Use the Security Manager only if available.

Closes #2

Author: carlosame

src/io/sf/carte/doc/xml/dtd/DefaultEntityResolver.java

@@ -15,11 +15,11 @@
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.Reader;
+import java.lang.reflect.Constructor;
 import java.net.HttpURLConnection;
 import java.net.URL;
 import java.net.URLConnection;
 import java.nio.charset.StandardCharsets;
-import java.security.PrivilegedActionException;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -77,6 +77,8 @@ public class DefaultEntityResolver implements EntityResolver2 {
 
 	private final HashMap<String, String> systemIdToPublicId = new HashMap<String, String>(13);
 
+	private static final DTDLoader dtdLoader = createDTDLoader();
+
 	private ClassLoader loader = null;
 
 	private HashSet<String> whitelist = null;
@@ -331,7 +333,7 @@ public final InputSource resolveEntity(String name, String publicId, String base
 		String fname = systemIdToFilename.get(systemId);
 		InputSource isrc = null;
 		if (fname != null) {
-			Reader re = loadDTDfromClasspath(fname);
+			Reader re = dtdLoader.loadDTDfromClasspath(loader, fname);
 			if (re != null) {
 				isrc = new InputSource(re);
 				isrc.setPublicId(publicId);
@@ -480,17 +482,7 @@ protected URLConnection openConnection(URL url) throws IOException {
 	 */
 	protected void connect(final URLConnection con) throws IOException {
 		con.setConnectTimeout(60000);
-		try {
-			java.security.AccessController.doPrivileged(new java.security.PrivilegedExceptionAction<Void>() {
-				@Override
-				public Void run() throws IOException {
-					con.connect();
-					return null;
-				}
-			});
-		} catch (PrivilegedActionException e) {
-			throw (IOException) e.getException();
-		}
+		dtdLoader.connect(con);
 	}
 
 	/**
@@ -519,26 +511,52 @@ public void setClassLoader(ClassLoader loader) {
 		this.loader = loader;
 	}
 
-	private Reader loadDTDfromClasspath(final String dtdFilename) {
-		InputStream is = java.security.AccessController.doPrivileged(new java.security.PrivilegedAction<InputStream>() {
-			@Override
-			public InputStream run() {
-				InputStream is;
-				if (loader != null) {
-					is = loader.getResourceAsStream(dtdFilename);
-				} else {
-					is = DefaultEntityResolver.class.getResourceAsStream(dtdFilename);
-				}
-				if (is == null) {
-					is = ClassLoader.getSystemResourceAsStream(dtdFilename);
-				}
-				return is;
+	private static DTDLoader createDTDLoader() {
+		DTDLoader loader;
+		try {
+			Class<?> cl = Class.forName("io.sf.carte.doc.xml.dtd.SMDTDLoader");
+			Constructor<?> ctor = cl.getConstructor();
+			loader = (DTDLoader) ctor.newInstance();
+		} catch (Exception e) {
+			loader = new SimpleDTDLoader();
+		}
+		return loader;
+	}
+
+	abstract static class DTDLoader {
+		abstract void connect(URLConnection con) throws IOException;
+		abstract Reader loadDTDfromClasspath(ClassLoader loader, String dtdFilename);
+	}
+
+	/**
+	 * Load DTDs without a Security Manager.
+	 */
+	private static class SimpleDTDLoader extends DTDLoader {
+
+		@Override
+		void connect(final URLConnection con) throws IOException {
+			con.connect();
+		}
+
+		@Override
+		Reader loadDTDfromClasspath(final ClassLoader loader, final String dtdFilename) {
+			InputStream is;
+			if (loader != null) {
+				is = loader.getResourceAsStream(dtdFilename);
+			} else {
+				is = DefaultEntityResolver.class.getResourceAsStream(dtdFilename);
+			}
+			if (is == null) {
+				is = ClassLoader.getSystemResourceAsStream(dtdFilename);
+			}
+
+			Reader re = null;
+			if (is != null) {
+				re = new InputStreamReader(is, StandardCharsets.UTF_8);
 			}
-		});
-		Reader re = null;
-		if (is != null) {
-			re = new InputStreamReader(is, StandardCharsets.UTF_8);
+			return re;
 		}
-		return re;
+
 	}
+
 }

src/io/sf/carte/doc/xml/dtd/SMDTDLoader.java

@@ -0,0 +1,77 @@
+/*
+
+ Copyright (c) 1998-2021, Carlos Amengual.
+
+ SPDX-License-Identifier: BSD-3-Clause
+
+ Licensed under a BSD-style License. You can find the license here:
+ https://css4j.github.io/LICENSE.txt
+
+ */
+
+package io.sf.carte.doc.xml.dtd;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.Reader;
+import java.net.URLConnection;
+import java.nio.charset.StandardCharsets;
+import java.security.PrivilegedActionException;
+
+import io.sf.carte.doc.xml.dtd.DefaultEntityResolver.DTDLoader;
+
+/**
+ * Load DTDs using the privileges granted by a {@code SecurityManager}.
+ * <p>
+ * This class uses deprecated methods.
+ * </p>
+ */
+class SMDTDLoader extends DTDLoader {
+
+	public SMDTDLoader() {
+		super();
+	}
+
+	@SuppressWarnings({ "deprecation", "removal" })
+	@Override
+	void connect(final URLConnection con) throws IOException {
+		try {
+			java.security.AccessController.doPrivileged(new java.security.PrivilegedExceptionAction<Void>() {
+				@Override
+				public Void run() throws IOException {
+					con.connect();
+					return null;
+				}
+			});
+		} catch (PrivilegedActionException e) {
+			throw (IOException) e.getException();
+		}
+	}
+
+	@Override
+	Reader loadDTDfromClasspath(final ClassLoader loader, final String dtdFilename) {
+		@SuppressWarnings({ "deprecation", "removal" })
+		InputStream is = java.security.AccessController.doPrivileged(new java.security.PrivilegedAction<InputStream>() {
+			@Override
+			public InputStream run() {
+				InputStream is;
+				if (loader != null) {
+					is = loader.getResourceAsStream(dtdFilename);
+				} else {
+					is = DefaultEntityResolver.class.getResourceAsStream(dtdFilename);
+				}
+				if (is == null) {
+					is = ClassLoader.getSystemResourceAsStream(dtdFilename);
+				}
+				return is;
+			}
+		});
+		Reader re = null;
+		if (is != null) {
+			re = new InputStreamReader(is, StandardCharsets.UTF_8);
+		}
+		return re;
+	}
+
+}