changeset 20964:a5cd729f176d

8017298: Better XML support Reviewed-by: alanb, dfuchs, mullan, lancea
author joehw
date Wed, 17 Jul 2013 09:31:39 -0700
parents b38e478f8c65
children 913493fcadde
files jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLScanner.java jaxp/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages.properties jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/models/CMNodeFactory.java jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSAttributeChecker.java jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java jaxp/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java jaxp/src/com/sun/org/apache/xerces/internal/jaxp/SAXParserImpl.java jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java jaxp/src/com/sun/org/apache/xerces/internal/parsers/AbstractSAXParser.java jaxp/src/com/sun/org/apache/xerces/internal/parsers/SecurityConfiguration.java jaxp/src/com/sun/org/apache/xerces/internal/util/SecurityManager.java jaxp/src/com/sun/org/apache/xerces/internal/util/SymbolTable.java jaxp/src/com/sun/org/apache/xerces/internal/utils/XMLSecurityManager.java jaxp/src/com/sun/org/apache/xerces/internal/xinclude/XIncludeHandler.java jaxp/src/com/sun/xml/internal/stream/Entity.java
diffstat 20 files changed, 245 insertions(+), 285 deletions(-) [+]
line wrap: on
line diff
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java	Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLDocumentFragmentScannerImpl.java	Wed Jul 17 09:31:39 2013 -0700
@@ -50,9 +50,9 @@
 import com.sun.org.apache.xerces.internal.xni.Augmentations;
 import com.sun.org.apache.xerces.internal.impl.Constants;
 import com.sun.org.apache.xerces.internal.impl.XMLEntityHandler;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.NamespaceSupport;
 import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
 import com.sun.xml.internal.stream.Entity;
 import javax.xml.XMLConstants;
@@ -382,7 +382,7 @@
 
     protected boolean foundBuiltInRefs = false;
 
-    protected SecurityManager fSecurityManager = null;
+    protected XMLSecurityManager fSecurityManager = null;
 
     //skip element algorithm
     static final short MAX_DEPTH_LIMIT = 5 ;
@@ -569,8 +569,10 @@
         // xerces features
         fReportCdataEvent = componentManager.getFeature(Constants.STAX_REPORT_CDATA_EVENT, true);
 
-        fSecurityManager = (SecurityManager)componentManager.getProperty(Constants.SECURITY_MANAGER, null);
-        fElementAttributeLimit = (fSecurityManager != null)?fSecurityManager.getElementAttrLimit():0;
+        fSecurityManager = (XMLSecurityManager)componentManager.getProperty(Constants.SECURITY_MANAGER, null);
+        fElementAttributeLimit = (fSecurityManager != null)?
+                fSecurityManager.getLimit(XMLSecurityManager.Limit.ELEMENT_ATTRIBUTE_LIMIT):0;
+
 
         fNotifyBuiltInRefs = componentManager.getFeature(NOTIFY_BUILTIN_REFS, false);
 
@@ -951,6 +953,7 @@
 
         // scan decl
         super.scanXMLDeclOrTextDecl(scanningTextDecl, fStrings);
+
         fMarkupDepth--;
 
         // pseudo-attribute values
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java	Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java	Wed Jul 17 09:31:39 2013 -0700
@@ -28,9 +28,9 @@
 import com.sun.org.apache.xerces.internal.impl.XMLEntityHandler;
 import com.sun.org.apache.xerces.internal.impl.validation.ValidationManager;
 import com.sun.org.apache.xerces.internal.util.*;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.URI;
 import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.Augmentations;
 import com.sun.org.apache.xerces.internal.xni.XMLResourceIdentifier;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
@@ -324,7 +324,7 @@
 
     // stores defaults for entity expansion limit if it has
     // been set on the configuration.
-    protected SecurityManager fSecurityManager = null;
+    protected XMLSecurityManager fSecurityManager = null;
 
     /**
      * True if the document entity is standalone. This should really
@@ -1482,7 +1482,7 @@
         fEntityResolver = (XMLEntityResolver)componentManager.getProperty(ENTITY_RESOLVER, null);
         fStaxEntityResolver = (StaxEntityResolverWrapper)componentManager.getProperty(STAX_ENTITY_RESOLVER, null);
         fValidationManager = (ValidationManager)componentManager.getProperty(VALIDATION_MANAGER, null);
-        fSecurityManager = (SecurityManager)componentManager.getProperty(SECURITY_MANAGER, null);
+        fSecurityManager = (XMLSecurityManager)componentManager.getProperty(SECURITY_MANAGER, null);
 
         // JAXP 1.5 feature
         fAccessExternalDTD = (String) componentManager.getProperty(ACCESS_EXTERNAL_DTD, EXTERNAL_ACCESS_DEFAULT);
@@ -1499,7 +1499,9 @@
     // a class acting as a component manager but not
     // implementing that interface for whatever reason.
     public void reset() {
-        fEntityExpansionLimit = (fSecurityManager != null)?fSecurityManager.getEntityExpansionLimit():0;
+        fEntityExpansionLimit = (fSecurityManager != null)?
+                fSecurityManager.getLimit(XMLSecurityManager.Limit.ENTITY_EXPANSION_LIMIT):0;
+
 
