Bug 65326 - multiple warning log about accessExternalSchema
Summary: multiple warning log about accessExternalSchema
Status: RESOLVED FIXED
Alias: None
Product: POI
Classification: Unclassified
Component: SXSSF (show other bugs)
Version: 5.0.0-FINAL
Hardware: PC All
: P2 normal (vote)
Target Milestone: ---
Assignee: POI Developers List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-24 16:01 UTC by neo.wcng
Modified: 2022-01-28 20:18 UTC (History)
2 users (show)


Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description neo.wcng 2021-05-24 16:01:35 UTC 
we migrated our custom application from POI v4.1.2 to v5.0.0,
and we are running on openjdk 11.0.10
we do not include any Xerces lib manually in the project (i.e. using the default jdk11 xml processor)

everytime it write an excel file, the following warn log will be triggered
but the output excel files seems fine in the MS Office
can this error message be ignored? or there is missing configuration?

the default jdk11 seems does not support the reuqired accessExternalSchema
https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/src/java.xml/share/classes/com/sun/org/apache/xalan/internal/utils/XMLSecurityPropertyManager.java#L42

the caller code from POI
https://github.com/apache/poi/blob/trunk/poi/src/main/java/org/apache/poi/util/XMLHelper.java#L225


2021-05-24 23:52:11.891 [main] WARN  org.apache.poi.util.XMLHelper._log - SAX Feature unsupported [log suppressed for 5 minutes]http://javax.xml.XMLConstants/property/accessExternalSchema
java.lang.IllegalArgumentException: TransformerFactory does not recognise attribute 'http://javax.xml.XMLConstants/property/accessExternalSchema'.
	at java.xml/com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl.setAttribute(TransformerFactoryImpl.java:526) ~[na:na]
	at org.apache.poi.util.XMLHelper.trySet(XMLHelper.java:280) ~[poi-5.0.0.jar:5.0.0]
	at org.apache.poi.util.XMLHelper.getTransformerFactory(XMLHelper.java:222) ~[poi-5.0.0.jar:5.0.0]
	at org.apache.poi.util.XMLHelper.newTransformer(XMLHelper.java:227) ~[poi-5.0.0.jar:5.0.0]
	at org.apache.poi.openxml4j.opc.StreamHelper.saveXmlInStream(StreamHelper.java:56) ~[poi-ooxml-5.0.0.jar:5.0.0]
	at org.apache.poi.openxml4j.opc.internal.ZipContentTypeManager.saveImpl(ZipContentTypeManager.java:69) ~[poi-ooxml-5.0.0.jar:5.0.0]
	at org.apache.poi.openxml4j.opc.internal.ContentTypeManager.save(ContentTypeManager.java:452) ~[poi-ooxml-5.0.0.jar:5.0.0]
	at org.apache.poi.openxml4j.opc.ZipPackage.saveImpl(ZipPackage.java:520) ~[poi-ooxml-5.0.0.jar:5.0.0]
	at org.apache.poi.openxml4j.opc.OPCPackage.save(OPCPackage.java:1514) ~[poi-ooxml-5.0.0.jar:5.0.0]
	at org.apache.poi.ooxml.POIXMLDocument.write(POIXMLDocument.java:227) ~[poi-ooxml-5.0.0.jar:5.0.0]
	at org.apache.poi.xssf.streaming.SXSSFWorkbook.write(SXSSFWorkbook.java:965) ~[poi-ooxml-5.0.0.jar:5.0.0]
.............
Comment 1 PJ Fanning 2021-10-08 16:16:25 UTC 
this is benign - I've tried to relax the code so the logging won't happen (after v5.1.0 is released) - r1894032
Comment 2 Cody Lerum 2021-11-16 18:21:04 UTC 
I'm receiving this message still in 5.1.0 running JDK 17. Did the change to remove the logging make it in to 5.1.0? It does seem to raise every 5 minutes is this something that everyone is going to need to mute in their logging configuration?

