Merge pull request #2300 from patriot1burke/master

KEYCLOAK-2536
Bill Burke 2016-02-29 20:08:19 -05:00
commit 8aa0727d88
2 changed files with 15 additions and 0 deletions


@ -83,6 +83,7 @@ public class UndertowSessionTokenStore implements AdapterTokenStore {
} else {
log.debug("Account was not active, returning false");
session.removeAttribute(KeycloakUndertowAccount.class.getName());
session.removeAttribute(KeycloakSecurityContext.class.getName());
session.invalidate(exchange);
return false;
}
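Review bot: The debug message in this else branch says only "Account was not active, returning false", yet the branch also removes both Keycloak session attributes and invalidates the HTTP session, so the log does not record that the session was torn down. Consider `log.debug("Account was not active, invalidating session and returning false");` so a forced logout can be correlated with the log. The enclosing method starts and ends outside this hunk, and the rendered page no longer shows which of these lines the commit added.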


@ -27,6 +27,7 @@ import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBElement;
import javax.xml.bind.util.JAXBSource;
@ -108,6 +109,19 @@ public class TransformerUtil {
SecurityActions.setTCCL(TransformerUtil.class.getClassLoader());
}
transformerFactory = TransformerFactory.newInstance();
try {
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
} catch (TransformerConfigurationException ignored) {
// some platforms don't support this. For example our testsuite pulls Selenium which requires Xalan 2.7.1
}
try {
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
} catch (Exception ignored) {
// some platforms don't support this. For example our testsuite pulls Selenium which requires Xalan 2.7.1
}
} finally {
if (tccl_jaxp) {
SecurityActions.setTCCL(prevTCCL);
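Review bot: Both new catch blocks swallow the failure without logging, so on a JAXP implementation that rejects these settings the factory is still used with no secure-processing limits and no restriction on external DTD or stylesheet access, and nothing records that the hardening was skipped. The two `setAttribute` calls also share one try, so a rejected `ACCESS_EXTERNAL_DTD` means `ACCESS_EXTERNAL_STYLESHEET` is never attempted; each call should get its own try. `setAttribute` signals an unsupported attribute with `IllegalArgumentException`, so `} catch (IllegalArgumentException e) {` is narrower than `catch (Exception ignored)`, and each catch should log a warning naming the setting that could not be applied. The enclosing method starts before this hunk and its finally block continues past it.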