Merge pull request #2300 from patriot1burke/master

KEYCLOAK-2536

adapters/oidc/undertow/src/main/java/org/keycloak/adapters/undertow/UndertowSessionTokenStore.java

@@ -83,6 +83,7 @@ public class UndertowSessionTokenStore implements AdapterTokenStore {
         } else {
             log.debug("Account was not active, returning false");
             session.removeAttribute(KeycloakUndertowAccount.class.getName());
+            session.removeAttribute(KeycloakSecurityContext.class.getName());
             session.invalidate(exchange);
             return false;
         }

saml-core/src/main/java/org/keycloak/saml/common/util/TransformerUtil.java

@@ -27,6 +27,7 @@ import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 
+import javax.xml.XMLConstants;
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBElement;
 import javax.xml.bind.util.JAXBSource;
@@ -108,6 +109,19 @@ public class TransformerUtil {
                     SecurityActions.setTCCL(TransformerUtil.class.getClassLoader());
                 }
                 transformerFactory = TransformerFactory.newInstance();
+                try {
+                    transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+                } catch (TransformerConfigurationException ignored) {
+                    // some platforms don't support this.   For example our testsuite pulls Selenium which requires Xalan 2.7.1
+                }
+                try {
+                    transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+
+                    transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+                } catch (Exception ignored) {
+                    // some platforms don't support this.   For example our testsuite pulls Selenium which requires Xalan 2.7.1
+                }
+
             } finally {
                 if (tccl_jaxp) {
                     SecurityActions.setTCCL(prevTCCL);