Merge

jaxp/src/com/sun/org/apache/xalan/internal/XalanConstants.java

@@ -73,13 +73,39 @@ public final class XalanConstants {
      * Default value when FEATURE_SECURE_PROCESSING (FSP) is set to true
      */
     public static final String EXTERNAL_ACCESS_DEFAULT_FSP = "";
-    /**
+
-     * JDK version by which the default is to restrict external connection
-     */
-    public static final int RESTRICT_BY_DEFAULT_JDK_VERSION = 8;
     /**
      * FEATURE_SECURE_PROCESSING (FSP) is false by default
      */
     public static final String EXTERNAL_ACCESS_DEFAULT = ACCESS_EXTERNAL_ALL;
 
+    public static final String XML_SECURITY_PROPERTY_MANAGER =
+            ORACLE_JAXP_PROPERTY_PREFIX + "xmlSecurityPropertyManager";
+
+    /**
+     * Check if we're in jdk8 or above
+     */
+    public static final boolean IS_JDK8_OR_ABOVE = isJavaVersionAtLeast(8);
+
+    /*
+     * Check the version of the current JDK against that specified in the
+     * parameter
+     *
+     * There is a proposal to change the java version string to:
+     * MAJOR.MINOR.FU.CPU.PSU-BUILDNUMBER_BUGIDNUMBER_OPTIONAL
+     * This method would work with both the current format and that proposed
+     *
+     * @param compareTo a JDK version to be compared to
+     * @return true if the current version is the same or above that represented
+     * by the parameter
+     */
+    public static boolean isJavaVersionAtLeast(int compareTo) {
+        String javaVersion = SecuritySupport.getSystemProperty("java.version");
+        String versions[] = javaVersion.split("\\.", 3);
+        if (Integer.parseInt(versions[0]) >= compareTo ||
+            Integer.parseInt(versions[1]) >= compareTo) {
+            return true;
+        }
+        return false;
+    }
 } // class Constants

jaxp/src/com/sun/org/apache/xalan/internal/utils/SecuritySupport.java

@@ -229,7 +229,8 @@ public final class SecuritySupport {
      * @return the name of the protocol if rejected, null otherwise
      */
     public static String checkAccess(String systemId, String allowedProtocols, String accessAny) throws IOException {
-        if (systemId == null || allowedProtocols.equalsIgnoreCase(accessAny)) {
+        if (systemId == null || (allowedProtocols != null &&
+                allowedProtocols.equalsIgnoreCase(accessAny))) {
             return null;
         }
 
@@ -262,6 +263,9 @@ public final class SecuritySupport {
      * @return true if the protocol is in the list
      */
     private static boolean isProtocolAllowed(String protocol, String allowedProtocols) {
+         if (allowedProtocols == null) {
+             return false;
+         }
          String temp[] = allowedProtocols.split(",");
          for (String t : temp) {
              t = t.trim();
@@ -273,18 +277,16 @@ public final class SecuritySupport {
      }
 
     /**
-     * Read from $java.home/lib/jaxp.properties for the specified property
+     * Read JAXP system property in this order: system property,
+     * $java.home/lib/jaxp.properties if the system property is not specified
      *
      * @param propertyId the Id of the property
      * @return the value of the property
      */
-    public static String getDefaultAccessProperty(String sysPropertyId, String defaultVal) {
+    public static String getJAXPSystemProperty(String sysPropertyId) {
-        String accessExternal = SecuritySupport.getSystemProperty(sysPropertyId);
+        String accessExternal = getSystemProperty(sysPropertyId);
         if (accessExternal == null) {
             accessExternal = readJAXPProperty(sysPropertyId);
-            if (accessExternal == null) {
-                accessExternal = defaultVal;
-            }
         }
         return accessExternal;
     }

jaxp/src/com/sun/org/apache/xalan/internal/utils/XMLSecurityPropertyManager.java

@@ -0,0 +1,192 @@
+/*
+ * Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package com.sun.org.apache.xalan.internal.utils;
+
+
+import com.sun.org.apache.xalan.internal.XalanConstants;
+import javax.xml.XMLConstants;
+
+/**
+ * This class manages security related properties
+ *
+ */
+public final class XMLSecurityPropertyManager {
+
+    /**
+     * States of the settings of a property, in the order: default value, value
+     * set by FEATURE_SECURE_PROCESSING, jaxp.properties file, jaxp system
+     * properties, and jaxp api properties
+     */
+    public static enum State {
+        //this order reflects the overriding order
+        DEFAULT, FSP, JAXPDOTPROPERTIES, SYSTEMPROPERTY, APIPROPERTY
+    }
+
+    /**
+     * Limits managed by the security manager
+     */
+    public static enum Property {
+        ACCESS_EXTERNAL_DTD(XMLConstants.ACCESS_EXTERNAL_DTD,
+                XalanConstants.EXTERNAL_ACCESS_DEFAULT),
+        ACCESS_EXTERNAL_STYLESHEET(XMLConstants.ACCESS_EXTERNAL_STYLESHEET,
+                XalanConstants.EXTERNAL_ACCESS_DEFAULT);
+
+        final String name;
+        final String defaultValue;
+
+        Property(String name, String value) {
+            this.name = name;
+            this.defaultValue = value;
+        }
+
+        public boolean equalsName(String propertyName) {
+            return (propertyName == null) ? false : name.equals(propertyName);
+        }
+
+        String defaultValue() {
+            return defaultValue;
+        }
+    }
+
+
+    /**
+     * Values of the properties as defined in enum Properties
+     */
+    private final String[] values;
+    /**
+     * States of the settings for each property in Properties above
+     */
+    private State[] states = {State.DEFAULT, State.DEFAULT};
+
+    /**
+     * Default constructor. Establishes default values
+     */
+    public XMLSecurityPropertyManager() {
+        values = new String[Property.values().length];
+        for (Property property : Property.values()) {
+            values[property.ordinal()] = property.defaultValue();
+        }
+        //read system properties or jaxp.properties
+        readSystemProperties();
+    }
+
+    /**
+     * Set the value for a specific property.
+     *
+     * @param property the property
+     * @param state the state of the property
+     * @param value the value of the property
+     */
+    public void setValue(Property property, State state, String value) {
+        //only update if it shall override
+        if (state.compareTo(states[property.ordinal()]) >= 0) {
+            values[property.ordinal()] = value;
+            states[property.ordinal()] = state;
+        }
+    }
+
+    /**
+     * Set the value of a property by its index
+     * @param index the index of the property
+     * @param state the state of the property
+     * @param value the value of the property
+     */
+    public void setValue(int index, State state, String value) {
+        //only update if it shall override
+        if (state.compareTo(states[index]) >= 0) {
+            values[index] = value;
+            states[index] = state;
+        }
+    }
+    /**
+     * Return the value of the specified property
+     *
+     * @param property the property
+     * @return the value of the property
+     */
+    public String getValue(Property property) {
+        return values[property.ordinal()];
+    }
+
+    /**
+     * Return the value of a property by its ordinal
+     * @param index the index of a property
+     * @return value of a property
+     */
+    public String getValueByIndex(int index) {
+        return values[index];
+    }
+
+    /**
+     * Get the index by property name
+     * @param propertyName property name
+     * @return the index of the property if found; return -1 if not
+     */
+    public int getIndex(String propertyName){
+        for (Property property : Property.values()) {
+            if (property.equalsName(propertyName)) {
+                //internally, ordinal is used as index
+                return property.ordinal();
+            }
+        }
+        return -1;
+    }
+
+    /**
+     * Read from system properties, or those in jaxp.properties
+     */
+    private void readSystemProperties() {
+        getSystemProperty(Property.ACCESS_EXTERNAL_DTD,
+                XalanConstants.SP_ACCESS_EXTERNAL_DTD);
+        getSystemProperty(Property.ACCESS_EXTERNAL_STYLESHEET,
+                XalanConstants.SP_ACCESS_EXTERNAL_STYLESHEET);
+    }
+
+    /**
+     * Read from system properties, or those in jaxp.properties
+     *
+     * @param property the property
+     * @param systemProperty the name of the system property
+     */
+    private void getSystemProperty(Property property, String systemProperty) {
+        try {
+            String value = SecuritySupport.getSystemProperty(systemProperty);
+            if (value != null) {
+                values[property.ordinal()] = value;
+                states[property.ordinal()] = State.SYSTEMPROPERTY;
+                return;
+            }
+
+            value = SecuritySupport.readJAXPProperty(systemProperty);
+            if (value != null) {
+                values[property.ordinal()] = value;
+                states[property.ordinal()] = State.JAXPDOTPROPERTIES;
+            }
+        } catch (NumberFormatException e) {
+            //invalid setting ignored
+        }
+    }
+}

jaxp/src/com/sun/org/apache/xalan/internal/xsltc/trax/TransformerFactoryImpl.java