         // initialize state
         fStandalone = false;
@@ -1635,8 +1637,10 @@
             }
             if (suffixLength == Constants.SECURITY_MANAGER_PROPERTY.length() &&
                 propertyId.endsWith(Constants.SECURITY_MANAGER_PROPERTY)) {
-                fSecurityManager = (SecurityManager)value;
-                fEntityExpansionLimit = (fSecurityManager != null)?fSecurityManager.getEntityExpansionLimit():0;
+                fSecurityManager = (XMLSecurityManager)value;
+                fEntityExpansionLimit = (fSecurityManager != null)?
+                        fSecurityManager.getLimit(XMLSecurityManager.Limit.ENTITY_EXPANSION_LIMIT):0;
+
             }
         }
 
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLScanner.java	Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/XMLScanner.java	Wed Jul 17 09:31:39 2013 -0700
@@ -499,7 +499,7 @@
                             reportFatalError("SDDeclInvalid",  new Object[] {standalone});
                         }
                     } else {
-                        reportFatalError("EncodingDeclRequired", null);
+                        reportFatalError("SDDeclNameInvalid", null);
                     }
                     break;
                 }
@@ -564,7 +564,7 @@
             XMLString value)
             throws IOException, XNIException {
 
-        String name = fEntityScanner.scanName();
+        String name = scanPseudoAttributeName();
         // XMLEntityManager.print(fEntityManager.getCurrentEntity());
 
         if (name == null) {
@@ -617,6 +617,35 @@
     } // scanPseudoAttribute(XMLString):String
 
     /**
+     * Scans the name of a pseudo attribute. The only legal names
+     * in XML 1.0/1.1 documents are 'version', 'encoding' and 'standalone'.
+     *
+     * @return the name of the pseudo attribute or <code>null</code>
+     * if a legal pseudo attribute name could not be scanned.
+     */
+    private String scanPseudoAttributeName() throws IOException, XNIException {
+        final int ch = fEntityScanner.peekChar();
+        switch (ch) {
+            case 'v':
+                if (fEntityScanner.skipString(fVersionSymbol)) {
+                    return fVersionSymbol;
+                }
+                break;
+            case 'e':
+                if (fEntityScanner.skipString(fEncodingSymbol)) {
+                    return fEncodingSymbol;
+                }
+                break;
+            case 's':
+                if (fEntityScanner.skipString(fStandaloneSymbol)) {
+                    return fStandaloneSymbol;
+                }
+                break;
+        }
+        return null;
+    } // scanPseudoAttributeName()
+
+    /**
      * Scans a processing instruction.
      * <p>
      * <pre>
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages.properties	Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/msg/XMLMessages.properties	Wed Jul 17 09:31:39 2013 -0700
@@ -44,6 +44,7 @@
         
 # 2.9 Standalone Document Declaration
         SDDeclInvalid = The standalone document declaration value must be \"yes\" or \"no\", not \"{0}\".
+        SDDeclNameInvalid = The standalone name in XML declaration may be misspelled.
 # 2.12 Language Identification
         XMLLangInvalid = The xml:lang attribute value \"{0}\" is an invalid language identifier.
 # 3. Logical Structures
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/models/CMNodeFactory.java	Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/models/CMNodeFactory.java	Wed Jul 17 09:31:39 2013 -0700
@@ -21,13 +21,13 @@
 
 package com.sun.org.apache.xerces.internal.impl.xs.models;
 
+import com.sun.org.apache.xerces.internal.impl.Constants;
 import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter;
+import com.sun.org.apache.xerces.internal.impl.dtd.models.CMNode;
+import com.sun.org.apache.xerces.internal.impl.xs.XSMessageFormatter;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
-import com.sun.org.apache.xerces.internal.util.SecurityManager ;
-import com.sun.org.apache.xerces.internal.impl.dtd.models.CMNode;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLConfigurationException;
-import com.sun.org.apache.xerces.internal.impl.xs.XSMessageFormatter;
-import com.sun.org.apache.xerces.internal.impl.Constants;
 
 /**
  *
@@ -68,7 +68,7 @@
 
     // stores defaults for different security holes (maxOccurLimit in current context) if it has
     // been set on the configuration.
-    private SecurityManager fSecurityManager = null;
+    private XMLSecurityManager fSecurityManager = null;
 
