
Use OpenSAML ParserPool Defaults

Originally, Spring Security turned off various XML parsing features
on the underlying DocumentBuilderFactory that OpenSAML uses.

Both OpenSAML 4 and 5 set these values by default, so we
can safely accept the defaults at this point.

Issue gh-11658
Josh Cummings 1 year ago
parent
commit
ab842b74b9

+ 0 - 27
saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/core/OpenSamlInitializationService.java

@@ -16,20 +16,14 @@
 
 package org.springframework.security.saml2.core;
 
-import java.util.HashMap;
-import java.util.Map;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.function.Consumer;
 
-import javax.xml.XMLConstants;
-
-import net.shibboleth.utilities.java.support.xml.BasicParserPool;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.opensaml.core.config.ConfigurationService;
 import org.opensaml.core.config.InitializationService;
 import org.opensaml.core.xml.config.XMLObjectProviderRegistry;
-import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
 
 import org.springframework.security.saml2.Saml2Exception;
 
@@ -124,16 +118,6 @@ public final class OpenSamlInitializationService {
 			catch (Exception ex) {
 				throw new Saml2Exception(ex);
 			}
-			BasicParserPool parserPool = new BasicParserPool();
-			parserPool.setMaxPoolSize(50);
-			parserPool.setBuilderFeatures(getParserBuilderFeatures());
-			try {
-				parserPool.initialize();
-			}
-			catch (Exception ex) {
-				throw new Saml2Exception(ex);
-			}
-			XMLObjectProviderRegistrySupport.setParserPool(parserPool);
 			registryConsumer.accept(ConfigurationService.get(XMLObjectProviderRegistry.class));
 			log.debug("Initialized OpenSAML");
 			return true;
@@ -142,15 +126,4 @@ public final class OpenSamlInitializationService {
 		return false;
 	}
 
-	private static Map<String, Boolean> getParserBuilderFeatures() {
-		Map<String, Boolean> parserBuilderFeatures = new HashMap<>();
-		parserBuilderFeatures.put("http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE);
-		parserBuilderFeatures.put(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
-		parserBuilderFeatures.put("http://xml.org/sax/features/external-general-entities", Boolean.FALSE);
-		parserBuilderFeatures.put("http://apache.org/xml/features/validation/schema/normalized-value", Boolean.FALSE);
-		parserBuilderFeatures.put("http://xml.org/sax/features/external-parameter-entities", Boolean.FALSE);
-		parserBuilderFeatures.put("http://apache.org/xml/features/dom/defer-node-expansion", Boolean.FALSE);
-		return parserBuilderFeatures;
-	}
-
 }