Is it safe to point to Internet for locating struts DTD files in struts TLDs and XML files?

[Katie Wright]

Hello,

I hope that this will be an easy question. I apologize if this is not
the right forum for this question. I could not find a more
appropriate newsgroup. Maybe someone can direct me to one?

In the TLD and XML files used to configure and setup the struts
framework, at the header is this:

<!DOCTYPE struts-config PUBLIC
"-//Apache Software Foundation//DTD Struts Configuration 1.1//EN"
"http://jakarta.apache.org/struts/dtds/struts-config_1_1.dtd" [

Which essentially means for this file to go out into the Internet,
locate and use the DTD file. Most people have this reference and do
this. Is this safe?
Will Jakarta ever remove or move this file?

I realize that you could copy the file locally on your system and then
change your references to point to this file but I don't want to do
this because then my understanding is that I would have to put
absolute file pathing information to locate the file and this is
undesired for my application.

Is there a way in which struts XML and TLD files can see DTD files
that exist in a WAR?

Thanks for reading,

Katie Wright
(e-mail address removed)

 

[Mike Schilling]

Hello,

I hope that this will be an easy question. I apologize if this is not
the right forum for this question. I could not find a more
appropriate newsgroup. Maybe someone can direct me to one?

In the TLD and XML files used to configure and setup the struts
framework, at the header is this:

<!DOCTYPE struts-config PUBLIC
"-//Apache Software Foundation//DTD Struts Configuration 1.1//EN"
"http://jakarta.apache.org/struts/dtds/struts-config_1_1.dtd" [

Which essentially means for this file to go out into the Internet,
locate and use the DTD file. Most people have this reference and do
this. Is this safe?
Will Jakarta ever remove or move this file?

That's unlikely; too many people depend upon it. Of course there's no
guarantee that their web site will be up 24/7.

On the other hand, validation is expensive. I would guess that at run-time
a non-validating parser is used to parse these files. If so, the DOCTYPE
declaration is ignored.

 

[Adam Maass]

Hello,

I hope that this will be an easy question. I apologize if this is not
the right forum for this question. I could not find a more
appropriate newsgroup. Maybe someone can direct me to one?

In the TLD and XML files used to configure and setup the struts
framework, at the header is this:

<!DOCTYPE struts-config PUBLIC
"-//Apache Software Foundation//DTD Struts Configuration 1.1//EN"
"http://jakarta.apache.org/struts/dtds/struts-config_1_1.dtd" [

Which essentially means for this file to go out into the Internet,
locate and use the DTD file. Most people have this reference and do
this. Is this safe?
Will Jakarta ever remove or move this file?

I realize that you could copy the file locally on your system and then
change your references to point to this file but I don't want to do
this because then my understanding is that I would have to put
absolute file pathing information to locate the file and this is
undesired for my application.

Is there a way in which struts XML and TLD files can see DTD files
that exist in a WAR?

Thanks for reading,

My solution has been to grab the DTD and then set an EntityResolver on the
parser to give the local copy when this request is encountered. That way,
you don't have to modify your XML files, but you remove the uncertainty
involved in retrieving a DTD from over the Internet. It's relatively
straightforward to do once you figure out that that's what needs to be done.

It is unlikely that Apache will move the DTD, but the site may not be up (or
accessible) at all times when you need it. Additionally, there is no
guarantee that Apache won't change the DTD on you. Better to have something
under configuration control so you know exactly what's going on.

My 2 cents. YMMV.

-- Adam Maass

 

[Wendy S]

In the TLD and XML files used to configure and setup the struts
framework, at the header is this:
<!DOCTYPE struts-config PUBLIC
"-//Apache Software Foundation//DTD Struts Configuration 1.1//EN"
"http://jakarta.apache.org/struts/dtds/struts-config_1_1.dtd" [
Which essentially means for this file to go out into the Internet,
locate and use the DTD file.
Is there a way in which struts XML and TLD files can see DTD files
that exist in a WAR?