     /** default constructor */
     public CMNodeFactory() {
@@ -77,10 +77,10 @@
     public void reset(XMLComponentManager componentManager){
         fErrorReporter = (XMLErrorReporter)componentManager.getProperty(ERROR_REPORTER);
         try {
-            fSecurityManager = (SecurityManager)componentManager.getProperty(SECURITY_MANAGER);
+            fSecurityManager = (XMLSecurityManager)componentManager.getProperty(SECURITY_MANAGER);
             //we are setting the limit of number of nodes to 3times the maxOccur value..
             if(fSecurityManager != null){
-                maxNodeLimit = fSecurityManager.getMaxOccurNodeLimit() * MULTIPLICITY ;
+                maxNodeLimit = fSecurityManager.getLimit(XMLSecurityManager.Limit.MAX_OCCUR_NODE_LIMIT) * MULTIPLICITY ;
             }
         }
         catch (XMLConfigurationException e) {
@@ -150,8 +150,9 @@
 
             if (suffixLength == Constants.SECURITY_MANAGER_PROPERTY.length() &&
                 propertyId.endsWith(Constants.SECURITY_MANAGER_PROPERTY)) {
-                fSecurityManager = (SecurityManager)value;
-                maxNodeLimit = (fSecurityManager != null) ? fSecurityManager.getMaxOccurNodeLimit() * MULTIPLICITY : 0 ;
+                fSecurityManager = (XMLSecurityManager)value;
+                maxNodeLimit = (fSecurityManager != null) ?
+                        fSecurityManager.getLimit(XMLSecurityManager.Limit.MAX_OCCUR_NODE_LIMIT) * MULTIPLICITY : 0 ;
                 return;
             }
             if (suffixLength == Constants.ERROR_REPORTER_PROPERTY.length() &&
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSAttributeChecker.java	Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSAttributeChecker.java	Wed Jul 17 09:31:39 2013 -0700
@@ -40,6 +40,7 @@
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
 import com.sun.org.apache.xerces.internal.util.XMLChar;
 import com.sun.org.apache.xerces.internal.util.XMLSymbols;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.QName;
 import com.sun.org.apache.xerces.internal.xs.XSConstants;
 import java.util.HashMap;
@@ -1194,7 +1195,7 @@
                     if (!optimize) {
                     //Revisit :: IMO this is not right place to check
                     // maxOccurNodeLimit.
-                    int maxOccurNodeLimit = fSchemaHandler.fSecureProcessing.getMaxOccurNodeLimit();
+                    int maxOccurNodeLimit = fSchemaHandler.fSecureProcessing.getLimit(XMLSecurityManager.Limit.MAX_OCCUR_NODE_LIMIT);
                     if (max > maxOccurNodeLimit) {
                         reportSchemaFatalError("maxOccurLimit", new Object[] {new Integer(maxOccurNodeLimit)}, element);
 
--- a/jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java	Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/impl/xs/traversers/XSDHandler.java	Wed Jul 17 09:31:39 2013 -0700
@@ -70,7 +70,6 @@
 import com.sun.org.apache.xerces.internal.util.DefaultErrorHandler;
 import com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper;
 import com.sun.org.apache.xerces.internal.util.SAXInputSource;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.StAXInputSource;
 import com.sun.org.apache.xerces.internal.util.StAXLocationWrapper;
 import com.sun.org.apache.xerces.internal.util.SymbolHash;
@@ -78,6 +77,7 @@
 import com.sun.org.apache.xerces.internal.util.XMLSymbols;
 import com.sun.org.apache.xerces.internal.util.URI.MalformedURIException;
 import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.QName;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.grammars.Grammar;
@@ -257,7 +257,7 @@
      *
      * <p>Protected to allow access by any traverser.</p>
      */
-    protected SecurityManager fSecureProcessing = null;
+    protected XMLSecurityManager fSecureProcessing = null;
 
     private String fAccessExternalSchema;
 
@@ -3501,7 +3501,7 @@
 
         fSecureProcessing = null;
         if( componentManager!=null ) {
-            fSecureProcessing = (SecurityManager) componentManager.getProperty(SECURE_PROCESSING, null);
+            fSecureProcessing = (XMLSecurityManager) componentManager.getProperty(SECURE_PROCESSING, null);
         }
 
         //set entity resolver
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java	Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/DocumentBuilderImpl.java	Wed Jul 17 09:31:39 2013 -0700
@@ -36,7 +36,7 @@
 import com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator;
 import com.sun.org.apache.xerces.internal.jaxp.validation.XSGrammarPoolContainer;
 import com.sun.org.apache.xerces.internal.parsers.DOMParser;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
@@ -162,7 +162,7 @@
 
         // If the secure processing feature is on set a security manager.
         if (secureProcessing) {
-            domParser.setProperty(SECURITY_MANAGER, new SecurityManager());
+            domParser.setProperty(SECURITY_MANAGER, new XMLSecurityManager());
 
             /**
              * By default, secure processing is set, no external access is allowed.
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/SAXParserImpl.java	Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/SAXParserImpl.java	Wed Jul 17 09:31:39 2013 -0700
@@ -34,8 +34,8 @@
 import com.sun.org.apache.xerces.internal.impl.xs.XMLSchemaValidator;
 import com.sun.org.apache.xerces.internal.jaxp.validation.XSGrammarPoolContainer;
 import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.Status;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.XMLDocumentHandler;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
@@ -151,7 +151,7 @@
 
