we migrated our custom application from POI v4.1.2 to v5.0.0, and we are running on openjdk 11.0.10 we do not include any Xerces lib manually in the project (i.e. using the default jdk11 xml processor) everytime it write an excel file, the following warn log will be triggered but the output excel files seems fine in the MS Office can this error message be ignored? or there is missing configuration? the default jdk11 seems does not support the reuqired accessExternalSchema https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/java.xml/share/classes/com/sun/org/apache/xalan/internal/utils/XMLSecurityPropertyManager.java#L42 the caller code from POI https://github.com/apache/poi/blob/trunk/poi/src/main/java/org/apache/poi/util/XMLHelper.java#L225 2021-05-24 23:52:11.891 [main] WARN org.apache.poi.util.XMLHelper._log - SAX Feature unsupported [log suppressed for 5 minutes]http://javax.xml.XMLConstants/property/accessExternalSchema java.lang.IllegalArgumentException: TransformerFactory does not recognise attribute 'http://javax.xml.XMLConstants/property/accessExternalSchema'. at java.xml/com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl.setAttribute(TransformerFactoryImpl.java:526) ~[na:na] at org.apache.poi.util.XMLHelper.trySet(XMLHelper.java:280) ~[poi-5.0.0.jar:5.0.0] at org.apache.poi.util.XMLHelper.getTransformerFactory(XMLHelper.java:222) ~[poi-5.0.0.jar:5.0.0] at org.apache.poi.util.XMLHelper.newTransformer(XMLHelper.java:227) ~[poi-5.0.0.jar:5.0.0] at org.apache.poi.openxml4j.opc.StreamHelper.saveXmlInStream(StreamHelper.java:56) ~[poi-ooxml-5.0.0.jar:5.0.0] at org.apache.poi.openxml4j.opc.internal.ZipContentTypeManager.saveImpl(ZipContentTypeManager.java:69) ~[poi-ooxml-5.0.0.jar:5.0.0] at org.apache.poi.openxml4j.opc.internal.ContentTypeManager.save(ContentTypeManager.java:452) ~[poi-ooxml-5.0.0.jar:5.0.0] at org.apache.poi.openxml4j.opc.ZipPackage.saveImpl(ZipPackage.java:520) ~[poi-ooxml-5.0.0.jar:5.0.0] at org.apache.poi.openxml4j.opc.OPCPackage.save(OPCPackage.java:1514) ~[poi-ooxml-5.0.0.jar:5.0.0] at org.apache.poi.ooxml.POIXMLDocument.write(POIXMLDocument.java:227) ~[poi-ooxml-5.0.0.jar:5.0.0] at org.apache.poi.xssf.streaming.SXSSFWorkbook.write(SXSSFWorkbook.java:965) ~[poi-ooxml-5.0.0.jar:5.0.0] .............
this is benign - I've tried to relax the code so the logging won't happen (after v5.1.0 is released) - r1894032
I'm receiving this message still in 5.1.0 running JDK 17. Did the change to remove the logging make it in to 5.1.0? It does seem to raise every 5 minutes is this something that everyone is going to need to mute in their logging configuration? 2021-11-16 17:12:54,452 WARN [org.apache.poi.util.XMLHelper] (default task-402) SAX Feature unsupported [log suppressed for 5 minutes]http://javax.xml.XMLConstants/property/accessExternalDTD: java.lang.IllegalArgumentException: TransformerFactory does not recognise attribute 'http://javax.xml.XMLConstants/property/accessExternalDTD'. at org.apache.xalan//org.apache.xalan.xsltc.trax.TransformerFactoryImpl.setAttribute(TransformerFactoryImpl.java:373) at __redirected.__TransformerFactory.setAttribute(__TransformerFactory.java:119) at deployment.ROOT.war//org.apache.poi.util.XMLHelper.trySet(XMLHelper.java:284) at deployment.ROOT.war//org.apache.poi.util.XMLHelper.getTransformerFactory(XMLHelper.java:224) at deployment.ROOT.war//org.apache.poi.util.XMLHelper.newTransformer(XMLHelper.java:231) at deployment.ROOT.war//org.apache.poi.openxml4j.opc.StreamHelper.saveXmlInStream(StreamHelper.java:56) at deployment.ROOT.war//org.apache.poi.openxml4j.opc.internal.ZipContentTypeManager.saveImpl(ZipContentTypeManager.java:68) at deployment.ROOT.war//org.apache.poi.openxml4j.opc.internal.ContentTypeManager.save(ContentTypeManager.java:450) at deployment.ROOT.war//org.apache.poi.openxml4j.opc.ZipPackage.saveImpl(ZipPackage.java:554) at deployment.ROOT.war//org.apache.poi.openxml4j.opc.OPCPackage.save(OPCPackage.java:1487) at deployment.ROOT.war//org.apache.poi.ooxml.POIXMLDocument.write(POIXMLDocument.java:227)
Cody, your stacktrace seems to indicate that you are not using poi-5.1.0.jar - that you are using an older jar. XMLHelper line 224 does not set accessExternalSchema param in latest code. https://github.com/apache/poi/blob/trunk/poi/src/main/java/org/apache/poi/util/XMLHelper.java#L224 If the logging upsets you, can't you change your log configuration so the XMLHelper does not emit info level logs?
