Configuring XML Handling
Spin can be configured to change XML parsing, writing, and mapping settings. Spin uses JAXB and DOM to handle XML.
Therefore, the XML data format uses instances of `javax.xml.parsers.DocumentBuilderFactory`, `javax.xml.transform.TransformerFactory`, and `javax.xml.bind.JAXBContext` that can be configured using Spin's configuration mechanism.
For example, a custom application may provide an implementation of `org.camunda.spin.spi.DataFormatConfigurator` that exchanges the `JAXBContext`. Spin uses and caches the context to improve performance.
The data format class to register a configurator for is `org.camunda.spin.impl.xml.dom.format.DomXmlDataFormat`.
An instance of this class provides setter methods (for the entities mentioned above) that can be used to replace the default instances. Refer to the JDK documentation on what configuration can be applied.
Safe XML processing
The Spin XML data format provides the following configuration properties to enable secure parsing of XML documents:
Property | Description |
---|---|
`xxe-processing` | Toggle the processing of XML External Entities (XXE) in an XML document. Disable to prevent XXE attacks. Default value: `false` |
`secure-processing` | Toggle the secure processing of an XML document. Default value: `true` |
To provide a custom configuration, you can pass these properties in a `Map` to the `DataFormats.loadDataFormats(...)` method, similar to the example below:
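```java
import java.util.HashMap;
import java.util.Map;
import org.camunda.spin.DataFormats;
// Example values only: they override the defaults, turning XXE processing on and secure processing off.
Map<String, Object> configurationOptions = new HashMap<>();
configurationOptions.put("xxe-processing", true);
configurationOptions.put("secure-processing", false);
DataFormats.loadDataFormats(classloader, configurationOptions);
```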
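A configurator that swaps in a custom `DocumentBuilderFactory`, as an added example that is not part of the Spin documentation or code base: because the setter replaces the default factory, the example applies the XXE and secure-processing protections to the new factory explicitly. Assumptions: the setter is named `setDocumentBuilderFactory`, the class is registered in `META-INF/services/org.camunda.spin.spi.DataFormatConfigurator`, and the package and class names are hypothetical.

```java
package com.example.spin; // hypothetical package name

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.camunda.spin.impl.xml.dom.format.DomXmlDataFormat;
import org.camunda.spin.spi.DataFormatConfigurator;

/**
 * Added example: installs a hardened DocumentBuilderFactory on Spin's XML data format.
 * Assumed registration: list this class name in
 * META-INF/services/org.camunda.spin.spi.DataFormatConfigurator.
 */
public class HardenedXmlConfigurator implements DataFormatConfigurator<DomXmlDataFormat> {

  @Override
  public Class<DomXmlDataFormat> getDataFormatClass() {
    return DomXmlDataFormat.class;
  }

  @Override
  public void configure(DomXmlDataFormat dataFormat) {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(true);
    try {
      // JAXP secure processing: enforces entity expansion and size limits.
      factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
      // Reject any DOCTYPE declaration, which rules out entity definitions entirely.
      factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
      // Defense in depth in case DOCTYPE handling is re-enabled later.
      factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
      factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
      factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    } catch (ParserConfigurationException e) {
      // Fail closed: never fall back to an unhardened parser.
      throw new IllegalStateException("XML parser lacks a required hardening feature", e);
    }
    factory.setXIncludeAware(false);
    factory.setExpandEntityReferences(false);
    // Empty protocol lists: external DTDs and schemas may not be fetched at all.
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
    // Assumed setter name on DomXmlDataFormat.
    dataFormat.setDocumentBuilderFactory(factory);
  }
}
```

The feature URIs are those understood by the JDK's built-in parser; with a different JAXP implementation on the classpath an unsupported feature makes `configure` throw instead of leaving the parser unprotected.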