KickJava   Java API By Example, From Geeks To Geeks.

Java > Open Source Codes > com > sun > org > apache > xerces > internal > util > SecurityManager


1 /*
2  * The Apache Software License, Version 1.1
3  *
4  *
5  * Copyright (c) 2003 The Apache Software Foundation.
6  * All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  * notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  * notice, this list of conditions and the following disclaimer in
17  * the documentation and/or other materials provided with the
18  * distribution.
19  *
20  * 3. The end-user documentation included with the redistribution,
21  * if any, must include the following acknowledgment:
22  * "This product includes software developed by the
23  * Apache Software Foundation (http://www.apache.org/)."
24  * Alternately, this acknowledgment may appear in the software itself,
25  * if and wherever such third-party acknowledgments normally appear.
26  *
27  * 4. The names "Xerces" and "Apache Software Foundation" must
28  * not be used to endorse or promote products derived from this
29  * software without prior written permission. For written
30  * permission, please contact apache@apache.org.
31  *
32  * 5. Products derived from this software may not be called "Apache",
33  * nor may "Apache" appear in their name, without prior written
34  * permission of the Apache Software Foundation.
35  *
36  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
37  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
38  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
39  * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
40  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
42  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
43  * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
44  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
45  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
46  * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
47  * SUCH DAMAGE.
48  * ====================================================================
49  *
50  * This software consists of voluntary contributions made by many
51  * individuals on behalf of the Apache Software Foundation and was
52  * originally based on software copyright (c) 1999, International
53  * Business Machines, Inc., http://www.apache.org. For more
54  * information on the Apache Software Foundation, please see
55  * <http://www.apache.org/>.
56  */

57
58 package com.sun.org.apache.xerces.internal.util;
59 import com.sun.org.apache.xerces.internal.impl.Constants;
60 /**
61  * This class is a container for parser settings that relate to
62  * security, or more specifically, it is intended to be used to prevent denial-of-service
63  * attacks from being launched against a system running Xerces.
64  * Any component that is aware of a denial-of-service attack that can arise
65  * from its processing of a certain kind of document may query its Component Manager
66  * for the property (http://apache.org/xml/properties/security-manager)
67  * whose value will be an instance of this class.
68  * If no value has been set for the property, the component should proceed in the "usual" (spec-compliant)
69  * manner. If a value has been set, then it must be the case that the component in
70  * question needs to know what method of this class to query. This class
71  * will provide defaults for all known security issues, but will also provide
72  * setters so that those values can be tailored by applications that care.
73  *
74  * @author Neil Graham, IBM
75  *
76  * @version $Id: SecurityManager.java,v 1.5 2004/03/23 01:23:41 mrglavas Exp $
77  */

78 public final class SecurityManager {
79
80     //
81
// Constants
82
//
83

84     // default value for entity expansion limit
85
private final static int DEFAULT_ENTITY_EXPANSION_LIMIT = 64000;
86     
87     /** Default value of number of nodes created. **/
88     private final static int DEFAULT_MAX_OCCUR_NODE_LIMIT = 3000;
89
90     //
91
// Data
92
//
93

94     private final static int DEFAULT_ELEMENT_ATTRIBUTE_LIMIT = 10000;
95
96     /** Entity expansion limit. **/
97     private int entityExpansionLimit;
98     
99     /** W3C XML Schema maxOccurs limit. **/
100     private int maxOccurLimit;
101
102     private int fElementAttributeLimit;
103     // default constructor. Establishes default values for
104
// all known security holes.
105
/**
106      * Default constructor. Establishes default values
107      * for known security vulnerabilities.
108      */

109     public SecurityManager() {
110         entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
111         maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT ;
112         fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
113         //We are reading system properties only once ,
114
//at the time of creation of this object ,
115
readSystemProperties();
116     }
117
118     /**
119      * <p>Sets the number of entity expansions that the
120      * parser should permit in a document.</p>
121      *
122      * @param limit the number of entity expansions
123      * permitted in a document
124      */

125     public void setEntityExpansionLimit(int limit) {
126         entityExpansionLimit = limit;
127     }
128
129     /**
130      * <p>Returns the number of entity expansions
131      * that the parser permits in a document.</p>
132      *
133      * @return the number of entity expansions
134      * permitted in a document
135      */

136     public int getEntityExpansionLimit() {
137         return entityExpansionLimit;
138     }
139     
140     /**
141      * <p>Sets the limit of the number of content model nodes
142      * that may be created when building a grammar for a W3C
143      * XML Schema that contains maxOccurs attributes with values
144      * other than "unbounded".</p>
145      *
146      * @param limit the maximum value for maxOccurs other
147      * than "unbounded"
148      */

149     public void setMaxOccurNodeLimit(int limit){
150         maxOccurLimit = limit;
151     }
152     
153     /**
154      * <p>Returns the limit of the number of content model nodes
155      * that may be created when building a grammar for a W3C
156      * XML Schema that contains maxOccurs attributes with values
157      * other than "unbounded".</p>
158      *
159      * @return the maximum value for maxOccurs other
160      * than "unbounded"
161      */

162     public int getMaxOccurNodeLimit(){
163         return maxOccurLimit;
164     }
165
166     public int getElementAttrLimit(){
167         return fElementAttributeLimit;
168     }
169     
170     public void setElementAttrLimit(int limit){
171         fElementAttributeLimit = limit;
172     }
173
174     private void readSystemProperties(){
175
176         //TODO: also read SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT
177
try {
178             String JavaDoc value = System.getProperty(Constants.ENTITY_EXPANSION_LIMIT);
179             if(value != null && !value.equals("")){
180                 entityExpansionLimit = Integer.parseInt(value);
181                 if (entityExpansionLimit < 0)
182                     entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
183             }
184             else
185                 entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
186         }catch(Exception JavaDoc ex){}
187
188         try {
189             String JavaDoc value = System.getProperty(Constants.MAX_OCCUR_LIMIT);
190             if(value != null && !value.equals("")){
191                 maxOccurLimit = Integer.parseInt(value);
192                 if (maxOccurLimit < 0)
193                     maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT;
194             }
195             else
196                 maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT;
197         }catch(Exception JavaDoc ex){}
198
199         try {
200             String JavaDoc value = System.getProperty(Constants.SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT);
201             if(value != null && !value.equals("")){
202                 fElementAttributeLimit = Integer.parseInt(value);
203                 if ( fElementAttributeLimit < 0)
204                     fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
205             }
206             else
207                 fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
208
209         }catch(Exception JavaDoc ex){}
210
211     }
212     
213 } // class SecurityManager
214

215
Popular Tags