PJ, Everything looks like I'm using 5.1.0 but I'm not able to easily verify the sources or debug it as https://repo1.maven.org/maven2/org/apache/poi/poi/5.1.0/poi-5.1.0-sources.jar is returning a 404 I can update the logging in my application server to only show ERROR level or higher for org.apache.poi.util.XMLHelper as it logs as a warn level in a wildfly application server.
https://repo1.maven.org/maven2/org/apache/poi/poi/5.1.0/poi-5.1.0-sources.jar is working now
Unfortunately it still is a 404 for me, but I suspect that is a cloudfront cache issue based on the headers.
I see the issue in an Springboot 2.6, Java Java 1.8.0_312 based application. I don't see the warning using POI 5.0.0. org.apache.poi.util.XMLHelper : SAX Feature unsupported [log suppressed for 5 minutes]http://javax.xml.XMLConstants/property/accessExternalDTD java.lang.IllegalArgumentException: Nicht unterstützt: http://javax.xml.XMLConstants/property/accessExternalDTD at org.apache.xalan.processor.TransformerFactoryImpl.setAttribute(TransformerFactoryImpl.java:571) ~[xalan-2.7.2.jar:na] at org.apache.poi.util.XMLHelper.trySet(XMLHelper.java:284) [poi-5.1.0.jar:5.1.0] at org.apache.poi.util.XMLHelper.getTransformerFactory(XMLHelper.java:224) [poi-5.1.0.jar:5.1.0] at org.apache.poi.util.XMLHelper.newTransformer(XMLHelper.java:231) [poi-5.1.0.jar:5.1.0] at org.apache.poi.openxml4j.opc.StreamHelper.saveXmlInStream(StreamHelper.java:56) [poi-ooxml-5.1.0.jar:5.1.0] at org.apache.poi.openxml4j.opc.internal.ZipContentTypeManager.saveImpl(ZipContentTypeManager.java:68) [poi-ooxml-5.1.0.jar:5.1.0] at org.apache.poi.openxml4j.opc.internal.ContentTypeManager.save(ContentTypeManager.java:450) [poi-ooxml-5.1.0.jar:5.1.0] at org.apache.poi.openxml4j.opc.ZipPackage.saveImpl(ZipPackage.java:554) [poi-ooxml-5.1.0.jar:5.1.0] at org.apache.poi.openxml4j.opc.OPCPackage.save(OPCPackage.java:1487) [poi-ooxml-5.1.0.jar:5.1.0] at org.apache.poi.ooxml.POIXMLDocument.write(POIXMLDocument.java:227) [poi-ooxml-5.1.0.jar:5.1.0] at org.springframework.web.servlet.mvc.method.annotation.StreamingResponseBodyReturnValueHandler$StreamingResponseBodyTask.call(StreamingResponseBodyReturnValueHandler.java:111) ~[spring-webmvc-5.3.13.jar:5.3.13] at org.springframework.web.servlet.mvc.method.annotation.StreamingResponseBodyReturnValueHandler$StreamingResponseBodyTask.call(StreamingResponseBodyReturnValueHandler.java:98) ~[spring-webmvc-5.3.13.jar:5.3.13] at org.springframework.web.context.request.async.WebAsyncManager.lambda$startCallableProcessing$4(WebAsyncManager.java:337) ~[spring-web-5.3.13.jar:5.3.13] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) ~[na:1.8.0_312] at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[na:1.8.0_312] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[na:1.8.0_312] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[na:1.8.0_312] at java.lang.Thread.run(Thread.java:748) ~[na:1.8.0_312]