@@ -27,6 +27,9 @@ import com.sun.org.apache.xalan.internal.XalanConstants;
 import com.sun.org.apache.xalan.internal.utils.FactoryImpl;
 import com.sun.org.apache.xalan.internal.utils.ObjectFactory;
 import com.sun.org.apache.xalan.internal.utils.SecuritySupport;
+import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager;
+import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager.Property;
+import com.sun.org.apache.xalan.internal.utils.XMLSecurityPropertyManager.State;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.Constants;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.SourceLoader;
 import com.sun.org.apache.xalan.internal.xsltc.compiler.XSLTC;
@@ -215,11 +218,13 @@ public class TransformerFactoryImpl
      * protocols allowed for external references set by the stylesheet processing instruction, Import and Include element.
      */
     private String _accessExternalStylesheet = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
+
      /**
      * protocols allowed for external DTD references in source file and/or stylesheet.
      */
     private String _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
 
+    private XMLSecurityPropertyManager _xmlSecurityPropertyMgr;
 
     /**
      * javax.xml.transform.sax.TransformerFactory implementation.
@@ -235,15 +240,16 @@ public class TransformerFactoryImpl
     private TransformerFactoryImpl(boolean useServicesMechanism) {
         this._useServicesMechanism = useServicesMechanism;
 
-        String defaultAccess = XalanConstants.EXTERNAL_ACCESS_DEFAULT;
         if (System.getSecurityManager() != null) {
             _isSecureMode = true;
             _isNotSecureProcessing = false;
         }
-        _accessExternalStylesheet =  SecuritySupport.getDefaultAccessProperty(
+
-                XalanConstants.SP_ACCESS_EXTERNAL_STYLESHEET, defaultAccess);
+        _xmlSecurityPropertyMgr = new XMLSecurityPropertyManager();
-        _accessExternalDTD =  SecuritySupport.getDefaultAccessProperty(
+        _accessExternalDTD = _xmlSecurityPropertyMgr.getValue(
-                XalanConstants.SP_ACCESS_EXTERNAL_DTD, defaultAccess);
+                Property.ACCESS_EXTERNAL_DTD);
+        _accessExternalStylesheet = _xmlSecurityPropertyMgr.getValue(
+                Property.ACCESS_EXTERNAL_STYLESHEET);
     }
 
     /**
@@ -306,11 +312,10 @@ public class TransformerFactoryImpl
             else
               return Boolean.FALSE;
         }
-        else if (name.equals(XMLConstants.ACCESS_EXTERNAL_STYLESHEET)) {
+
-            return _accessExternalStylesheet;
+        int index = _xmlSecurityPropertyMgr.getIndex(name);
-        }
+        if (index > -1) {
-        else if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) {
+            return _xmlSecurityPropertyMgr.getValueByIndex(index);
-            return _accessExternalDTD;
         }
 
         // Throw an exception for all other attributes
@@ -413,12 +418,15 @@ public class TransformerFactoryImpl
                 return;
             }
         }
-        else if (name.equals(XMLConstants.ACCESS_EXTERNAL_STYLESHEET)) {
+
-            _accessExternalStylesheet = (String)value;
+        int index = _xmlSecurityPropertyMgr.getIndex(name);
-            return;
+        if (index > -1) {
-        }
+            _xmlSecurityPropertyMgr.setValue(index,
-        else if (name.equals(XMLConstants.ACCESS_EXTERNAL_DTD)) {
+                    State.APIPROPERTY, (String)value);
-            _accessExternalDTD = (String)value;
+            _accessExternalDTD = _xmlSecurityPropertyMgr.getValue(
+                    Property.ACCESS_EXTERNAL_DTD);
+            _accessExternalStylesheet = _xmlSecurityPropertyMgr.getValue(
+                    Property.ACCESS_EXTERNAL_STYLESHEET);
             return;
         }
 
@@ -466,11 +474,18 @@ public class TransformerFactoryImpl
             }
             _isNotSecureProcessing = !value;
 
-            // set restriction, allowing no access to external stylesheet
+            // set external access restriction when FSP is explicitly set
-            if (value) {
+            if (value && XalanConstants.IS_JDK8_OR_ABOVE) {
-                _accessExternalStylesheet = XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP;
+                _xmlSecurityPropertyMgr.setValue(Property.ACCESS_EXTERNAL_DTD,
-                _accessExternalDTD = XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP;
+                        State.FSP, XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                _xmlSecurityPropertyMgr.setValue(Property.ACCESS_EXTERNAL_STYLESHEET,
+                        State.FSP, XalanConstants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                _accessExternalDTD = _xmlSecurityPropertyMgr.getValue(
+                        Property.ACCESS_EXTERNAL_DTD);
+                _accessExternalStylesheet = _xmlSecurityPropertyMgr.getValue(
+                        Property.ACCESS_EXTERNAL_STYLESHEET);
             }
+
             return;
         }
         else if (name.equals(XalanConstants.ORACLE_FEATURE_SERVICE_MECHANISM)) {

jaxp/src/com/sun/org/apache/xerces/internal/dom/DOMConfigurationImpl.java

@@ -33,7 +33,7 @@ import com.sun.org.apache.xerces.internal.util.ParserConfigurationSettings;
 import com.sun.org.apache.xerces.internal.util.PropertyState;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
 import com.sun.org.apache.xerces.internal.utils.ObjectFactory;
-import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.XMLDTDContentModelHandler;
 import com.sun.org.apache.xerces.internal.xni.XMLDTDHandler;
 import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
@@ -156,13 +156,9 @@ public class DOMConfigurationImpl extends ParserConfigurationSettings
     protected static final String SCHEMA_DV_FACTORY =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SCHEMA_DV_FACTORY_PROPERTY;
 
-    /** Property identifier: access to external dtd */
+    /** Property identifier: Security property manager. */
-    protected static final String ACCESS_EXTERNAL_DTD =
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
-        XMLConstants.ACCESS_EXTERNAL_DTD;
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
-
-    /** Property identifier: access to external schema  */
-    protected static final String ACCESS_EXTERNAL_SCHEMA =
-        XMLConstants.ACCESS_EXTERNAL_SCHEMA;
 
     //
     // Data
@@ -283,8 +279,7 @@ public class DOMConfigurationImpl extends ParserConfigurationSettings
             JAXP_SCHEMA_LANGUAGE,
             DTD_VALIDATOR_FACTORY_PROPERTY,
             SCHEMA_DV_FACTORY,
-            ACCESS_EXTERNAL_DTD,
+            XML_SECURITY_PROPERTY_MANAGER
-            ACCESS_EXTERNAL_SCHEMA
         };
         addRecognizedProperties(recognizedProperties);
 
@@ -318,14 +313,8 @@ public class DOMConfigurationImpl extends ParserConfigurationSettings
         fValidationManager = createValidationManager();
         setProperty(VALIDATION_MANAGER, fValidationManager);
 
-        //For DOM, the secure feature is set to true by default
+        setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER,
-        String accessExternal =  SecuritySupport.getDefaultAccessProperty(
+                new XMLSecurityPropertyManager());
-                Constants.SP_ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT);
-        setProperty(ACCESS_EXTERNAL_DTD, accessExternal);
-
-        accessExternal =  SecuritySupport.getDefaultAccessProperty(
-                Constants.SP_ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT);
-        setProperty(ACCESS_EXTERNAL_SCHEMA, accessExternal);
 
         // add message formatters
         if (fErrorReporter.getMessageFormatter(XMLMessageFormatter.XML_DOMAIN) == null) {

jaxp/src/com/sun/org/apache/xerces/internal/impl/Constants.java

@@ -184,6 +184,9 @@ public final class Constants {
     public static final String ORACLE_JAXP_PROPERTY_PREFIX =
         "http://www.oracle.com/xml/jaxp/properties/";
 