2021-11-16 17:12:54,452 WARN  [org.apache.poi.util.XMLHelper] (default task-402) SAX Feature unsupported [log suppressed for 5 minutes]http://javax.xml.XMLConstants/property/accessExternalDTD: java.lang.IllegalArgumentException: TransformerFactory does not recognise attribute 'http://javax.xml.XMLConstants/property/accessExternalDTD'.
        at org.apache.xalan//org.apache.xalan.xsltc.trax.TransformerFactoryImpl.setAttribute(TransformerFactoryImpl.java:373)
        at __redirected.__TransformerFactory.setAttribute(__TransformerFactory.java:119)
        at deployment.ROOT.war//org.apache.poi.util.XMLHelper.trySet(XMLHelper.java:284)
        at deployment.ROOT.war//org.apache.poi.util.XMLHelper.getTransformerFactory(XMLHelper.java:224)
        at deployment.ROOT.war//org.apache.poi.util.XMLHelper.newTransformer(XMLHelper.java:231)
        at deployment.ROOT.war//org.apache.poi.openxml4j.opc.StreamHelper.saveXmlInStream(StreamHelper.java:56)
        at deployment.ROOT.war//org.apache.poi.openxml4j.opc.internal.ZipContentTypeManager.saveImpl(ZipContentTypeManager.java:68)
        at deployment.ROOT.war//org.apache.poi.openxml4j.opc.internal.ContentTypeManager.save(ContentTypeManager.java:450)
        at deployment.ROOT.war//org.apache.poi.openxml4j.opc.ZipPackage.saveImpl(ZipPackage.java:554)
        at deployment.ROOT.war//org.apache.poi.openxml4j.opc.OPCPackage.save(OPCPackage.java:1487)
        at deployment.ROOT.war//org.apache.poi.ooxml.POIXMLDocument.write(POIXMLDocument.java:227)
Comment 3 PJ Fanning 2021-11-16 19:51:49 UTC 
Cody, your stacktrace seems to indicate that you are not using poi-5.1.0.jar - that you are using an older jar.

XMLHelper line 224 does not set accessExternalSchema param in latest code.

https://github.com/apache/poi/blob/trunk/poi/src/main/java/org/apache/poi/util/XMLHelper.java#L224

If the logging upsets you, can't you change your log configuration so the XMLHelper does not emit info level logs?
Comment 4 Cody Lerum 2021-11-16 20:48:31 UTC 
PJ, Everything looks like I'm using 5.1.0 but I'm not able to easily verify the sources or debug it as https://repo1.maven.org/maven2/org/apache/poi/poi/5.1.0/poi-5.1.0-sources.jar is returning a 404

I can update the logging in my application server to only show ERROR level or higher for org.apache.poi.util.XMLHelper as it logs as a warn level in a wildfly application server.
Comment 6 Cody Lerum 2021-11-18 23:52:49 UTC 
Unfortunately it still is a 404 for me, but I suspect that is a cloudfront cache issue based on the headers.
Comment 7 Johannes Weberhofer 2021-11-23 14:03:29 UTC 
I see the issue in an Springboot 2.6, Java Java 1.8.0_312 based application. I don't see the warning using POI 5.0.0.


org.apache.poi.util.XMLHelper            : SAX Feature unsupported [log suppressed for 5 minutes]http://javax.xml.XMLConstants/property/accessExternalDTD

java.lang.IllegalArgumentException: Nicht unterstützt: http://javax.xml.XMLConstants/property/accessExternalDTD
	at org.apache.xalan.processor.TransformerFactoryImpl.setAttribute(TransformerFactoryImpl.java:571) ~[xalan-2.7.2.jar:na]
	at org.apache.poi.util.XMLHelper.trySet(XMLHelper.java:284) [poi-5.1.0.jar:5.1.0]
	at org.apache.poi.util.XMLHelper.getTransformerFactory(XMLHelper.java:224) [poi-5.1.0.jar:5.1.0]
	at org.apache.poi.util.XMLHelper.newTransformer(XMLHelper.java:231) [poi-5.1.0.jar:5.1.0]
	at org.apache.poi.openxml4j.opc.StreamHelper.saveXmlInStream(StreamHelper.java:56) [poi-ooxml-5.1.0.jar:5.1.0]
	at org.apache.poi.openxml4j.opc.internal.ZipContentTypeManager.saveImpl(ZipContentTypeManager.java:68) [poi-ooxml-5.1.0.jar:5.1.0]
	at org.apache.poi.openxml4j.opc.internal.ContentTypeManager.save(ContentTypeManager.java:450) [poi-ooxml-5.1.0.jar:5.1.0]
	at org.apache.poi.openxml4j.opc.ZipPackage.saveImpl(ZipPackage.java:554) [poi-ooxml-5.1.0.jar:5.1.0]
	at org.apache.poi.openxml4j.opc.OPCPackage.save(OPCPackage.java:1487) [poi-ooxml-5.1.0.jar:5.1.0]
	at org.apache.poi.ooxml.POIXMLDocument.write(POIXMLDocument.java:227) [poi-ooxml-5.1.0.jar:5.1.0]
	at org.springframework.web.servlet.mvc.method.annotation.StreamingResponseBodyReturnValueHandler$StreamingResponseBodyTask.call(StreamingResponseBodyReturnValueHandler.java:111) ~[spring-webmvc-5.3.13.jar:5.3.13]
	at org.springframework.web.servlet.mvc.method.annotation.StreamingResponseBodyReturnValueHandler$StreamingResponseBodyTask.call(StreamingResponseBodyReturnValueHandler.java:98) ~[spring-webmvc-5.3.13.jar:5.3.13]
	at org.springframework.web.context.request.async.WebAsyncManager.lambda$startCallableProcessing$4(WebAsyncManager.java:337) ~[spring-web-5.3.13.jar:5.3.13]
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) ~[na:1.8.0_312]
	at java.util.concurrent.FutureTask.run(FutureTask.java:266) ~[na:1.8.0_312]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[na:1.8.0_312]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[na:1.8.0_312]
	at java.lang.Thread.run(Thread.java:748) ~[na:1.8.0_312]
Comment 8 PJ Fanning 2021-11-23 19:34:52 UTC 
This issue is not about accessExternalDTD - it is about accessExternalSchema - a different property - closing
Comment 9 PJ Fanning 2021-11-23 19:36:43 UTC 
I raised https://bz.apache.org/bugzilla/show_bug.cgi?id=65700
Comment 10 Bernhard Schuhmann 2021-11-24 16:44:58 UTC 
Would like to reopen this issue as there are still warnings for accessExternalSchema - from XMLHelper.getDocumentBuilderFactory():


