
  • This solution works, could someone explain why?? – Rahul Apr 30 '21 at 12:50
  • 1
    @rahul This works because since whatever version of JDK it started supporting JAXP 1.5. Xerces only supports 1.4. By setting this property you specify that the implementation class should actually be the one from the JDK. This is fine as long as you do not use a different JDK that does not provide this class, like IBM JDK. – JSamir Nov 09 '21 at 12:26
  • I added this line of code in a static code block of the same class using the `TransformerFactory` but now I get this error in JUnit test cases `javax.xml.transform.TransformerFactoryConfigurationError: Provider org.apache.xalan.processor.TransformerFactoryImpl not found`. Please help to resolve. – tarekahf Mar 23 '23 at 00:26
5

Excluding Xerces from Xalan fixes this issue:

<dependency>
    <groupId>xalan</groupId>
    <artifactId>xalan</artifactId>
    <version>2.7.2</version>
    <exclusions>
        <exclusion>
            <groupId>xerces</groupId>
            <artifactId>xercesImpl</artifactId>
        </exclusion>
    </exclusions>
</dependency>
Velvet Carrot
3

This happens to my code because I am using Xalan's transformer factory from an external dependency.

TransformerFactory factory = TransformerFactory.newInstance();

I just specified that I will use the internal jars provided by AdoptOpenJdk

TransformerFactory factory = TransformerFactory.newInstance("com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl", null);
Leroy
  • It worked for me, I preferred this solution over the one with more preferences https://stackoverflow.com/a/64364531/2186777, less impact. Thank you. – fl4l Dec 07 '22 at 11:36
2

If you are using multiple XSL processors and/or different versions, you have to handle the case that not every implementation will be able to handle every attribute. The only way to do so is to catch the IllegalArgumentException that is thrown if the attribute is not supported. Take a look at this modified example from the JAXP documentation:

javax.xml.transform.TransformerFactory factory = TransformerFactory.newInstance();

try {
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
} catch (IllegalArgumentException e) {
    //jaxp 1.5 feature not supported
}

The documentation says:

When code change is possible, and for new development, it is recommended that the new properties be set as demonstrated above. By setting the properties this way, applications can be sure to maintain the desired behavior whether they are deployed to older or newer version of the JDK, or whether the properties are set through System Properties or jaxp.properties.

fhossfel
  • 1
    By using this solution, Sonar is still not satisfied and highlights it as a Blocker, saying 'xml parsers should not be vulnerable to xxe attacks' – Sumit Rane May 12 '21 at 04:57
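
A fail-closed variant of the try/catch above, as an added example that is not part of the original answer or of the JAXP documentation: an empty catch block leaves the resolved factory without the external-access restriction, so this version reports which implementation rejected the attribute and then falls back to the JDK's built-in factory. The class and method names (`HardenedTransformerFactory`, `origin`, `restrict`, `create`) are hypothetical; the JDK implementation class name is the one quoted in the other answers on this page.

```java
import java.security.CodeSource;
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;

public class HardenedTransformerFactory {
    // JDK-internal implementation, as named in the other answers on this page.
    private static final String JDK_IMPL =
            "com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl";

    /** Class name plus the jar it was loaded from, to spot a third-party provider. */
    static String origin(TransformerFactory f) {
        CodeSource cs = f.getClass().getProtectionDomain().getCodeSource();
        String where = (cs == null || cs.getLocation() == null)
                ? "JDK runtime" : cs.getLocation().toString();
        return f.getClass().getName() + " (" + where + ")";
    }

    /** Applies the restrictions; IllegalArgumentException means no JAXP 1.5 support. */
    static void restrict(TransformerFactory f) throws TransformerConfigurationException {
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
    }

    static TransformerFactory create() throws TransformerConfigurationException {
        TransformerFactory f = TransformerFactory.newInstance();
        try {
            restrict(f);
            return f;
        } catch (IllegalArgumentException e) {
            // Do not continue with an unrestricted factory; log and fall back.
            System.err.println("No JAXP 1.5 support in " + origin(f) + ": " + e.getMessage());
        }
        // If the JDK class is missing (some vendor JDKs) or also rejects the
        // attributes, the exception propagates and no factory is returned.
        TransformerFactory jdk = TransformerFactory.newInstance(JDK_IMPL, null);
        restrict(jdk);
        return jdk;
    }

    public static void main(String[] args) throws Exception {
        TransformerFactory f = create();
        System.out.println("Using " + origin(f));
        f.newTransformer(); // succeeds only with the restrictions applied
    }
}
```

With Xalan on the classpath, the stderr line names the Xalan factory class and the jar it came from, which also helps locate the dependency that pulled it in.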
1

I was facing a similar issue where an implementation from SaxonJ was being created in TransformerFactory::newInstance, giving me errors when trying to set attributes not supported by it.

Taking a look at the method documentation, I found out that TransformerFactory has a priority list where it tries to find an implementation to return.

The first place it looks for is in the system properties, so in my Ant file, inside my run target, I added the following (other libraries will have the same):

<jvmarg value="-Djavax.xml.transform.TransformerFactory=com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl"/>

This will make TransformerFactory::newInstance load the correct factory implementation.

Keep in mind that I was using OpenJDK8; you will have to find the correct package for other versions.

0

The solution that worked for me was by doing this:

compile('org.opensaml:opensaml:2.6.1') {
    exclude group: 'xerces', module: 'xercesImpl'
    exclude module: 'xalan'
}
double-beep
0

It might be coming from another Xalan version in your project.

Check the Dependency Hierarchy in your POM for xalan and exclude xercesImpl in all versions of xalan.

  • 1
    please, try limiting possibility in the comment section. We need to verify it. So it should be on the comment section. Thank you – parlad May 30 '19 at 12:49