+    public static final String XML_SECURITY_PROPERTY_MANAGER =
+            ORACLE_JAXP_PROPERTY_PREFIX + "xmlSecurityPropertyManager";
+
     //System Properties corresponding to ACCESS_EXTERNAL_* properties
     public static final String SP_ACCESS_EXTERNAL_DTD = "javax.xml.accessExternalDTD";
     public static final String SP_ACCESS_EXTERNAL_SCHEMA = "javax.xml.accessExternalSchema";
@@ -194,16 +197,17 @@ public final class Constants {
      * Default value when FEATURE_SECURE_PROCESSING (FSP) is set to true
      */
     public static final String EXTERNAL_ACCESS_DEFAULT_FSP = "";
-    /**
-     * JDK version by which the default is to restrict external connection
-     */
-    public static final int RESTRICT_BY_DEFAULT_JDK_VERSION = 8;
 
     /**
      * FEATURE_SECURE_PROCESSING (FSP) is true by default
      */
     public static final String EXTERNAL_ACCESS_DEFAULT = ACCESS_EXTERNAL_ALL;
 
+    /**
+     * Check if we're in jdk8 or above
+     */
+    public static final boolean IS_JDK8_OR_ABOVE = isJavaVersionAtLeast(8);
+
     //
     // DOM features
     //
@@ -697,6 +701,27 @@ public final class Constants {
         ? new ArrayEnumeration(fgXercesProperties) : fgEmptyEnumeration;
     } // getXercesProperties():Enumeration
 
+    /*
+     * Check the version of the current JDK against that specified in the
+     * parameter
+     *
+     * There is a proposal to change the java version string to:
+     * MAJOR.MINOR.FU.CPU.PSU-BUILDNUMBER_BUGIDNUMBER_OPTIONAL
+     * This method would work with both the current format and that proposed
+     *
+     * @param compareTo a JDK version to be compared to
+     * @return true if the current version is the same or above that represented
+     * by the parameter
+     */
+    public static boolean isJavaVersionAtLeast(int compareTo) {
+        String javaVersion = SecuritySupport.getSystemProperty("java.version");
+        String versions[] = javaVersion.split("\\.", 3);
+        if (Integer.parseInt(versions[0]) >= compareTo ||
+            Integer.parseInt(versions[1]) >= compareTo) {
+            return true;
+        }
+        return false;
+    }
 
     //
     // Classes

jaxp/src/com/sun/org/apache/xerces/internal/impl/PropertyManager.java

@@ -25,10 +25,9 @@
 
 package com.sun.org.apache.xerces.internal.impl;
 
-import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.xml.internal.stream.StaxEntityResolverWrapper;
 import java.util.HashMap;
-import javax.xml.XMLConstants;
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLOutputFactory;
 import javax.xml.stream.XMLResolver;
@@ -51,15 +50,14 @@ public class PropertyManager {
 
     private static final String STRING_INTERNING = "http://xml.org/sax/features/string-interning";
 
-
+    /** Property identifier: Security property manager. */
-    /** Property identifier: access to external dtd */
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
-    protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
-
-    /** Property identifier: access to external schema  */
-    protected static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
 
     HashMap supportedProps = new HashMap();
 
+    private XMLSecurityPropertyManager fSecurityPropertyMgr;
+
     public static final int CONTEXT_READER = 1;
     public static final int CONTEXT_WRITER = 2;
 
@@ -84,6 +82,7 @@ public class PropertyManager {
 
         HashMap properties = propertyManager.getProperties();
         supportedProps.putAll(properties);
+        fSecurityPropertyMgr = (XMLSecurityPropertyManager)getProperty(XML_SECURITY_PROPERTY_MANAGER);
     }
 
     private HashMap getProperties(){
@@ -125,14 +124,8 @@ public class PropertyManager {
         supportedProps.put(Constants.XERCES_FEATURE_PREFIX + Constants.WARN_ON_DUPLICATE_ENTITYDEF_FEATURE, new Boolean(false));
         supportedProps.put(Constants.XERCES_FEATURE_PREFIX + Constants.WARN_ON_UNDECLARED_ELEMDEF_FEATURE, new Boolean(false));
 
-        //For DOM/SAX, the secure feature is set to true by default
+        fSecurityPropertyMgr = new XMLSecurityPropertyManager();
-        String accessExternal =  SecuritySupport.getDefaultAccessProperty(
+        supportedProps.put(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
-                Constants.SP_ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT);
-        supportedProps.put(ACCESS_EXTERNAL_DTD, accessExternal);
-
-        accessExternal =  SecuritySupport.getDefaultAccessProperty(
-                Constants.SP_ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT);
-        supportedProps.put(ACCESS_EXTERNAL_SCHEMA, accessExternal);
     }
 
     private void initWriterProps(){
@@ -148,7 +141,8 @@ public class PropertyManager {
      * }
      */
     public boolean containsProperty(String property){
-        return supportedProps.containsKey(property) ;
+        return supportedProps.containsKey(property) ||
+                (fSecurityPropertyMgr!=null && fSecurityPropertyMgr.getIndex(property) > -1) ;
     }
 
     public Object getProperty(String property){
@@ -174,7 +168,15 @@ public class PropertyManager {
             //add internal stax property
             supportedProps.put( Constants.XERCES_PROPERTY_PREFIX + Constants.STAX_ENTITY_RESOLVER_PROPERTY , new StaxEntityResolverWrapper((XMLResolver)value)) ;
         }
-        supportedProps.put(property, value ) ;
+
+        int index = (fSecurityPropertyMgr != null) ? fSecurityPropertyMgr.getIndex(property) : -1;
+        if (index > -1) {
+            fSecurityPropertyMgr.setValue(index,
+                    XMLSecurityPropertyManager.State.APIPROPERTY, (String)value);
+        } else {
+            supportedProps.put(property, value);
+        }
+
         if(equivalentProperty != null){
             supportedProps.put(equivalentProperty, value ) ;
         }

jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java

@@ -53,6 +53,7 @@ import com.sun.org.apache.xerces.internal.impl.XMLEntityHandler;
 import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.NamespaceSupport;
 import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
 import com.sun.xml.internal.stream.Entity;
 import javax.xml.XMLConstants;
@@ -166,8 +167,9 @@ public class XMLDocumentFragmentScannerImpl
     protected static final String STANDARD_URI_CONFORMANT =
             Constants.XERCES_FEATURE_PREFIX +Constants.STANDARD_URI_CONFORMANT_FEATURE;
 
-    /** property identifier: access external dtd. */
+    /** Property identifier: Security property manager. */
-    protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
 
     /** access external dtd: file protocol
      *  For DOM/SAX, the secure feature is set to true by default
@@ -199,7 +201,7 @@ public class XMLDocumentFragmentScannerImpl
         SYMBOL_TABLE,
                 ERROR_REPORTER,
                 ENTITY_MANAGER,
-                ACCESS_EXTERNAL_DTD
+                XML_SECURITY_PROPERTY_MANAGER
     };
 
     /** Property defaults. */
@@ -610,7 +612,10 @@ public class XMLDocumentFragmentScannerImpl
         dtdGrammarUtil = null;
 
         // JAXP 1.5 features and properties
-        fAccessExternalDTD = (String) componentManager.getProperty(ACCESS_EXTERNAL_DTD, EXTERNAL_ACCESS_DEFAULT);
+        XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)
+                componentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER, null);
+        fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
+
         fStrictURI = componentManager.getFeature(STANDARD_URI_CONFORMANT, false);
 
         //fEntityManager.test();
@@ -662,9 +667,10 @@ public class XMLDocumentFragmentScannerImpl
 
         dtdGrammarUtil = null;
 
-        // Oracle jdk feature
+         // JAXP 1.5 features and properties
-        fAccessExternalDTD = (String) propertyManager.getProperty(ACCESS_EXTERNAL_DTD);
+        XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)
-
+                propertyManager.getProperty(XML_SECURITY_PROPERTY_MANAGER);
+        fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
     } // reset(XMLComponentManager)
 
     /**
@@ -762,11 +768,10 @@ public class XMLDocumentFragmentScannerImpl
         }
 
         //JAXP 1.5 properties
-        if (propertyId.startsWith(Constants.JAXPAPI_PROPERTY_PREFIX)) {
+        if (propertyId.equals(XML_SECURITY_PROPERTY_MANAGER))
-            if (propertyId.equals(ACCESS_EXTERNAL_DTD))
+        {
-            {
+            XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)value;
-                fAccessExternalDTD = (String)value;
+            fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
-            }
         }
 
     } // setProperty(String,Object)

jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java

@@ -31,6 +31,7 @@ import com.sun.org.apache.xerces.internal.util.*;
 import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.URI;
 import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.Augmentations;
 import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
@@ -166,8 +167,9 @@ public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
     protected static final String PARSER_SETTINGS =
         Constants.XERCES_FEATURE_PREFIX + Constants.PARSER_SETTINGS;
 