2021-11-24 16:09:55,799  WARN [pool-4-thread-1] (XMLHelper.java:307) - SAX Feature unsupported [log suppressed for 5 minutes]http://javax.xml.XMLConstants/property/accessExternalSchema
java.lang.IllegalArgumentException: Property 'http://javax.xml.XMLConstants/property/accessExternalSchema' is not recognized.
        at org.apache.xerces.jaxp.DocumentBuilderFactoryImpl.setAttribute(Unknown Source) ~[xerces_impl-2.12.1b.jar:?]
        at org.apache.poi.util.XMLHelper.trySet(XMLHelper.java:284) ~[poi-5.1.0.jar:5.1.0]
        at org.apache.poi.util.XMLHelper.getDocumentBuilderFactory(XMLHelper.java:114) ~[poi-5.1.0.jar:5.1.0]
        at org.apache.poi.util.XMLHelper.<clinit>(XMLHelper.java:85) ~[poi-5.1.0.jar:5.1.0]
        at org.apache.poi.ooxml.util.DocumentHelper.newDocumentBuilder(DocumentHelper.java:47) ~[poi-ooxml-5.1.0.jar:5.1.0]
        at org.apache.poi.ooxml.util.DocumentHelper.<clinit>(DocumentHelper.java:36) ~[poi-ooxml-5.1.0.jar:5.1.0]
        at org.apache.poi.openxml4j.opc.internal.ContentTypeManager.save(ContentTypeManager.java:429) ~[poi-ooxml-5.1.0.jar:5.1.0]
        at org.apache.poi.openxml4j.opc.ZipPackage.saveImpl(ZipPackage.java:554) ~[poi-ooxml-5.1.0.jar:5.1.0]
        at org.apache.poi.openxml4j.opc.OPCPackage.save(OPCPackage.java:1487) ~[poi-ooxml-5.1.0.jar:5.1.0]
        at org.apache.poi.ooxml.POIXMLDocument.write(POIXMLDocument.java:227) ~[poi-ooxml-5.1.0.jar:5.1.0]
        at org.apache.poi.xssf.streaming.SXSSFWorkbook.write(SXSSFWorkbook.java:963) ~[poi-ooxml-5.1.0.jar:5.1.0]

This is with external Xerces library. Forcing POI to use the internal Xerces implementation from Java runtime yields no warnings.

We're now forcing the internal implementations of Xerces and Xalan to be used with POI to get rid of the warnings.

Maybe POI could use them directly instead of relying on what the runtime offers as default?
Comment 11 PJ Fanning 2021-11-24 16:55:59 UTC 
POI uses JAXP API - it users' responsibility to configure their JVM to use the best parsers/transformers
Comment 12 PJ Fanning 2021-11-24 16:57:12 UTC 
Using a parser/transformer that causes logging like this means that users are using sub-optimal implementations and expose themselves to security issues
Comment 13 PJ Fanning 2021-12-10 20:52:56 UTC 
I had a look at the XMLHelper and its code that logs issues at most once every 5 minutes may not be ideal. The code doesn't differentiate between events. If we log one event, then we don't log any for next 5 mins. Maybe it would be better to log once the event once and remember what we logged so we don't log it again? This would use up some memory - keeping track of all the messages we've already logged but if we're careful with the implementation, we may not use up too much.

I favour not removing logging because I think it is useful to warn users that their parser implementation does not support all the security settings.
Comment 14 PJ Fanning 2022-01-28 20:18:10 UTC 
added r1897568