         // If the secure processing feature is on set a security manager.
         if (secureProcessing) {
-            xmlReader.setProperty0(SECURITY_MANAGER, new SecurityManager());
+            xmlReader.setProperty0(SECURITY_MANAGER, new XMLSecurityManager());
             /**
              * By default, secure processing is set, no external access is allowed.
              * However, we need to check if it is actively set on the factory since we
@@ -413,7 +413,7 @@
             }
             if (name.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) {
                 try {
-                    setProperty(SECURITY_MANAGER, value ? new SecurityManager() : null);
+                    setProperty(SECURITY_MANAGER, value ? new XMLSecurityManager() : null);
                 }
                 catch (SAXNotRecognizedException exc) {
                     // If the property is not supported
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java	Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/StreamValidatorHelper.java	Wed Jul 17 09:31:39 2013 -0700
@@ -24,7 +24,7 @@
 import com.sun.org.apache.xerces.internal.impl.XMLErrorReporter;
 import com.sun.org.apache.xerces.internal.impl.msg.XMLMessageFormatter;
 import com.sun.org.apache.xerces.internal.parsers.XML11Configuration;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLInputSource;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLParseException;
@@ -170,7 +170,7 @@
     private XMLParserConfiguration initialize() {
         XML11Configuration config = new XML11Configuration();
         if (fComponentManager.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING)) {
-            config.setProperty(SECURITY_MANAGER, new SecurityManager());
+            config.setProperty(SECURITY_MANAGER, new XMLSecurityManager());
         }
         config.setProperty(ENTITY_RESOLVER, fComponentManager.getProperty(ENTITY_RESOLVER));
         config.setProperty(ERROR_HANDLER, fComponentManager.getProperty(ERROR_HANDLER));
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java	Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/ValidatorHandlerImpl.java	Wed Jul 17 09:31:39 2013 -0700
@@ -49,10 +49,10 @@
 import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
 import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.URI;
 import com.sun.org.apache.xerces.internal.util.XMLAttributesImpl;
 import com.sun.org.apache.xerces.internal.util.XMLSymbols;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.Augmentations;
 import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
 import com.sun.org.apache.xerces.internal.xni.QName;
@@ -679,7 +679,7 @@
                         reader = spf.newSAXParser().getXMLReader();
                         // If this is a Xerces SAX parser, set the security manager if there is one
                         if (reader instanceof com.sun.org.apache.xerces.internal.parsers.SAXParser) {
-                           SecurityManager securityManager = (SecurityManager) fComponentManager.getProperty(SECURITY_MANAGER);
+                           XMLSecurityManager securityManager = (XMLSecurityManager) fComponentManager.getProperty(SECURITY_MANAGER);
                            if (securityManager != null) {
                                try {
                                    reader.setProperty(SECURITY_MANAGER, securityManager);
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java	Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaFactory.java	Wed Jul 17 09:31:39 2013 -0700
@@ -41,11 +41,11 @@
 import com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper;
 import com.sun.org.apache.xerces.internal.util.SAXInputSource;
 import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.StAXInputSource;
 import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.XMLGrammarPoolImpl;
 import com.sun.org.apache.xerces.internal.utils.SecuritySupport;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.grammars.Grammar;
 import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarDescription;
@@ -79,7 +79,7 @@
     private static final String XMLGRAMMAR_POOL =
         Constants.XERCES_PROPERTY_PREFIX + Constants.XMLGRAMMAR_POOL_PROPERTY;
 
-    /** Property identifier: SecurityManager. */
+    /** Property identifier: XMLSecurityManager. */
     private static final String SECURITY_MANAGER =
         Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
 
@@ -108,8 +108,8 @@
     /** The ErrorHandlerWrapper */
     private ErrorHandlerWrapper fErrorHandlerWrapper;
 
-    /** The SecurityManager. */
-    private SecurityManager fSecurityManager;
+    /** The XMLSecurityManager. */
+    private XMLSecurityManager fSecurityManager;
 
     /** The container for the real grammar pool. */
     private XMLGrammarPoolWrapper fXMLGrammarPoolWrapper;
@@ -137,7 +137,7 @@
         fXMLSchemaLoader.setErrorHandler(fErrorHandlerWrapper);
 
         // Enable secure processing feature by default
-        fSecurityManager = new SecurityManager();
+        fSecurityManager = new XMLSecurityManager();
         fXMLSchemaLoader.setProperty(SECURITY_MANAGER, fSecurityManager);
 