-    /** property identifier: access external dtd. */
+    /** Property identifier: Security property manager. */
-    protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
 
     /** access external dtd: file protocol */
     static final String EXTERNAL_ACCESS_DEFAULT = Constants.EXTERNAL_ACCESS_DEFAULT;
@@ -203,7 +205,7 @@ public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
                 VALIDATION_MANAGER,
                 BUFFER_SIZE,
                 SECURITY_MANAGER,
-                ACCESS_EXTERNAL_DTD
+                XML_SECURITY_PROPERTY_MANAGER
     };
 
     /** Property defaults. */
@@ -214,7 +216,7 @@ public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
                 null,
                 new Integer(DEFAULT_BUFFER_SIZE),
                 null,
-                EXTERNAL_ACCESS_DEFAULT
+                null
     };
 
     private static final String XMLEntity = "[xml]".intern();
@@ -1421,7 +1423,8 @@ public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
         fLoadExternalDTD = !((Boolean)propertyManager.getProperty(Constants.ZEPHYR_PROPERTY_PREFIX + Constants.IGNORE_EXTERNAL_DTD)).booleanValue();
 
         // JAXP 1.5 feature
-        fAccessExternalDTD = (String) propertyManager.getProperty(ACCESS_EXTERNAL_DTD);
+        XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager) propertyManager.getProperty(XML_SECURITY_PROPERTY_MANAGER);
+        fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
 
         // initialize state
         //fStandalone = false;
@@ -1485,7 +1488,11 @@ public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
         fSecurityManager = (SecurityManager)componentManager.getProperty(SECURITY_MANAGER, null);
 
         // JAXP 1.5 feature
-        fAccessExternalDTD = (String) componentManager.getProperty(ACCESS_EXTERNAL_DTD, EXTERNAL_ACCESS_DEFAULT);
+        XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager) componentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER, null);
+        if (spm == null) {
+            spm = new XMLSecurityPropertyManager();
+        }
+        fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
 
         //reset general state
         reset();
@@ -1641,11 +1648,10 @@ public class XMLEntityManager implements XMLComponent, XMLEntityResolver {
         }
 
         //JAXP 1.5 properties
-        if (propertyId.startsWith(Constants.JAXPAPI_PROPERTY_PREFIX)) {
+        if (propertyId.equals(XML_SECURITY_PROPERTY_MANAGER))
-            if (propertyId.equals(ACCESS_EXTERNAL_DTD))
+        {
-            {
+            XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)value;
-                fAccessExternalDTD = (String)value;
+            fAccessExternalDTD = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
-            }
         }
     }
 

jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/XMLSchemaLoader.java

@@ -54,6 +54,7 @@ import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
 import com.sun.org.apache.xerces.internal.util.XMLSymbols;
 import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.grammars.Grammar;
 import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarDescription;
@@ -218,6 +219,10 @@ XSLoader, DOMConfiguration {
     protected static final String ENTITY_MANAGER =
         Constants.XERCES_PROPERTY_PREFIX + Constants.ENTITY_MANAGER_PROPERTY;
 
+    /** Property identifier: Security property manager. */
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
+
     /** Property identifier: access to external dtd */
     public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
 
@@ -238,8 +243,7 @@ XSLoader, DOMConfiguration {
         SECURITY_MANAGER,
         LOCALE,
         SCHEMA_DV_FACTORY,
-        ACCESS_EXTERNAL_DTD,
+        XML_SECURITY_PROPERTY_MANAGER
-        ACCESS_EXTERNAL_SCHEMA
     };
 
     // Data
@@ -270,7 +274,6 @@ XSLoader, DOMConfiguration {
     private final CMNodeFactory fNodeFactory = new CMNodeFactory(); //component mgr will be set later
     private CMBuilder fCMBuilder;
     private XSDDescription fXSDDescription = new XSDDescription();
-    private String faccessExternalDTD = Constants.EXTERNAL_ACCESS_DEFAULT;
     private String faccessExternalSchema = Constants.EXTERNAL_ACCESS_DEFAULT;
 
     private Map fJAXPCache;
@@ -466,11 +469,9 @@ XSLoader, DOMConfiguration {
                 fErrorReporter.putMessageFormatter(XSMessageFormatter.SCHEMA_DOMAIN, new XSMessageFormatter());
             }
         }
-        else if (propertyId.equals(ACCESS_EXTERNAL_DTD)) {
+        else if (propertyId.equals(XML_SECURITY_PROPERTY_MANAGER)) {
-            faccessExternalDTD = (String) state;
+            XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)state;
-        }
+            faccessExternalSchema = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA);
-        else if (propertyId.equals(ACCESS_EXTERNAL_SCHEMA)) {
-            faccessExternalSchema = (String) state;
         }
     } // setProperty(String, Object)
 
@@ -1066,8 +1067,8 @@ XSLoader, DOMConfiguration {
         fSchemaHandler.setGenerateSyntheticAnnotations(componentManager.getFeature(GENERATE_SYNTHETIC_ANNOTATIONS, false));
         fSchemaHandler.reset(componentManager);
 
-        faccessExternalDTD = (String) componentManager.getProperty(ACCESS_EXTERNAL_DTD);
+        XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)componentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER);
-        faccessExternalSchema = (String) componentManager.getProperty(ACCESS_EXTERNAL_SCHEMA);
+        faccessExternalSchema = spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA);
     }
 
     private void initGrammarBucket(){

jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/XMLSchemaValidator.java

@@ -233,11 +233,9 @@ public class XMLSchemaValidator
     protected static final String SCHEMA_DV_FACTORY =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SCHEMA_DV_FACTORY_PROPERTY;
 
-    /** property identifier: access external dtd. */
+    /** Property identifier: Security property manager. */
-    private static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
-
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
-    /** Property identifier: access to external schema */
-    private static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
 
     protected static final String USE_SERVICE_MECHANISM = Constants.ORACLE_FEATURE_SERVICE_MECHANISM;
 
@@ -297,8 +295,7 @@ public class XMLSchemaValidator
             JAXP_SCHEMA_SOURCE,
             JAXP_SCHEMA_LANGUAGE,
             SCHEMA_DV_FACTORY,
-            ACCESS_EXTERNAL_DTD,
+            XML_SECURITY_PROPERTY_MANAGER
-            ACCESS_EXTERNAL_SCHEMA
             };
 
     /** Property defaults. */

jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java

@@ -78,6 +78,7 @@ import com.sun.org.apache.xerces.internal.util.SymbolTable;
 import com.sun.org.apache.xerces.internal.util.XMLSymbols;
 import com.sun.org.apache.xerces.internal.util.URI.MalformedURIException;
 import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.QName;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.grammars.Grammar;
@@ -112,6 +113,7 @@ import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
 import org.xml.sax.SAXParseException;
 import org.xml.sax.XMLReader;
 import org.xml.sax.helpers.XMLReaderFactory;
@@ -223,11 +225,9 @@ public class XSDHandler {
     protected static final String LOCALE =
         Constants.XERCES_PROPERTY_PREFIX + Constants.LOCALE_PROPERTY;
 
-    /** property identifier: access external dtd. */
+        /** Property identifier: Security property manager. */
-    public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
-
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
-    /** Property identifier: access to external schema */
-    public static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
 
     protected static final boolean DEBUG_NODE_POOL = false;
 
@@ -260,6 +260,7 @@ public class XSDHandler {
     protected SecurityManager fSecureProcessing = null;
 
     private String fAccessExternalSchema;
+    private String fAccessExternalDTD;
 
     // These tables correspond to the symbol spaces defined in the
     // spec.
@@ -2249,6 +2250,13 @@ public class XSDHandler {
                         }
                     }
                     catch (SAXException se) {}
+
+                    try {
+                        parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, fAccessExternalDTD);
+                    } catch (SAXNotRecognizedException exc) {
+                        System.err.println("Warning: " + parser.getClass().getName() + ": " +
+                                exc.getMessage());
+                    }
                 }
                 // If XML names and Namespace URIs are already internalized we
                 // can avoid running them through the SymbolTable.
@@ -3580,11 +3588,17 @@ public class XSDHandler {
         } catch (XMLConfigurationException e) {
         }
 
