Bug 779584 (SOA-1957)

Summary: parsing of pageflow requires internet connection
Product: [JBoss] JBoss Enterprise SOA Platform 4 Reporter: trev <tkirby>
Component: JBPM - within SOAAssignee: Douglas Palmer <dpalmer>
Status: CLOSED NEXTRELEASE QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: 4.3 CP02   
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
URL: http://jira.jboss.org/jira/browse/SOA-1957
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 779585 (view as bug list) Environment:
Last Closed: 2011-11-02 09:46:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description trev 2010-02-18 14:21:01 UTC 
Date of First Response: 2010-04-19 20:49:20
project_key: SOA

jpdlParser has hard coded XSDs for local parsing instead of regular expression or wildcards in the file name of pageflow xsd. This causes problems for the SEAM project
Comment 1 trev 2010-02-18 14:21:29 UTC 
Link: Added: This issue depends JBPM-2774
Comment 2 Alejandro Guizar 2010-04-20 00:49:20 UTC 
jBPM loads the pageflow-2.0 schema from resource org/jboss/seam/pageflow-2.0.xsd since version 3.2.4, other schema resources can be registered with JpdlParser.addSchemaResource() - see JBPM-1707. The change proposed in http://seamframework.org/Documentation/WhyDoesDeploymentFailWithASAXException does not apply to jBPM 3.2.4 and above since we have abandoned the EntityResolver in favor of the JAXP schema source property. The motivation for this change was that jBPM does not use DTDs.

The schema source property does not lend itself to resolve the pageflow schema resource for an arbitrary version as the entity resolver does. However, the Seam proposed code has a vulnerability: it can be used to access arbitrary resources in the classpath by crafting the systemId.

if (systemId.startsWith(SEAM_NAMESPACE)) {
  String path = "org/jboss/seam/" + systemId.substring(SEAM_NAMESPACE.length());
  inputSource = new InputSource(org.jboss.seam.Seam.class.getResourceAsStream(path));
}

There are several options here.
(a) Have JpdlParser try to load any schema resources named org/jboss/seam/pageflow-2.n.xsd, n >= 0 from the classpath.
(b) Have Seam register pageflow schemas more recent than 2.0 by calling org/jboss/seam/pageflow-2.0.xsd.
(c) Introduce a configuration property jbpm.schema.resources and load only the resources specified there from the classpath.
Comment 3 (please assign to mrietvel@redhat.com) 2011-11-02 09:38:38 UTC 
Doug, 

The corresponding jBPM issue seems to have been fixed by Alejandro. Assigning to you so that you can close it when you want to. 

Thanks