         //by default, the secure feature is set to true, otherwise the default would have been 'file'
@@ -365,7 +365,7 @@
                         "jaxp-secureprocessing-feature", null));
             }
             if (value) {
-                fSecurityManager = new SecurityManager();
+                fSecurityManager = new XMLSecurityManager();
                 fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_DTD, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
                 fXMLSchemaLoader.setProperty(ACCESS_EXTERNAL_SCHEMA, Constants.EXTERNAL_ACCESS_DEFAULT_FSP);
             } else {
@@ -404,7 +404,7 @@
                     "ProperyNameNull", null));
         }
         if (name.equals(SECURITY_MANAGER)) {
-            fSecurityManager = (SecurityManager) object;
+            fSecurityManager = (XMLSecurityManager) object;
             fXMLSchemaLoader.setProperty(SECURITY_MANAGER, fSecurityManager);
             return;
         }
--- a/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java	Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidatorComponentManager.java	Wed Jul 17 09:31:39 2013 -0700
@@ -39,9 +39,9 @@
 import com.sun.org.apache.xerces.internal.util.NamespaceSupport;
 import com.sun.org.apache.xerces.internal.util.ParserConfigurationSettings;
 import com.sun.org.apache.xerces.internal.util.PropertyState;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
 import com.sun.org.apache.xerces.internal.xni.XNIException;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponent;
@@ -182,7 +182,7 @@
     private final HashMap fInitProperties = new HashMap();
 
     /** Stores the initial security manager. */
-    private final SecurityManager fInitSecurityManager;
+    private final XMLSecurityManager fInitSecurityManager;
 
     //
     // User Objects
@@ -221,7 +221,7 @@
 
         if (System.getSecurityManager() != null) {
             _isSecureMode = true;
-            setProperty(SECURITY_MANAGER, new SecurityManager());
+            setProperty(SECURITY_MANAGER, new XMLSecurityManager());
         } else {
             fComponents.put(SECURITY_MANAGER, null);
         }
@@ -242,7 +242,7 @@
         // if the secure processing feature is set to true, add a security manager to the configuration
         Boolean secureProcessing = grammarContainer.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING);
         if (Boolean.TRUE.equals(secureProcessing)) {
-            fInitSecurityManager = new SecurityManager();
+            fInitSecurityManager = new XMLSecurityManager();
         }
         else {
             fInitSecurityManager = null;
@@ -308,7 +308,7 @@
             if (_isSecureMode && !value) {
                 throw new XMLConfigurationException(Status.NOT_ALLOWED, XMLConstants.FEATURE_SECURE_PROCESSING);
             }
-            setProperty(SECURITY_MANAGER, value ? new SecurityManager() : null);
+            setProperty(SECURITY_MANAGER, value ? new XMLSecurityManager() : null);
             return;
         }
         fConfigUpdated = true;
--- a/jaxp/src/com/sun/org/apache/xerces/internal/parsers/AbstractSAXParser.java	Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/parsers/AbstractSAXParser.java	Wed Jul 17 09:31:39 2013 -0700
@@ -25,10 +25,10 @@
 import com.sun.org.apache.xerces.internal.util.EntityResolverWrapper;
 import com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper;
 import com.sun.org.apache.xerces.internal.util.SAXMessageFormatter;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.Status;
 import com.sun.org.apache.xerces.internal.util.SymbolHash;
 import com.sun.org.apache.xerces.internal.util.XMLSymbols;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.Augmentations;
 import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
 import com.sun.org.apache.xerces.internal.xni.QName;
@@ -1651,7 +1651,7 @@
             else if (featureId.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) {
                 if (state) {
                     if (fConfiguration.getProperty(SECURITY_MANAGER )==null) {
-                        fConfiguration.setProperty(SECURITY_MANAGER, new SecurityManager());
+                        fConfiguration.setProperty(SECURITY_MANAGER, new XMLSecurityManager());
                     }
                 }
             }
--- a/jaxp/src/com/sun/org/apache/xerces/internal/parsers/SecurityConfiguration.java	Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/parsers/SecurityConfiguration.java	Wed Jul 17 09:31:39 2013 -0700
@@ -23,8 +23,8 @@
 import com.sun.org.apache.xerces.internal.impl.Constants;
 import com.sun.org.apache.xerces.internal.xni.grammars.XMLGrammarPool;
 import com.sun.org.apache.xerces.internal.xni.parser.XMLComponentManager;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 
 /**
  * This configuration allows Xerces to behave in a security-conscious manner; that is,
@@ -106,8 +106,8 @@
                                          XMLComponentManager parentSettings) {
         super(symbolTable, grammarPool, parentSettings);
 
-        // create the SecurityManager property:
-        setProperty(SECURITY_MANAGER_PROPERTY, new SecurityManager());
+        // create the XMLSecurityManager property:
+        setProperty(SECURITY_MANAGER_PROPERTY, new XMLSecurityManager());
     } // <init>(SymbolTable,XMLGrammarPool)
 
