SecurityManager


1   /*
2    * The Apache Software License, Version 1.1
3    *
4    *
5    * Copyright (c) 2003 The Apache Software Foundation.  
6    * All rights reserved.
7    *
8    * Redistribution and use in source and binary forms, with or without
9    * modification, are permitted provided that the following conditions
10   * are met:
11   *
12   * 1. Redistributions of source code must retain the above copyright
13   *    notice, this list of conditions and the following disclaimer. 
14   *
15   * 2. Redistributions in binary form must reproduce the above copyright
16   *    notice, this list of conditions and the following disclaimer in
17   *    the documentation and/or other materials provided with the
18   *    distribution.
19   *
20   * 3. The end-user documentation included with the redistribution,
21   *    if any, must include the following acknowledgment:  
22   *       "This product includes software developed by the
23   *        Apache Software Foundation (http://www.apache.org/)."
24   *    Alternately, this acknowledgment may appear in the software itself,
25   *    if and wherever such third-party acknowledgments normally appear.
26   *
27   * 4. The names "Xerces" and "Apache Software Foundation" must
28   *    not be used to endorse or promote products derived from this
29   *    software without prior written permission. For written 
30   *    permission, please contact apache@apache.org.
31   *
32   * 5. Products derived from this software may not be called "Apache",
33   *    nor may "Apache" appear in their name, without prior written
34   *    permission of the Apache Software Foundation.
35   *
36   * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
37   * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
38   * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
39   * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
40   * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41   * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
42   * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
43   * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
44   * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
45   * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
46   * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
47   * SUCH DAMAGE.
48   * ====================================================================
49   *
50   * This software consists of voluntary contributions made by many
51   * individuals on behalf of the Apache Software Foundation and was
52   * originally based on software copyright (c) 1999, International
53   * Business Machines, Inc., http://www.apache.org.  For more
54   * information on the Apache Software Foundation, please see
55   * <http://www.apache.org/>.
56   */
57  
58  package com.sun.org.apache.xerces.internal.util;
59  import com.sun.org.apache.xerces.internal.impl.Constants;
60  /**
61   * This class is a container for parser settings that relate to 
62   * security, or more specifically, it is intended to be used to prevent denial-of-service 
63   * attacks from being launched against a system running Xerces.  
64   * Any component that is aware of a denial-of-service attack that can arise
65   * from its processing of a certain kind of document may query its Component Manager
66   * for the property (http://apache.org/xml/properties/security-manager) 
67   * whose value will be an instance of this class.  
68   * If no value has been set for the property, the component should proceed in the "usual" (spec-compliant)
69   * manner.  If a value has been set, then it must be the case that the component in
70   * question needs to know what method of this class to query.  This class
71   * will provide defaults for all known security issues, but will also provide
72   * setters so that those values can be tailored by applications that care.
73   *
74   * @author  Neil Graham, IBM
75   *
76   * @version $Id: SecurityManager.java,v 1.5 2004/03/23 01:23:41 mrglavas Exp $
77   */
78  public final class SecurityManager {
79  
80      //
81      // Constants
82      //
83  
84      // default value for entity expansion limit
85      private final static int DEFAULT_ENTITY_EXPANSION_LIMIT = 64000;
86      
87      /** Default value of number of nodes created. **/
88      private final static int DEFAULT_MAX_OCCUR_NODE_LIMIT = 3000;
89  
90      //
91      // Data
92      //
93      
94      private final static int DEFAULT_ELEMENT_ATTRIBUTE_LIMIT = 10000;
95  
96      /** Entity expansion limit. **/
97      private int entityExpansionLimit;
98      
99      /** W3C XML Schema maxOccurs limit. **/
100     private int maxOccurLimit;
101 
102     private int fElementAttributeLimit;
103     // default constructor.  Establishes default values for
104     // all known security holes.  
105     /**
106      * Default constructor.  Establishes default values 
107      * for known security vulnerabilities.
108      */  
109     public SecurityManager() {
110         entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
111         maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT ;
112         fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
113         //We are reading system properties only once ,
114         //at the time of creation of this object ,
115         readSystemProperties();
116     }
117 
118     /**
119      * <p>Sets the number of entity expansions that the
120      * parser should permit in a document.</p>
121      *
122      * @param limit the number of entity expansions
123      * permitted in a document
124      */
125     public void setEntityExpansionLimit(int limit) {
126         entityExpansionLimit = limit;
127     }
128 
129     /**
130      * <p>Returns the number of entity expansions 
131      * that the parser permits in a document.</p>
132      *
133      * @return the number of entity expansions
134      * permitted in a document
135      */
136     public int getEntityExpansionLimit() {
137         return entityExpansionLimit;
138     }
139     
140     /**
141      * <p>Sets the limit of the number of content model nodes 
142      * that may be created when building a grammar for a W3C 
143      * XML Schema that contains maxOccurs attributes with values
144      * other than "unbounded".</p>
145      *
146      * @param limit the maximum value for maxOccurs other
147      * than "unbounded"
148      */
149     public void setMaxOccurNodeLimit(int limit){
150         maxOccurLimit = limit;
151     }
152     
153     /**
154      * <p>Returns the limit of the number of content model nodes 
155      * that may be created when building a grammar for a W3C 
156      * XML Schema that contains maxOccurs attributes with values
157      * other than "unbounded".</p>
158      *
159      * @return the maximum value for maxOccurs other
160      * than "unbounded"
161      */ 
162     public int getMaxOccurNodeLimit(){
163         return maxOccurLimit;    
164     }
165 
166     public int getElementAttrLimit(){
167         return fElementAttributeLimit;
168     }
169     
170     public void setElementAttrLimit(int limit){ 
171         fElementAttributeLimit = limit;
172     }
173 
174     private void readSystemProperties(){
175 
176         //TODO: also read SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT
177         try {
178             String   value = System.getProperty(Constants.ENTITY_EXPANSION_LIMIT);
179             if(value != null && !value.equals("")){
180                 entityExpansionLimit = Integer.parseInt(value);
181                 if (entityExpansionLimit < 0)
182                     entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
183             }
184             else
185                 entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
186         }catch(Exception   ex){}
187 
188         try {
189             String   value = System.getProperty(Constants.MAX_OCCUR_LIMIT);
190             if(value != null && !value.equals("")){
191                 maxOccurLimit = Integer.parseInt(value);
192                 if (maxOccurLimit < 0)
193                     maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT;
194             }
195             else
196                 maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT;
197         }catch(Exception   ex){}
198 
199         try {
200             String   value = System.getProperty(Constants.SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT);
201             if(value != null && !value.equals("")){
202                 fElementAttributeLimit = Integer.parseInt(value);
203                 if ( fElementAttributeLimit < 0)
204                     fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
205             }
206             else
207                 fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
208 
209         }catch(Exception   ex){}
210 
211     }
212     
213 } // class SecurityManager
214 
215
A to Z: JavaDoc & Examples Daily Java News & Articles Open Source Projects Open Source Codes Free Computer Books Remove Frame
Popular Tags