-        //For Schema validation, the secure feature is set to true by default
+        XMLSecurityPropertyManager securityPropertyMgr = (XMLSecurityPropertyManager)
-        fSchemaParser.setProperty(ACCESS_EXTERNAL_DTD,
+                componentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER);
-                componentManager.getProperty(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT));
+        //Passing on the setting to the parser
-        fAccessExternalSchema = (String) componentManager.getProperty(
+        fSchemaParser.setProperty(XML_SECURITY_PROPERTY_MANAGER, securityPropertyMgr);
-                ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT);
+
+        fAccessExternalDTD = securityPropertyMgr.getValue(
+                XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD);
+
+        fAccessExternalSchema = securityPropertyMgr.getValue(
+                XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA);
+
     } // reset(XMLComponentManager)
 
 

jaxp/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java

@@ -37,6 +37,9 @@ import com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator;
 import com.sun.org.apache.xerces.internal.jaxp.validation.XSGrammarPoolContainer;
 import com.sun.org.apache.xerces.internal.parsers.DOMParser;
 import com.sun.org.apache.xerces.internal.util.SecurityManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager.Property;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager.State;
 import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
@@ -97,12 +100,17 @@ public class DocumentBuilderImpl extends DocumentBuilder
     private static final String SECURITY_MANAGER =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
 
+    /** Property identifier: Security property manager. */
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
+
     /** property identifier: access external dtd. */
     public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
 
     /** Property identifier: access to external schema */
     public static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
 
+
     private final DOMParser domParser;
     private final Schema grammar;
 
@@ -117,6 +125,8 @@ public class DocumentBuilderImpl extends DocumentBuilder
     /** Initial EntityResolver */
     private final EntityResolver fInitEntityResolver;
 
+    private XMLSecurityPropertyManager fSecurityPropertyMgr;
+
     DocumentBuilderImpl(DocumentBuilderFactoryImpl dbf, Hashtable dbfAttrs, Hashtable features)
         throws SAXNotRecognizedException, SAXNotSupportedException {
         this(dbf, dbfAttrs, features, false);
@@ -160,23 +170,27 @@ public class DocumentBuilderImpl extends DocumentBuilder
             domParser.setFeature(XINCLUDE_FEATURE, true);
         }
 
+        fSecurityPropertyMgr = new XMLSecurityPropertyManager();
+        domParser.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
+
         // If the secure processing feature is on set a security manager.
         if (secureProcessing) {
             domParser.setProperty(SECURITY_MANAGER, new SecurityManager());
 
             /**
-             * By default, secure processing is set, no external access is allowed.
+             * If secure processing is explicitly set on the factory, the
-             * However, we need to check if it is actively set on the factory since we
+             * access properties will be set unless the corresponding
-             * allow the use of the System Property or jaxp.properties to override
+             * System Properties or jaxp.properties are set
-             * the default value
              */
             if (features != null) {
                 Object temp = features.get(XMLConstants.FEATURE_SECURE_PROCESSING);
                 if (temp != null) {
                     boolean value = ((Boolean) temp).booleanValue();
-                    if (value) {
+                    if (value && Constants.IS_JDK8_OR_ABOVE) {
-                        domParser.setProperty(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                        fSecurityPropertyMgr.setValue(Property.ACCESS_EXTERNAL_DTD,
-                        domParser.setProperty(ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                                State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                        fSecurityPropertyMgr.setValue(Property.ACCESS_EXTERNAL_SCHEMA,
+                                State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
                     }
                 }
             }
@@ -220,7 +234,7 @@ public class DocumentBuilderImpl extends DocumentBuilder
             setFeatures(features);
         }
 
-        // Set attributes
+        //setAttribute override those that may be set by other means
         setDocumentBuilderFactoryAttributes(dbfAttrs);
 
         // Initial EntityResolver
@@ -275,26 +289,32 @@ public class DocumentBuilderImpl extends DocumentBuilder
                             // spec when schema validation is enabled
                             domParser.setProperty(JAXP_SCHEMA_LANGUAGE, W3C_XML_SCHEMA);
                         }
-                    }
+                     }
-                        } else if(JAXP_SCHEMA_SOURCE.equals(name)){
+                 } else if(JAXP_SCHEMA_SOURCE.equals(name)){
-                        if( isValidating() ) {
+                    if( isValidating() ) {
-                                                String value=(String)dbfAttrs.get(JAXP_SCHEMA_LANGUAGE);
+                        String value=(String)dbfAttrs.get(JAXP_SCHEMA_LANGUAGE);
-                                                if(value !=null && W3C_XML_SCHEMA.equals(value)){
+                        if(value !=null && W3C_XML_SCHEMA.equals(value)){
-                                        domParser.setProperty(name, val);
+                            domParser.setProperty(name, val);
-                                                }else{
+                        }else{
                             throw new IllegalArgumentException(
                                 DOMMessageFormatter.formatMessage(DOMMessageFormatter.DOM_DOMAIN,
                                 "jaxp-order-not-supported",
                                 new Object[] {JAXP_SCHEMA_LANGUAGE, JAXP_SCHEMA_SOURCE}));
-                                                }
-                                        }
-                } else {
-                    // Let Xerces code handle the property
-                    domParser.setProperty(name, val);
-                                }
                         }
-                }
+                     }
+                  } else {
+                    int index = fSecurityPropertyMgr.getIndex(name);
+                    if (index > -1) {
+                        fSecurityPropertyMgr.setValue(index,
+                                XMLSecurityPropertyManager.State.APIPROPERTY, (String)val);
+                    } else {
+                        // Let Xerces code handle the property
+                        domParser.setProperty(name, val);
+                    }
+                  }
+             }
         }
+    }
 
     /**
      * Non-preferred: use the getDOMImplementation() method instead of this

jaxp/src/com/sun/org/apache/xerces/internal/jaxp/SAXParserImpl.java

@@ -36,6 +36,7 @@ import com.sun.org.apache.xerces.internal.jaxp.validation.XSGrammarPoolContainer
 import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
 import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.Status;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
@@ -92,11 +93,9 @@ public class SAXParserImpl extends javax.xml.parsers.SAXParser
     private static final String SECURITY_MANAGER =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
 
-    /** property identifier: access external dtd. */
+    /** Property identifier: Security property manager. */
-    public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
-
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
-    /** Property identifier: access to external schema */
-    public static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
 
     private final JAXPSAXParser xmlReader;
     private String schemaLanguage = null;     // null means DTD
@@ -113,6 +112,8 @@ public class SAXParserImpl extends javax.xml.parsers.SAXParser
     /** Initial EntityResolver */
     private final EntityResolver fInitEntityResolver;
 
+    private XMLSecurityPropertyManager fSecurityPropertyMgr;
+
     /**
      * Create a SAX parser with the associated features
      * @param features Hashtable of SAX features, may be null
@@ -149,6 +150,9 @@ public class SAXParserImpl extends javax.xml.parsers.SAXParser
             xmlReader.setFeature0(XINCLUDE_FEATURE, true);
         }
 
+        fSecurityPropertyMgr = new XMLSecurityPropertyManager();
+        xmlReader.setProperty0(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
+
         // If the secure processing feature is on set a security manager.
         if (secureProcessing) {
             xmlReader.setProperty0(SECURITY_MANAGER, new SecurityManager());
@@ -162,9 +166,12 @@ public class SAXParserImpl extends javax.xml.parsers.SAXParser
                 Object temp = features.get(XMLConstants.FEATURE_SECURE_PROCESSING);
                 if (temp != null) {
                     boolean value = ((Boolean) temp).booleanValue();
-                    if (value) {
+                    if (value && Constants.IS_JDK8_OR_ABOVE) {
-                        xmlReader.setProperty0(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                        fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD,
-                        xmlReader.setProperty0(ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                                XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                        fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA,
+                                XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+
                     }
                 }
             }
@@ -530,14 +537,21 @@ public class SAXParserImpl extends javax.xml.parsers.SAXParser
                     return;
                 }
             }
-            if (!fInitProperties.containsKey(name)) {
-                fInitProperties.put(name, super.getProperty(name));
-            }
             /** Forward property to the schema validator if there is one. **/
             if (fSAXParser != null && fSAXParser.fSchemaValidator != null) {
                 setSchemaValidatorProperty(name, value);
             }
-            super.setProperty(name, value);
+            /** Check to see if the property is managed by the property manager **/
+            int index = fSAXParser.fSecurityPropertyMgr.getIndex(name);
+            if (index > -1) {
+                fSAXParser.fSecurityPropertyMgr.setValue(index,
+                        XMLSecurityPropertyManager.State.APIPROPERTY, (String)value);
+            } else {
+                if (!fInitProperties.containsKey(name)) {
+                    fInitProperties.put(name, super.getProperty(name));
+                }
+                super.setProperty(name, value);
+            }
         }
 
