Issues getting XML Parsing Libraries Working

I’m developing a Confluence Data Center plugin using Java and am having trouble instantiating an DocumentBuilderFactory to parse the XML storage format. When I call this from within my plugin:

DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();

I get this error:

[INFO] [talledLocalContainer] java.lang.ClassCastException: class org.apache.xerces.jaxp.DocumentBuilderFactoryImpl cannot be cast to class javax.xml.parsers.DocumentBuilderFactory (org.apache.xerces.jaxp.DocumentBuilderFactoryImpl is in unnamed module of loader org.apache.catalina.loader.ParallelWebappClassLoader @37d61cea; javax.xml.parsers.DocumentBuilderFactory is in unnamed module of loader org.apache.felix.framework.BundleWiringImpl$BundleClassLoader @4e30df9f)
[INFO] [talledLocalContainer]   at javax.xml.parsers.DocumentBuilderFactory.newInstance(Unknown Source)
<stack trace trimmed for clarity>

From what I understand this appears to be some kind of OSGi issue; the implementing class in Apache Xerces is provided by the JVM, and is present in the parent classloader, but I need to do something to make it available to my bundle’s classloader. I’ve tried a few things in the <Import-Package> section of my confluence-maven-plugin configuration instructions, but can’t seem to get it working.

Any tips? How do I get XML parsing working in a plugin?

2 Likes

Hi Kashev,

I found some interesting stuff to look at in the source code of javax.xml.parser.DocumentBuilderFactory. Apparently the class

org.apache.xerces.jaxp.DocumentBuilderFactoryImpl

is a fallback classname for when it cannot find the standard class in the JRE.

I also the authors of DocumentBuilderFactory note that you can try to troubleshoot with the following flag upon start of the plugin: -Djaxp.debug=1

Other than this, our bundle has access to this class by default without any issues.
Below is our instructions in the atlassian maven plugin descriptor in our pom:

<instructions>
  <Import-Package>
    *;version="0";resolution:=optional
  </Import-Package>
  <Atlassian-Plugin-Key>${atlassian.plugin.key}</Atlassian-Plugin-Key>
  <Atlassian-Scan-Folders>META-INF/plugin-descriptors
  </Atlassian-Scan-Folders>
  <Spring-Context>*</Spring-Context>
  <Export-Package />
</instructions>

Cheers,
Elias
Kantega SSO

2 Likes

Hello hello

When using XML libraries in Confluence ,

  1. you need to ensure their usage is secure
  2. you should use the atlassian-secure-xml dependency
<dependency>
    <groupId>com.atlassian.security</groupId>
    <artifactId>atlassian-secure-xml</artifactId>
    <version>3.2.11</version>
</dependency>
...
SecureXmlParserFactory.newDocumentBuilder();
SecureXmlParserFactory.newXmlInputFactory();
SecureXmlParserFactory.newXmlReader();

Also the plugin descriptor describe in @EliasBrattliSorensen answer should do

Here is one of my fun memories dealing with XML libraries in Confluence How we stopped vulnerable code from landing in production - Atlassian Developer Blog

Cheers
Hasnae
former Confluence person