 } // class SecurityConfiguration
--- a/jaxp/src/com/sun/org/apache/xerces/internal/util/SecurityManager.java	Tue Jul 16 14:06:04 2013 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,226 +0,0 @@
-/*
- * reserved comment block
- * DO NOT REMOVE OR ALTER!
- */
-/*
- * The Apache Software License, Version 1.1
- *
- *
- * Copyright (c) 2003 The Apache Software Foundation.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. The end-user documentation included with the redistribution,
- *    if any, must include the following acknowledgment:
- *       "This product includes software developed by the
- *        Apache Software Foundation (http://www.apache.org/)."
- *    Alternately, this acknowledgment may appear in the software itself,
- *    if and wherever such third-party acknowledgments normally appear.
- *
- * 4. The names "Xerces" and "Apache Software Foundation" must
- *    not be used to endorse or promote products derived from this
- *    software without prior written permission. For written
- *    permission, please contact apache@apache.org.
- *
- * 5. Products derived from this software may not be called "Apache",
- *    nor may "Apache" appear in their name, without prior written
- *    permission of the Apache Software Foundation.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
- * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
- * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
- * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * ====================================================================
- *
- * This software consists of voluntary contributions made by many
- * individuals on behalf of the Apache Software Foundation and was
- * originally based on software copyright (c) 1999, International
- * Business Machines, Inc., http://www.apache.org.  For more
- * information on the Apache Software Foundation, please see
- * <http://www.apache.org/>.
- */
-
-package com.sun.org.apache.xerces.internal.util;
-import com.sun.org.apache.xerces.internal.impl.Constants;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
-/**
- * This class is a container for parser settings that relate to
- * security, or more specifically, it is intended to be used to prevent denial-of-service
- * attacks from being launched against a system running Xerces.
- * Any component that is aware of a denial-of-service attack that can arise
- * from its processing of a certain kind of document may query its Component Manager
- * for the property (http://apache.org/xml/properties/security-manager)
- * whose value will be an instance of this class.
- * If no value has been set for the property, the component should proceed in the "usual" (spec-compliant)
- * manner.  If a value has been set, then it must be the case that the component in
- * question needs to know what method of this class to query.  This class
- * will provide defaults for all known security issues, but will also provide
- * setters so that those values can be tailored by applications that care.
- *
- * @author  Neil Graham, IBM
- *
- * @version $Id: SecurityManager.java,v 1.5 2010-11-01 04:40:14 joehw Exp $
- */
-public final class SecurityManager {
-
-    //
-    // Constants
-    //
-
-    // default value for entity expansion limit
-    private final static int DEFAULT_ENTITY_EXPANSION_LIMIT = 64000;
-
-    /** Default value of number of nodes created. **/
-    private final static int DEFAULT_MAX_OCCUR_NODE_LIMIT = 5000;
-
-    //
-    // Data
-    //
-
-        private final static int DEFAULT_ELEMENT_ATTRIBUTE_LIMIT = 10000;
-
-    /** Entity expansion limit. **/
-    private int entityExpansionLimit;
-
-    /** W3C XML Schema maxOccurs limit. **/
-    private int maxOccurLimit;
-
-        private int fElementAttributeLimit;
-    // default constructor.  Establishes default values for
-    // all known security holes.
-    /**
-     * Default constructor.  Establishes default values
-     * for known security vulnerabilities.
-     */
-    public SecurityManager() {
-        entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
-        maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT ;
-                fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
-                //We are reading system properties only once ,
-                //at the time of creation of this object ,
-                readSystemProperties();
-    }
-
-    /**
-     * <p>Sets the number of entity expansions that the
-     * parser should permit in a document.</p>
-     *
-     * @param limit the number of entity expansions
-     * permitted in a document
-     */
-    public void setEntityExpansionLimit(int limit) {
-        entityExpansionLimit = limit;
-    }
-
-    /**
-     * <p>Returns the number of entity expansions
-     * that the parser permits in a document.</p>
-     *
-     * @return the number of entity expansions
-     * permitted in a document
-     */
-    public int getEntityExpansionLimit() {
-        return entityExpansionLimit;
-    }
-
-    /**
-     * <p>Sets the limit of the number of content model nodes
-     * that may be created when building a grammar for a W3C
-     * XML Schema that contains maxOccurs attributes with values
-     * other than "unbounded".</p>
-     *
-     * @param limit the maximum value for maxOccurs other
-     * than "unbounded"
-     */
-    public void setMaxOccurNodeLimit(int limit){
-        maxOccurLimit = limit;
-    }
-
-    /**
-     * <p>Returns the limit of the number of content model nodes
-     * that may be created when building a grammar for a W3C
-     * XML Schema that contains maxOccurs attributes with values
-     * other than "unbounded".</p>
-     *
-     * @return the maximum value for maxOccurs other
-     * than "unbounded"
-     */
-    public int getMaxOccurNodeLimit(){
-        return maxOccurLimit;
-    }
-
-    public int getElementAttrLimit(){
-                return fElementAttributeLimit;
-        }
-
-        public void setElementAttrLimit(int limit){
-                fElementAttributeLimit = limit;
-        }
-
-        private void readSystemProperties(){
-
-            //TODO: also read SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT
-            try {
-                    String value = getSystemProperty(Constants.ENTITY_EXPANSION_LIMIT);
-                    if(value != null && !value.equals("")){
-                            entityExpansionLimit = Integer.parseInt(value);
-                            if (entityExpansionLimit < 0)
-                                    entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
-                    }
-                    else
-                            entityExpansionLimit = DEFAULT_ENTITY_EXPANSION_LIMIT;
-            }catch(Exception ex){}
-
-            try {
-                    String value = getSystemProperty(Constants.MAX_OCCUR_LIMIT);
-                    if(value != null && !value.equals("")){
-                            maxOccurLimit = Integer.parseInt(value);
-                            if (maxOccurLimit < 0)
-                                    maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT;
-                    }
-                    else
-                            maxOccurLimit = DEFAULT_MAX_OCCUR_NODE_LIMIT;
-            }catch(Exception ex){}
-
-            try {
-                    String value = getSystemProperty(Constants.SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT);
-                    if(value != null && !value.equals("")){
-                            fElementAttributeLimit = Integer.parseInt(value);
-                            if ( fElementAttributeLimit < 0)
-                                    fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
-                    }
-                    else
-                            fElementAttributeLimit = DEFAULT_ELEMENT_ATTRIBUTE_LIMIT;
-
-                }catch(Exception ex){}
-
-        }
-
-    private String getSystemProperty(final String propName) {
-        return AccessController.doPrivileged(new PrivilegedAction<String>() {
-            public String run() {
-                return System.getProperty(propName);
-            }
-        });
-    }
-} // class SecurityManager
--- a/jaxp/src/com/sun/org/apache/xerces/internal/util/SymbolTable.java	Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/util/SymbolTable.java	Wed Jul 17 09:31:39 2013 -0700
@@ -173,7 +173,7 @@
         for (int i = 0; i < length; i++) {
             code = code * 37 + symbol.charAt(i);
         }
-        return code & 0x7FFFFFF;
+        return code & 0x7FFFFFFF;
 