         public synchronized Object getProperty(String name)
@@ -550,6 +564,11 @@ public class SAXParserImpl extends javax.xml.parsers.SAXParser
                 // JAXP 1.2 support
                 return fSAXParser.schemaLanguage;
             }
+            int index = fSAXParser.fSecurityPropertyMgr.getIndex(name);
+            if (index > -1) {
+                return fSAXParser.fSecurityPropertyMgr.getValueByIndex(index);
+            }
+
             return super.getProperty(name);
         }
 

jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java

@@ -177,11 +177,11 @@ final class StreamValidatorHelper implements ValidatorHelper {
         }
         config.setProperty(SYMBOL_TABLE, fComponentManager.getProperty(SYMBOL_TABLE));
         config.setProperty(VALIDATION_MANAGER, fComponentManager.getProperty(VALIDATION_MANAGER));
-        config.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,
-                fComponentManager.getProperty(XMLConstants.ACCESS_EXTERNAL_DTD));
         config.setDocumentHandler(fSchemaValidator);
         config.setDTDHandler(null);
         config.setDTDContentModelHandler(null);
+        config.setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER,
+                fComponentManager.getProperty(Constants.XML_SECURITY_PROPERTY_MANAGER));
         fConfiguration = new SoftReference(config);
         return config;
     }

jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java

@@ -53,6 +53,7 @@ import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.URI;
 import com.sun.org.apache.xerces.internal.util.XMLAttributesImpl;
 import com.sun.org.apache.xerces.internal.util.XMLSymbols;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.Augmentations;
 import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
 import com.sun.org.apache.xerces.internal.xni.QName;
@@ -134,6 +135,10 @@ final class ValidatorHandlerImpl extends ValidatorHandler implements
     private static final String VALIDATION_MANAGER =
         Constants.XERCES_PROPERTY_PREFIX + Constants.VALIDATION_MANAGER_PROPERTY;
 
+    /** Property identifier: Security property manager. */
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
+
     //
     // Data
     //
@@ -686,8 +691,10 @@ final class ValidatorHandlerImpl extends ValidatorHandler implements
                                catch (SAXException exc) {}
                            }
                            try {
+                               XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)
+                                       fComponentManager.getProperty(XML_SECURITY_PROPERTY_MANAGER);
                                reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,
-                                      fComponentManager.getProperty(XMLConstants.ACCESS_EXTERNAL_DTD));
+                                       spm.getValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD));
                            } catch (SAXException exc) {
                                System.err.println("Warning: " + reader.getClass().getName() + ": " +
                                       exc.getMessage());

jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java

@@ -45,7 +45,7 @@ import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.StAXInputSource;
 import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.XMLGrammarPoolImpl;
-import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.grammars.Grammar;
 import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarDescription;
@@ -83,11 +83,10 @@ public final class XMLSchemaFactory extends SchemaFactory {
     private static final String SECURITY_MANAGER =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
 
-    /** property identifier: access external dtd. */
+    /** Property identifier: Security property manager. */
-    public static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
 
-    /** Property identifier: access to external schema  */
-    public static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
 
     //
     // Data
@@ -111,6 +110,9 @@ public final class XMLSchemaFactory extends SchemaFactory {
     /** The SecurityManager. */
     private SecurityManager fSecurityManager;
 
+    /** The Security property manager. */
+    private XMLSecurityPropertyManager fSecurityPropertyMgr;
+
     /** The container for the real grammar pool. */
     private XMLGrammarPoolWrapper fXMLGrammarPoolWrapper;
 
@@ -120,6 +122,8 @@ public final class XMLSchemaFactory extends SchemaFactory {
      * Note the default value (false) is the safe option..
      */
     private final boolean fUseServicesMechanism;
+
+
     public XMLSchemaFactory() {
         this(true);
     }
@@ -140,13 +144,9 @@ public final class XMLSchemaFactory extends SchemaFactory {
         fSecurityManager = new SecurityManager();
         fXMLSchemaLoader.setProperty(SECURITY_MANAGER, fSecurityManager);
 
-        //by default, the secure feature is set to true, otherwise the default would have been 'file'
+        fSecurityPropertyMgr = new XMLSecurityPropertyManager();
-        String accessExternal = SecuritySupport.getDefaultAccessProperty(
+        fXMLSchemaLoader.setProperty(XML_SECURITY_PROPERTY_MANAGER,
-                Constants.SP_ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT);
+                fSecurityPropertyMgr);
-        fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_DTD, accessExternal);
-        accessExternal = SecuritySupport.getDefaultAccessProperty(
-                Constants.SP_ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT);
-        fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_SCHEMA, accessExternal);
     }
 
     /**
@@ -282,6 +282,7 @@ public final class XMLSchemaFactory extends SchemaFactory {
             schema = new EmptyXMLSchema();
         }
         propagateFeatures(schema);
+        propagateProperties(schema);
         return schema;
     }
 
@@ -366,8 +367,13 @@ public final class XMLSchemaFactory extends SchemaFactory {
             }
             if (value) {
                 fSecurityManager = new SecurityManager();
-                fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+
-                fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                if (Constants.IS_JDK8_OR_ABOVE) {
+                    fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD,
+                            XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                    fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA,
+                            XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                }
             } else {
                 fSecurityManager = null;
             }
@@ -414,7 +420,13 @@ public final class XMLSchemaFactory extends SchemaFactory {
                     "property-not-supported", new Object [] {name}));
         }
         try {
-            fXMLSchemaLoader.setProperty(name, object);
+            int index = fSecurityPropertyMgr.getIndex(name);
+            if (index > -1) {
+                fSecurityPropertyMgr.setValue(index,
+                        XMLSecurityPropertyManager.State.APIPROPERTY, (String)object);
+            } else {
+                fXMLSchemaLoader.setProperty(name, object);
+            }
         }
         catch (XMLConfigurationException e) {
             String identifier = e.getIdentifier();

jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java

@@ -42,6 +42,7 @@ import com.sun.org.apache.xerces.internal.util.PropertyState;
 import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
@@ -107,6 +108,10 @@ final class XMLSchemaValidatorComponentManager extends ParserConfigurationSettin
     private static final String SECURITY_MANAGER =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
 
+    /** Property identifier: security property manager. */
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
+
     /** Property identifier: symbol table. */
     private static final String SYMBOL_TABLE =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SYMBOL_TABLE_PROPERTY;
@@ -123,12 +128,6 @@ final class XMLSchemaValidatorComponentManager extends ParserConfigurationSettin
     private static final String LOCALE =
         Constants.XERCES_PROPERTY_PREFIX + Constants.LOCALE_PROPERTY;
 
-    /** property identifier: access external dtd. */
-    private static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
-
-    /** Property identifier: access to external schema  */
-    private static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
-
     //
     // Data
     //
@@ -184,6 +183,9 @@ final class XMLSchemaValidatorComponentManager extends ParserConfigurationSettin
     /** Stores the initial security manager. */
     private final SecurityManager fInitSecurityManager;
 
+    /** Stores the initial security property manager. */
+    private final XMLSecurityPropertyManager fSecurityPropertyMgr;
+
     //
     // User Objects
     //
@@ -250,8 +252,9 @@ final class XMLSchemaValidatorComponentManager extends ParserConfigurationSettin
         fComponents.put(SECURITY_MANAGER, fInitSecurityManager);
 
         //pass on properties set on SchemaFactory
-        setProperty(ACCESS_EXTERNAL_DTD, grammarContainer.getProperty(ACCESS_EXTERNAL_DTD));
+        fSecurityPropertyMgr = (XMLSecurityPropertyManager)
-        setProperty(ACCESS_EXTERNAL_SCHEMA, grammarContainer.getProperty(ACCESS_EXTERNAL_SCHEMA));
+                grammarContainer.getProperty(Constants.XML_SECURITY_PROPERTY_MANAGER);
+        setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
     }
 
     /**
@@ -309,6 +312,15 @@ final class XMLSchemaValidatorComponentManager extends ParserConfigurationSettin
                 throw new XMLConfigurationException(Status.NOT_ALLOWED, XMLConstants.FEATURE_SECURE_PROCESSING);
             }
             setProperty(SECURITY_MANAGER, value ? new SecurityManager() : null);
+
+            if (value && Constants.IS_JDK8_OR_ABOVE) {
+                fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_DTD,
+                        XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                fSecurityPropertyMgr.setValue(XMLSecurityPropertyManager.Property.ACCESS_EXTERNAL_SCHEMA,
+                        XMLSecurityPropertyManager.State.FSP, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
+                setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
+            }
+
             return;
         }
         fConfigUpdated = true;

jaxp/src/com/sun/org/apache/xerces/internal/parsers/DOMParser.java

@@ -29,6 +29,7 @@ import com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper;
 import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
 import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarPool;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException;
@@ -74,6 +75,10 @@ public class DOMParser
     protected static final String REPORT_WHITESPACE =
             Constants.SUN_SCHEMA_FEATURE_PREFIX + Constants.SUN_REPORT_IGNORED_ELEMENT_CONTENT_WHITESPACE;
 
