From ab842b74b949b6fbeea8a67ee6b044884d3cca2b Mon Sep 17 00:00:00 2001
From: Josh Cummings
Date: Fri, 2 Aug 2024 12:53:52 -0600
Subject: [PATCH] Use OpenSAML ParserPool Defaults

Originally, Spring Security turned off various features XML parsing feature for the underlying DocumentBuilderFactory that OpenSAML uses. Both OpenSAML 4 and 5 set these values by default, so we can safely accept the defaults at this point.

Issue gh-11658
---
 .../core/OpenSamlInitializationService.java | 27 -------------------
 1 file changed, 27 deletions(-)

diff --git a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/OpenSamlInitializationService.java b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/OpenSamlInitializationService.java
index 0b2645fe98..8e63df8e40 100644
--- a/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/OpenSamlInitializationService.java
+++ b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/OpenSamlInitializationService.java
@@ -16,20 +16,14 @@ package org.springframework.security.saml2.core;
-import java.util.HashMap;
-import java.util.Map;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.function.Consumer;
-import javax.xml.XMLConstants;
-
-import net.shibboleth.utilities.java.support.xml.BasicParserPool;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.opensaml.core.config.ConfigurationService;
 import org.opensaml.core.config.InitializationService;
 import org.opensaml.core.xml.config.XMLObjectProviderRegistry;
-import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
 import org.springframework.security.saml2.Saml2Exception;
@@ -124,16 +118,6 @@ public final class OpenSamlInitializationService {
 catch (Exception ex) {
 throw new Saml2Exception(ex);
 }
- BasicParserPool parserPool = new BasicParserPool();
- parserPool.setMaxPoolSize(50);
- parserPool.setBuilderFeatures(getParserBuilderFeatures());
- try {
- parserPool.initialize();
- }
- catch (Exception ex) {
- throw new Saml2Exception(ex);
- }
- XMLObjectProviderRegistrySupport.setParserPool(parserPool);
 registryConsumer.accept(ConfigurationService.get(XMLObjectProviderRegistry.class));
 log.debug("Initialized OpenSAML");
 return true;
@@ -142,15 +126,4 @@ public final class OpenSamlInitializationService {
 return false;
 }
- private static Map getParserBuilderFeatures() {
- Map parserBuilderFeatures = new HashMap<>();
- parserBuilderFeatures.put("http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE);
- parserBuilderFeatures.put(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
- parserBuilderFeatures.put("http://xml.org/sax/features/external-general-entities", Boolean.FALSE);
- parserBuilderFeatures.put("http://apache.org/xml/features/validation/schema/normalized-value", Boolean.FALSE);
- parserBuilderFeatures.put("http://xml.org/sax/features/external-parameter-entities", Boolean.FALSE);
- parserBuilderFeatures.put("http://apache.org/xml/features/dom/defer-node-expansion", Boolean.FALSE);
- return parserBuilderFeatures;
- }
-
 }
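Review bot: With the BasicParserPool setup removed from initialize() in this hunk, the DOCTYPE, external-entity and secure-processing hardening that getParserBuilderFeatures() used to enforce now rests entirely on whatever parser pool OpenSAML's own initializers register during InitializationService.initialize(), and nothing in the new code asserts that such a pool is present or configured that way. If that initializer is missing from the classpath, an application later replaces the pool, or a future OpenSAML release relaxes its defaults, this class would silently accept less restrictive parsing. Consider a regression test that, after initialize(), obtains the pool via XMLObjectProviderRegistrySupport.getParserPool() and verifies it rejects a document carrying a DOCTYPE declaration, plus a class-level Javadoc sentence such as `XML parser hardening (DOCTYPE and external entities disabled, secure processing enabled) is delegated to OpenSAML's default parser pool.` The setMaxPoolSize(50) call also disappears, so the pool size now follows OpenSAML's default, which may differ from 50 and is worth a note in the commit message. The enclosing initialize() body starts before this hunk, and the same observation covers the getParserBuilderFeatures() removal in the hunk that follows.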