     } // hash(String):int
 
@@ -194,7 +194,7 @@
         for (int i = 0; i < length; i++) {
             code = code * 37 + buffer[offset + i];
         }
-        return code & 0x7FFFFFF;
+        return code & 0x7FFFFFFF;
 
     } // hash(char[],int,int):int
 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/utils/XMLSecurityManager.java	Wed Jul 17 09:31:39 2013 -0700
@@ -0,0 +1,147 @@
+/*
+ * Copyright (c) 2013 Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package com.sun.org.apache.xerces.internal.utils;
+
+import com.sun.org.apache.xerces.internal.impl.Constants;
+
+/**
+ * This class manages standard and implementation-specific limitations.
+ *
+ */
+public final class XMLSecurityManager {
+
+    /**
+     * States of the settings of a property, in the order: default value, value
+     * set by FEATURE_SECURE_PROCESSING, jaxp.properties file, jaxp system
+     * properties, and jaxp api properties
+     */
+    public static enum State {
+        //this order reflects the overriding order
+        DEFAULT, FSP, JAXPDOTPROPERTIES, SYSTEMPROPERTY, APIPROPERTY
+    }
+
+    /**
+     * Limits managed by the security manager
+     */
+    public static enum Limit {
+        ENTITY_EXPANSION_LIMIT(64000),
+        MAX_OCCUR_NODE_LIMIT(5000),
+        ELEMENT_ATTRIBUTE_LIMIT(10000);
+
+        final int defaultValue;
+
+        Limit(int value) {
+            this.defaultValue = value;
+        }
+
+        int defaultValue() {
+            return defaultValue;
+        }
+    }
+
+    /**
+     * Values of the limits as defined in enum Limit
+     */
+    private final int[] limits;
+    /**
+     * States of the settings for each limit in limits above
+     */
+    private State[] states = {State.DEFAULT, State.DEFAULT, State.DEFAULT, State.DEFAULT};
+
+    /**
+     * Default constructor. Establishes default values for known security
+     * vulnerabilities.
+     */
+    public XMLSecurityManager() {
+        limits = new int[Limit.values().length];
+        for (Limit limit : Limit.values()) {
+            limits[limit.ordinal()] = limit.defaultValue();
+        }
+        //read system properties or jaxp.properties
+        readSystemProperties();
+    }
+
+    /**
+     * Sets the limit for a specific type of XML constructs. This can be either
+     * the size or the number of the constructs.
+     *
+     * @param type the type of limitation
+     * @param state the state of limitation
+     * @param limit the limit to the type
+     */
+    public void setLimit(Limit limit, State state, int value) {
+        //only update if it shall override
+        if (state.compareTo(states[limit.ordinal()]) >= 0) {
+            limits[limit.ordinal()] = value;
+            states[limit.ordinal()] = state;
+        }
+    }
+
+    /**
+     * Returns the limit set for the type specified
+     *
+     * @param limit the type of limitation
+     * @return the limit to the type
+     */
+    public int getLimit(Limit limit) {
+        return limits[limit.ordinal()];
+    }
+
+    /**
+     * Read from system properties, or those in jaxp.properties
+     */
+    private void readSystemProperties() {
+        getSystemProperty(Limit.ENTITY_EXPANSION_LIMIT, Constants.ENTITY_EXPANSION_LIMIT);
+        getSystemProperty(Limit.MAX_OCCUR_NODE_LIMIT, Constants.MAX_OCCUR_LIMIT);
+        getSystemProperty(Limit.ELEMENT_ATTRIBUTE_LIMIT,
+                Constants.SYSTEM_PROPERTY_ELEMENT_ATTRIBUTE_LIMIT);
+    }
+
+    /**
+     * Read from system properties, or those in jaxp.properties
+     *
+     * @param limit the type of the property
