Configuring XML Handling

Spin can be configured to change XML parsing, writing, and mapping settings. Spin uses JAXB and DOM to handle XML. Therefore, the XML data format uses instances of javax.xml.parsers.DocumentBuilderFactory, javax.xml.transform.TransformerFactory, and javax.xml.bind.JAXBContext that can be configured using Spin’s configuration mechanism.

For example, a custom application may provide an implementation of org.camunda.spin.spi.DataFormatConfigurator that exchanges the JAXBContext. Spin uses and caches the context to improve performance.

The data format class to register a configurator for is org.camunda.spin.impl.xml.dom.format.DomXmlDataFormat. An instance of this class provides setter methods (for the entities mentioned above) that can be used to replace the defaults. Refer to the JDK documentation for the configuration that can be applied to each of them.

Safe XML processing

The Spin XML data format provides the following configuration properties to enable secure parsing of XML documents:

Property            Description
xxe-processing      Toggle the processing of XML External Entities (XXE) in an XML document. Disable to prevent XXE attacks. Default value: false
secure-processing   Toggle the secure processing of an XML document. Default value: true

To provide a custom configuration, pass these properties in a Map to the DataFormats.loadDataFormats(...) method, as in the example below:

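  Map<String, Object> configurationOptions = new HashMap<>();
  // Overrides the default (false): external entities will be processed.
  configurationOptions.put("xxe-processing", true);
  // Overrides the default (true): secure processing is switched off.
  configurationOptions.put("secure-processing", false);

  // Load the data formats with these options, using the given class loader.
  DataFormats.loadDataFormats(classloader, configurationOptions);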
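The configurator mechanism described at the top of this page can also be used to install an explicitly hardened DocumentBuilderFactory. The following is an added example, not Camunda's own code. The class name HardenedXmlConfigurator, the setter name setDocumentBuilderFactory (taken to be one of the setters the page mentions) and the chosen JDK feature list are assumptions, and how a replaced factory interacts with the xxe-processing and secure-processing properties is not stated on this page.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.camunda.spin.impl.xml.dom.format.DomXmlDataFormat;
import org.camunda.spin.spi.DataFormatConfigurator;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Added example, not Camunda code. Class name and feature list are assumptions.
public class HardenedXmlConfigurator implements DataFormatConfigurator<DomXmlDataFormat> {

  @Override
  public Class<DomXmlDataFormat> getDataFormatClass() {
    return DomXmlDataFormat.class;
  }

  @Override
  public void configure(DomXmlDataFormat dataFormat) {
    dataFormat.setDocumentBuilderFactory(hardenedFactory()); // assumed setter name
  }

  static DocumentBuilderFactory hardenedFactory() {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    try {
      dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
      // Reject any DOCTYPE, so no entity (internal or external) can be declared.
      dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
      dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
      dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    } catch (ParserConfigurationException e) { // fail closed, never fall back silently
      throw new IllegalStateException("XML parser lacks a required hardening feature", e);
    }
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);
    dbf.setNamespaceAware(true); // a fresh factory is not namespace aware by default
    return dbf;
  }

  // Self-check with a constructed document: a DOCTYPE must be refused at parse time.
  static boolean rejectsDoctype() throws Exception {
    String xml = "<!DOCTYPE order [<!ENTITY e \"x\">]><order>&e;</order>";
    try {
      hardenedFactory().newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
      return false;
    } catch (SAXParseException expected) {
      return true;
    }
  }
}
```

Spin discovers configurators through the Java service loader, so the class is registered by listing its fully qualified name in META-INF/services/org.camunda.spin.spi.DataFormatConfigurator. Calling rejectsDoctype() from a unit test gives a regression check that the hardening is still in effect after a JDK or parser upgrade.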
