Hide Forgot
++ This bug is a clone of bug 779584 ++ Date of First Response: 2010-04-19 20:49:20 project_key: SOA jpdlParser has hard coded XSDs for local parsing instead of regular expression or wildcards in the file name of pageflow xsd. This causes problems for the SEAM project
Link: Added: This issue depends JBPM-2774
jBPM loads the pageflow-2.0 schema from resource org/jboss/seam/pageflow-2.0.xsd since version 3.2.4, other schema resources can be registered with JpdlParser.addSchemaResource() - see JBPM-1707. The change proposed in http://seamframework.org/Documentation/WhyDoesDeploymentFailWithASAXException does not apply to jBPM 3.2.4 and above since we have abandoned the EntityResolver in favor of the JAXP schema source property. The motivation for this change was that jBPM does not use DTDs. The schema source property does not lend itself to resolve the pageflow schema resource for an arbitrary version as the entity resolver does. However, the Seam proposed code has a vulnerability: it can be used to access arbitrary resources in the classpath by crafting the systemId. if (systemId.startsWith(SEAM_NAMESPACE)) { String path = "org/jboss/seam/" + systemId.substring(SEAM_NAMESPACE.length()); inputSource = new InputSource(org.jboss.seam.Seam.class.getResourceAsStream(path)); } There are several options here. (a) Have JpdlParser try to load any schema resources named org/jboss/seam/pageflow-2.n.xsd, n >= 0 from the classpath. (b) Have Seam register pageflow schemas more recent than 2.0 by calling org/jboss/seam/pageflow-2.0.xsd. (c) Introduce a configuration property jbpm.schema.resources and load only the resources specified there from the classpath.
Doug, The corresponding jBPM issue seems to have been fixed by Alejandro. Assigning to you so that you can close it when you want to. Thanks