+     * @param property the property name
+     */
+    private void getSystemProperty(Limit limit, String property) {
+        try {
+            String value = SecuritySupport.getSystemProperty(property);
+            if (value != null && !value.equals("")) {
+                limits[limit.ordinal()] = Integer.parseInt(value);
+                states[limit.ordinal()] = State.SYSTEMPROPERTY;
+                return;
+            }
+
+            value = SecuritySupport.readJAXPProperty(property);
+            if (value != null && !value.equals("")) {
+                limits[limit.ordinal()] = Integer.parseInt(value);
+                states[limit.ordinal()] = State.JAXPDOTPROPERTIES;
+            }
+        } catch (NumberFormatException e) {
+            //invalid setting ignored
+        }
+    }
+}
--- a/jaxp/src/com/sun/org/apache/xerces/internal/xinclude/XIncludeHandler.java	Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/org/apache/xerces/internal/xinclude/XIncludeHandler.java	Wed Jul 17 09:31:39 2013 -0700
@@ -37,7 +37,6 @@
 import com.sun.org.apache.xerces.internal.util.HTTPInputSource;
 import com.sun.org.apache.xerces.internal.util.IntStack;
 import com.sun.org.apache.xerces.internal.util.ParserConfigurationSettings;
-import com.sun.org.apache.xerces.internal.util.SecurityManager;
 import com.sun.org.apache.xerces.internal.util.SymbolTable;
 import com.sun.org.apache.xerces.internal.util.URI;
 import com.sun.org.apache.xerces.internal.util.XMLAttributesImpl;
@@ -45,6 +44,7 @@
 import com.sun.org.apache.xerces.internal.util.XMLChar;
 import com.sun.org.apache.xerces.internal.util.XMLSymbols;
 import com.sun.org.apache.xerces.internal.util.URI.MalformedURIException;
+import com.sun.org.apache.xerces.internal.utils.XMLSecurityManager;
 import com.sun.org.apache.xerces.internal.xni.Augmentations;
 import com.sun.org.apache.xerces.internal.xni.NamespaceContext;
 import com.sun.org.apache.xerces.internal.xni.QName;
@@ -292,7 +292,7 @@
     protected SymbolTable fSymbolTable;
     protected XMLErrorReporter fErrorReporter;
     protected XMLEntityResolver fEntityResolver;
-    protected SecurityManager fSecurityManager;
+    protected XMLSecurityManager fSecurityManager;
     /**
      * comma-delimited list of protocols that are allowed for the purpose
      * of accessing external dtd or entity references
@@ -525,8 +525,8 @@
 
         // Get security manager.
         try {
-            SecurityManager value =
-                (SecurityManager)componentManager.getProperty(
+            XMLSecurityManager value =
+                (XMLSecurityManager)componentManager.getProperty(
                     SECURITY_MANAGER);
 
             if (value != null) {
@@ -681,7 +681,7 @@
             return;
         }
         if (propertyId.equals(SECURITY_MANAGER)) {
-            fSecurityManager = (SecurityManager)value;
+            fSecurityManager = (XMLSecurityManager)value;
             if (fChildConfig != null) {
                 fChildConfig.setProperty(propertyId, value);
             }
--- a/jaxp/src/com/sun/xml/internal/stream/Entity.java	Tue Jul 16 14:06:04 2013 -0700
+++ b/jaxp/src/com/sun/xml/internal/stream/Entity.java	Wed Jul 17 09:31:39 2013 -0700
@@ -248,7 +248,7 @@
         public int fBufferSize = DEFAULT_BUFFER_SIZE;
 
         /** Default buffer size before we've finished with the XMLDecl:  */
-        public static final int DEFAULT_XMLDECL_BUFFER_SIZE = 28;
+        public static final int DEFAULT_XMLDECL_BUFFER_SIZE = 64;
 
         /** Default internal entity buffer size (1024). */
         public static final int DEFAULT_INTERNAL_BUFFER_SIZE = 1024;