+    /** Property identifier: Security property manager. */
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
+
     // recognized features:
     private static final String[] RECOGNIZED_FEATURES = {
         REPORT_WHITESPACE
@@ -579,6 +584,13 @@ public class DOMParser
        }
 
         try {
+            XMLSecurityPropertyManager spm = (XMLSecurityPropertyManager)
+                    fConfiguration.getProperty(XML_SECURITY_PROPERTY_MANAGER);
+            int index = spm.getIndex(propertyId);
+            if (index > -1) {
+                return spm.getValueByIndex(index);
+            }
+
             return fConfiguration.getProperty(propertyId);
         }
         catch (XMLConfigurationException e) {

jaxp/src/com/sun/org/apache/xerces/internal/parsers/SAXParser.java

@@ -22,8 +22,11 @@ package com.sun.org.apache.xerces.internal.parsers;
 
 import com.sun.org.apache.xerces.internal.impl.Constants;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarPool;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 
 /**
  * This is the main Xerces SAX parser class. It uses the abstract SAX
@@ -120,4 +123,24 @@ public class SAXParser
 
     } // <init>(SymbolTable,XMLGrammarPool)
 
+    /**
+     * Sets the particular property in the underlying implementation of
+     * org.xml.sax.XMLReader.
+     */
+    public void setProperty(String name, Object value)
+        throws SAXNotRecognizedException, SAXNotSupportedException {
+        XMLSecurityPropertyManager spm = new XMLSecurityPropertyManager();
+        int index = spm.getIndex(name);
+        if (index > -1) {
+            /**
+             * this is a direct call to this parser, not a subclass since
+             * internally the support of this property is done through
+             * XMLSecurityPropertyManager
+             */
+            spm.setValue(index, XMLSecurityPropertyManager.State.APIPROPERTY, (String)value);
+            super.setProperty(Constants.XML_SECURITY_PROPERTY_MANAGER, spm);
+        } else {
+            super.setProperty(name, value);
+        }
+    }
 } // class SAXParser

jaxp/src/com/sun/org/apache/xerces/internal/parsers/XML11Configuration.java

@@ -20,12 +20,10 @@
 
 package com.sun.org.apache.xerces.internal.parsers;
 
-import java.io.File;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.Locale;
-import java.util.Properties;
 import javax.xml.XMLConstants;
 
 import com.sun.org.apache.xerces.internal.impl.Constants;
@@ -53,9 +51,8 @@ import com.sun.org.apache.xerces.internal.impl.xs.XSMessageFormatter;
 import com.sun.org.apache.xerces.internal.util.FeatureState;
 import com.sun.org.apache.xerces.internal.util.ParserConfigurationSettings;
 import com.sun.org.apache.xerces.internal.util.PropertyState;
-import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
-import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import com.sun.org.apache.xerces.internal.xni.XMLDTDContentModelHandler;
 import com.sun.org.apache.xerces.internal.xni.XMLDTDHandler;
 import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
@@ -278,11 +275,10 @@ public class XML11Configuration extends ParserConfigurationSettings
     protected static final String SCHEMA_DV_FACTORY =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SCHEMA_DV_FACTORY_PROPERTY;
 
-    /** Property identifier: access to external dtd */
+    /** Property identifier: Security property manager. */
-    protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+    private static final String XML_SECURITY_PROPERTY_MANAGER =
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
 
-    /** Property identifier: access to external schema */
-    protected static final String ACCESS_EXTERNAL_SCHEMA = XMLConstants.ACCESS_EXTERNAL_SCHEMA;
 
     // debugging
 
@@ -535,8 +531,7 @@ public class XML11Configuration extends ParserConfigurationSettings
                 SCHEMA_NONS_LOCATION,
                 LOCALE,
                 SCHEMA_DV_FACTORY,
-                ACCESS_EXTERNAL_DTD,
+                XML_SECURITY_PROPERTY_MANAGER
-                ACCESS_EXTERNAL_SCHEMA
         };
         addRecognizedProperties(recognizedProperties);
 
@@ -584,14 +579,7 @@ public class XML11Configuration extends ParserConfigurationSettings
 
         fVersionDetector = new XMLVersionDetector();
 
-        //FEATURE_SECURE_PROCESSING is true, see the feature above
+        fProperties.put(XML_SECURITY_PROPERTY_MANAGER, new XMLSecurityPropertyManager());
-        String accessExternal =  SecuritySupport.getDefaultAccessProperty(
-                Constants.SP_ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT);
-        fProperties.put(ACCESS_EXTERNAL_DTD, accessExternal);
-
-        accessExternal =  SecuritySupport.getDefaultAccessProperty(
-                Constants.SP_ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT);
-        fProperties.put(ACCESS_EXTERNAL_SCHEMA, accessExternal);
 
         // add message formatters
         if (fErrorReporter.getMessageFormatter(XMLMessageFormatter.XML_DOMAIN) == null) {

jaxp/src/com/sun/org/apache/xerces/internal/utils/SecuritySupport.java

@@ -223,7 +223,8 @@ public final class SecuritySupport {
      * @return the name of the protocol if rejected, null otherwise
      */
     public static String checkAccess(String systemId, String allowedProtocols, String accessAny) throws IOException {
-        if (systemId == null || allowedProtocols.equalsIgnoreCase(accessAny)) {
+        if (systemId == null || (allowedProtocols != null &&
+                allowedProtocols.equalsIgnoreCase(accessAny))) {
             return null;
         }
 
@@ -256,6 +257,9 @@ public final class SecuritySupport {
      * @return true if the protocol is in the list
      */
     private static boolean isProtocolAllowed(String protocol, String allowedProtocols) {
+         if (allowedProtocols == null) {
+             return false;
+         }
          String temp[] = allowedProtocols.split(",");
          for (String t : temp) {
              t = t.trim();
@@ -267,18 +271,16 @@ public final class SecuritySupport {
      }
 
     /**
-     * Read from $java.home/lib/jaxp.properties for the specified property
+     * Read JAXP system property in this order: system property,
+     * $java.home/lib/jaxp.properties if the system property is not specified
      *
      * @param propertyId the Id of the property
      * @return the value of the property
      */
-    public static String getDefaultAccessProperty(String sysPropertyId, String defaultVal) {
+    public static String getJAXPSystemProperty(String sysPropertyId) {
-        String accessExternal = SecuritySupport.getSystemProperty(sysPropertyId);
+        String accessExternal = getSystemProperty(sysPropertyId);
         if (accessExternal == null) {
             accessExternal = readJAXPProperty(sysPropertyId);
-            if (accessExternal == null) {
-                accessExternal = defaultVal;
-            }
         }
         return accessExternal;
     }

jaxp/src/com/sun/org/apache/xerces/internal/utils/XMLSecurityPropertyManager.java