This issue is not about accessExternalDTD - it is about accessExternalSchema - a different property - closing
I raised https://bz.apache.org/bugzilla/show_bug.cgi?id=65700
Would like to reopen this issue as there are still warnings for accessExternalSchema - from XMLHelper.getDocumentBuilderFactory(): 2021-11-24 16:09:55,799 WARN [pool-4-thread-1] (XMLHelper.java:307) - SAX Feature unsupported [log suppressed for 5 minutes]http://javax.xml.XMLConstants/property/accessExternalSchema java.lang.IllegalArgumentException: Property 'http://javax.xml.XMLConstants/property/accessExternalSchema' is not recognized. at org.apache.xerces.jaxp.DocumentBuilderFactoryImpl.setAttribute(Unknown Source) ~[xerces_impl-2.12.1b.jar:?] at org.apache.poi.util.XMLHelper.trySet(XMLHelper.java:284) ~[poi-5.1.0.jar:5.1.0] at org.apache.poi.util.XMLHelper.getDocumentBuilderFactory(XMLHelper.java:114) ~[poi-5.1.0.jar:5.1.0] at org.apache.poi.util.XMLHelper.<clinit>(XMLHelper.java:85) ~[poi-5.1.0.jar:5.1.0] at org.apache.poi.ooxml.util.DocumentHelper.newDocumentBuilder(DocumentHelper.java:47) ~[poi-ooxml-5.1.0.jar:5.1.0] at org.apache.poi.ooxml.util.DocumentHelper.<clinit>(DocumentHelper.java:36) ~[poi-ooxml-5.1.0.jar:5.1.0] at org.apache.poi.openxml4j.opc.internal.ContentTypeManager.save(ContentTypeManager.java:429) ~[poi-ooxml-5.1.0.jar:5.1.0] at org.apache.poi.openxml4j.opc.ZipPackage.saveImpl(ZipPackage.java:554) ~[poi-ooxml-5.1.0.jar:5.1.0] at org.apache.poi.openxml4j.opc.OPCPackage.save(OPCPackage.java:1487) ~[poi-ooxml-5.1.0.jar:5.1.0] at org.apache.poi.ooxml.POIXMLDocument.write(POIXMLDocument.java:227) ~[poi-ooxml-5.1.0.jar:5.1.0] at org.apache.poi.xssf.streaming.SXSSFWorkbook.write(SXSSFWorkbook.java:963) ~[poi-ooxml-5.1.0.jar:5.1.0] This is with external Xerces library. Forcing POI to use the internal Xerces implementation from Java runtime yields no warnings. We're now forcing the internal implementations of Xerces and Xalan to be used with POI to get rid of the warnings. Maybe POI could use them directly instead of relying on what the runtime offers as default?
POI uses JAXP API - it users' responsibility to configure their JVM to use the best parsers/transformers
Using a parser/transformer that causes logging like this means that users are using sub-optimal implementations and expose themselves to security issues
I had a look at the XMLHelper and its code that logs issues at most once every 5 minutes may not be ideal. The code doesn't differentiate between events. If we log one event, then we don't log any for next 5 mins. Maybe it would be better to log once the event once and remember what we logged so we don't log it again? This would use up some memory - keeping track of all the messages we've already logged but if we're careful with the implementation, we may not use up too much. I favour not removing logging because I think it is useful to warn users that their parser implementation does not support all the security settings.
added r1897568