我有以下代码:
final TransformerFactory factory = TransformerFactory.newInstance();
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
第二行在现代JDK(我试过1.8)中使用默认的TransformerFactory工作正常.但是当我将xalan(版本2.7.2,最新的版本)添加到classpath时,我在第二行上得到以下内容:
Exception in thread "main" java.lang.IllegalArgumentException: Not supported: http://javax.xml.XMLConstants/property/accessExternalDTD
at org.apache.xalan.processor.TransformerFactoryImpl.setAttribute(TransformerFactoryImpl.java:571)
at Main.main(Main.java:11)
我想这是因为xalan的TransformerFactory不支持这个属性. Xalan的实现通过ServiceLoader机制获取:它在xalan jar中的services / javax.xml.transform.TransfomerFactory中指定.
可以使用javax.xml.transform.TransformerFactory系统属性或$JRE / lib / jaxp.properties文件覆盖TransformerFactory实现,或直接在代码中传递类名.但要做到这一点,我必须提供一个具体的类名.现在,它是com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl,但在系统属性中对它进行硬编码有点可怕,因为在JDK升级时它们可以轻松更改类名,而我们只会得到运行时错误.
有没有办法指示TransformerFactory.newInstance()忽略xalan提供的实现?或者告诉它“只使用系统默认值”.
附:我不能只从类路径中删除xalan,因为我们使用的一堆其他库依赖于它.
最佳答案 我在这里唯一能做的就是硬编码JDK默认工厂并使用正常的发现过程作为后备:
TransformerFactory factory;
try {
factory = TransformerFactory.newInstance("com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl", SecureXmlFactories.class.getClassLoader());
} catch (Exception | TransformerFactoryConfigurationError e) {
LOGGER.error("Cannot load default TransformerFactory, let's try the usual way", e);
factory = TransformerFactory.newInstance();
}
然后在try / catch下配置它
// this works everywhere, but it does not disable accessing
// external DTDs... still enabling it just in case
try {
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
} catch (TransformerConfigurationException e) {
LOGGER.error("Cannot enable secure processing", e);
}
// this does not work in Xalan 2.7.2
try {
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
} catch (Exception e) {
LOGGER.error("Cannot disable external DTD access", e);
}
// this does not work in Xalan 2.7.2
try {
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
} catch (Exception e) {
LOGGER.error("Cannot disable external stylesheet access", e);
}
并监视日志以查看默认JDK工厂类名称是否/何时更改.