@@ -0,0 +1,190 @@
+/*
+ * Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package com.sun.org.apache.xerces.internal.utils;
+
+import com.sun.org.apache.xerces.internal.impl.Constants;
+import javax.xml.XMLConstants;
+
+/**
+ * This class manages security related properties
+ *
+ */
+public final class XMLSecurityPropertyManager {
+
+    /**
+     * States of the settings of a property, in the order: default value, value
+     * set by FEATURE_SECURE_PROCESSING, jaxp.properties file, jaxp system
+     * properties, and jaxp api properties
+     */
+    public static enum State {
+        //this order reflects the overriding order
+        DEFAULT, FSP, JAXPDOTPROPERTIES, SYSTEMPROPERTY, APIPROPERTY
+    }
+
+    /**
+     * Limits managed by the security manager
+     */
+    public static enum Property {
+        ACCESS_EXTERNAL_DTD(XMLConstants.ACCESS_EXTERNAL_DTD,
+                Constants.EXTERNAL_ACCESS_DEFAULT),
+        ACCESS_EXTERNAL_SCHEMA(XMLConstants.ACCESS_EXTERNAL_SCHEMA,
+                Constants.EXTERNAL_ACCESS_DEFAULT);
+
+        final String name;
+        final String defaultValue;
+
+        Property(String name, String value) {
+            this.name = name;
+            this.defaultValue = value;
+        }
+
+        public boolean equalsName(String propertyName) {
+            return (propertyName == null) ? false : name.equals(propertyName);
+        }
+
+        String defaultValue() {
+            return defaultValue;
+        }
+    }
+
+    /**
+     * Values of the properties as defined in enum Properties
+     */
+    private final String[] values;
+    /**
+     * States of the settings for each property in Properties above
+     */
+    private State[] states = {State.DEFAULT, State.DEFAULT};
+
+    /**
+     * Default constructor. Establishes default values
+     */
+    public XMLSecurityPropertyManager() {
+        values = new String[Property.values().length];
+        for (Property property : Property.values()) {
+            values[property.ordinal()] = property.defaultValue();
+        }
+        //read system properties or jaxp.properties
+        readSystemProperties();
+    }
+
+    /**
+     * Set the value for a specific property.
+     *
+     * @param property the property
+     * @param state the state of the property
+     * @param value the value of the property
+     */
+    public void setValue(Property property, State state, String value) {
+        //only update if it shall override
+        if (state.compareTo(states[property.ordinal()]) >= 0) {
+            values[property.ordinal()] = value;
+            states[property.ordinal()] = state;
+        }
+    }
+
+    /**
+     * Set the value of a property by its index
+     * @param index the index of the property
+     * @param state the state of the property
+     * @param value the value of the property
+     */
+    public void setValue(int index, State state, String value) {
+        //only update if it shall override
+        if (state.compareTo(states[index]) >= 0) {
+            values[index] = value;
+            states[index] = state;
+        }
+    }
+    /**
+     * Return the value of the specified property
+     *
+     * @param property the property
+     * @return the value of the property
+     */
+    public String getValue(Property property) {
+        return values[property.ordinal()];
+    }
+
+    /**
+     * Return the value of a property by its ordinal
+     * @param index the index of a property
+     * @return value of a property
+     */
+    public String getValueByIndex(int index) {
+        return values[index];
+    }
+
+    /**
+     * Get the index by property name
+     * @param propertyName property name
+     * @return the index of the property if found; return -1 if not
+     */
+    public int getIndex(String propertyName){
+        for (Property property : Property.values()) {
+            if (property.equalsName(propertyName)) {
+                //internally, ordinal is used as index
+                return property.ordinal();
+            }
+        }
+        return -1;
+    }
+
+    /**
+     * Read from system properties, or those in jaxp.properties
+     */
+    private void readSystemProperties() {
+        getSystemProperty(Property.ACCESS_EXTERNAL_DTD,
+                Constants.SP_ACCESS_EXTERNAL_DTD);
+        getSystemProperty(Property.ACCESS_EXTERNAL_SCHEMA,
+                Constants.SP_ACCESS_EXTERNAL_SCHEMA);
+    }
+
+    /**
+     * Read from system properties, or those in jaxp.properties
+     *
+     * @param property the property
+     * @param systemProperty the name of the system property
+     */
+    private void getSystemProperty(Property property, String systemProperty) {
+        try {
+            String value = SecuritySupport.getSystemProperty(systemProperty);
+            if (value != null) {
+                values[property.ordinal()] = value;
+                states[property.ordinal()] = State.SYSTEMPROPERTY;
+                return;
+            }
+
+            value = SecuritySupport.readJAXPProperty(systemProperty);
+            if (value != null) {
+                values[property.ordinal()] = value;
+                states[property.ordinal()] = State.JAXPDOTPROPERTIES;
+            }
+        } catch (NumberFormatException e) {
+            //invalid setting ignored
+        }
+    }
+}

jaxp/src/com/sun/org/apache/xerces/internal/xinclude/XIncludeHandler.java

@@ -68,6 +68,7 @@ import com.sun.org.apache.xerces.internal.xni.parser.XMLParserConfiguration;
 import com.sun.org.apache.xerces.internal.xpointer.XPointerHandler;
 import com.sun.org.apache.xerces.internal.xpointer.XPointerProcessor;
 import com.sun.org.apache.xerces.internal.utils.ObjectFactory;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityPropertyManager;
 import java.util.Objects;
 
 /**
@@ -231,13 +232,9 @@ public class XIncludeHandler
     protected static final String PARSER_SETTINGS =
         Constants.XERCES_FEATURE_PREFIX + Constants.PARSER_SETTINGS;
 
-    /** property identifier: access external dtd. */
+    /** property identifier: XML security property manager. */
-    protected static final String ACCESS_EXTERNAL_DTD = XMLConstants.ACCESS_EXTERNAL_DTD;
+    protected static final String XML_SECURITY_PROPERTY_MANAGER =
-
+            Constants.XML_SECURITY_PROPERTY_MANAGER;
-    /** access external dtd: file protocol
-     *  For DOM/SAX, the secure feature is set to true by default
-     */
-    final static String EXTERNAL_ACCESS_DEFAULT = Constants.EXTERNAL_ACCESS_DEFAULT;
 
     /** Recognized features. */
     private static final String[] RECOGNIZED_FEATURES =
@@ -293,12 +290,7 @@ public class XIncludeHandler
     protected XMLErrorReporter fErrorReporter;
     protected XMLEntityResolver fEntityResolver;
     protected SecurityManager fSecurityManager;
-    /**
+    protected XMLSecurityPropertyManager fSecurityPropertyMgr;
-     * comma-delimited list of protocols that are allowed for the purpose
-     * of accessing external dtd or entity references
-     */
-    protected String fAccessExternalDTD = EXTERNAL_ACCESS_DEFAULT;
-
 
     // these are needed for text include processing
     protected XIncludeTextReader fXInclude10TextReader;
@@ -540,7 +532,8 @@ public class XIncludeHandler
             fSecurityManager = null;
         }
 
-        fAccessExternalDTD = (String)componentManager.getProperty(ACCESS_EXTERNAL_DTD);
+        fSecurityPropertyMgr = (XMLSecurityPropertyManager)
+                componentManager.getProperty(Constants.XML_SECURITY_PROPERTY_MANAGER);
 
         // Get buffer size.
         try {
@@ -687,11 +680,13 @@ public class XIncludeHandler
             }
             return;
         }
-        if (propertyId.equals(ACCESS_EXTERNAL_DTD)) {
+        if (propertyId.equals(XML_SECURITY_PROPERTY_MANAGER)) {
-            fAccessExternalDTD = (String)value;
+            fSecurityPropertyMgr = (XMLSecurityPropertyManager)value;
+
             if (fChildConfig != null) {
-                fChildConfig.setProperty(propertyId, value);
+                fChildConfig.setProperty(XML_SECURITY_PROPERTY_MANAGER, value);
             }
+
             return;
         }
 
@@ -1652,7 +1647,7 @@ public class XIncludeHandler
                 if (fErrorReporter != null) fChildConfig.setProperty(ERROR_REPORTER, fErrorReporter);
                 if (fEntityResolver != null) fChildConfig.setProperty(ENTITY_RESOLVER, fEntityResolver);
                 fChildConfig.setProperty(SECURITY_MANAGER, fSecurityManager);
-                fChildConfig.setProperty(ACCESS_EXTERNAL_DTD, fAccessExternalDTD);
+                fChildConfig.setProperty(XML_SECURITY_PROPERTY_MANAGER, fSecurityPropertyMgr);
                 fChildConfig.setProperty(BUFFER_SIZE, new Integer(fBufferSize));
 
                 // features must be copied to child configuration

jaxp/src/com/sun/org/apache/xml/internal/utils/XMLReaderManager.java

@@ -140,12 +140,6 @@ public class XMLReaderManager {
                     // Try to carry on if we've got a parser that
                     // doesn't know about namespace prefixes.
                 }
-                try {
-                    reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, _accessExternalDTD);
-                } catch (SAXException se) {
-                    System.err.println("Warning:  " + reader.getClass().getName() + ": "
-                                + se.getMessage());
-                }
             } catch (ParserConfigurationException ex) {
                 throw new SAXException(ex);
             } catch (FactoryConfigurationError ex1) {
@@ -162,6 +156,14 @@ public class XMLReaderManager {
             }
         }
 
+        try {
+            //reader is cached, but this property might have been reset
+            reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, _accessExternalDTD);
+        } catch (SAXException se) {
+            System.err.println("Warning:  " + reader.getClass().getName() + ": "
+                        + se.getMessage());
+        }
+
         return reader;
     }