Craig McClanahan has posted on this topic, it's a common misconception that
the public identifier is really a URL.
The DTD's are included in struts.jar and will be found there.

http://www.mail-archive.com/[email protected]/msg65929.html

 

[Katie Wright]

Interesting ...

I do agree that it is better to have something under my control. I
did make copies of the DLD file but hesistate to make my application
read my copies if I have to put absolute pathing (choosing the lesser
of two evils) and cannot read the dld from either a jar or war.

I visited the website referenced here and it said this "(Struts uses
these internal copies when parsing, so that it works when you're
disconnected from the Internet)."

Do I have to do something in order to make it see the internal copy if
disconnected from the Internet? This is similar to what I would like
to do.

I do think that the URL is an external URL and know for a fact that it
will not work on my application when disconnected from the Internet
because our network router went down one day and this the application
would not deploy the ear which is what brought about me investigating
this problem in the first place.

Thank you for all your help,

Katie Wright

In the TLD and XML files used to configure and setup the struts
framework, at the header is this:
<!DOCTYPE struts-config PUBLIC
"-//Apache Software Foundation//DTD Struts Configuration 1.1//EN"
"http://jakarta.apache.org/struts/dtds/struts-config_1_1.dtd" [
Which essentially means for this file to go out into the Internet,
locate and use the DTD file.
Is there a way in which struts XML and TLD files can see DTD files
that exist in a WAR?

Craig McClanahan has posted on this topic, it's a common misconception that
the public identifier is really a URL.
The DTD's are included in struts.jar and will be found there.

http://www.mail-archive.com/[email protected]/msg65929.html

 

[derrick]

Wendy and/or Craig, if the public identifier is not a url and the dtd's
in struts.jar are used then how come if one changes the http url to
something that does not exist (to simulate no connection) then the
struts-config.xml file can not be found and the app fails? Thank you in
advance!

In the TLD and XML files used to configure and setup the struts
framework, at the header is this:
<!DOCTYPE struts-config PUBLIC
"-//Apache Software Foundation//DTD Struts Configuration 1.1//EN"
"http://jakarta.apache.org/struts/dtds/struts-config_1_1.dtd" [
Which essentially means for this file to go out into the Internet,
locate and use the DTD file.
Is there a way in which struts XML and TLD files can see DTD files
that exist in a WAR?

Craig McClanahan has posted on this topic, it's a common misconception that
the public identifier is really a URL.
The DTD's are included in struts.jar and will be found there.

http://www.mail-archive.com/[email protected]/msg65929.html

 

[Wendy S]

if the public identifier is not a url and the dtd's
in struts.jar are used then how come if one changes the http url to
something that does not exist (to simulate no connection) then the
struts-config.xml file can not be found and the app fails?

First, I don't believe that changing the text is a correct way to simulate
working offline.

What is the exact error message you're getting?

I think that url you changed is part of what the system uses to locate the
dtd (which exists inside struts.jar). You told it to validate
struts-config.xml, it can't find the dtd (because you messed up the
identifier) and so it fails.

The struts-config dtd buried inside struts.jar says this:

<!--
DTD for the Struts Application Configuration File, Version 1.1

To support validation of your configuration file, include the following
DOCTYPE element at the beginning (after the "xml" declaration):

<!DOCTYPE struts-config PUBLIC
"-//Apache Software Foundation//DTD Struts Configuration 1.1//EN"
"http://jakarta.apache.org/struts/dtds/struts-config_1_1.dtd">

$Id: struts-config_1_1.dtd 51429 2004-02-17 05:51:48Z martinc $
-->

So, unless you put *exactly* that <!DOCTYPE...> block in your
struts-config.xml file, I'd expect exactly the result you got.

 

[derrick]

Thanks for you time Wendy for making this so clear to me. You make
perfect sense. I agree my test was flimsy, but I couldn't easily
reproduce the connection/site/page being unvailable.

 

[Andrea Desole]

This is interesting. Is there a standard way to look for a DTD in a jar
file, or is it just struts?
Most of the times using a regular URL works, but the best solution for
me is to copy the DTDs locally.