Consistent local vs external resolution of https schema references

Closes gh-22504

Author: jhoeller

spring-beans/src/main/java/org/springframework/beans/factory/xml/BeansDtdResolver.java

@@ -16,6 +16,7 @@
 
 package org.springframework.beans.factory.xml;
 
+import java.io.FileNotFoundException;
 import java.io.IOException;
 
 import org.apache.commons.logging.Log;
@@ -76,7 +77,7 @@ public InputSource resolveEntity(String publicId, String systemId) throws IOExce
 					}
 					return source;
 				}
-				catch (IOException ex) {
+				catch (FileNotFoundException ex) {
 					if (logger.isDebugEnabled()) {
 						logger.debug("Could not resolve beans DTD [" + systemId + "]: not found in classpath", ex);
 					}

spring-beans/src/main/java/org/springframework/beans/factory/xml/DelegatingEntityResolver.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2012 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -86,6 +86,8 @@ else if (systemId.endsWith(XSD_SUFFIX)) {
 				return this.schemaResolver.resolveEntity(publicId, systemId);
 			}
 		}
+
+		// Fall back to the parser's default behavior.
 		return null;
 	}
 

spring-beans/src/main/java/org/springframework/beans/factory/xml/PluggableSchemaResolver.java

@@ -110,6 +110,10 @@ public InputSource resolveEntity(String publicId, String systemId) throws IOExce
 
 		if (systemId != null) {
 			String resourceLocation = getSchemaMappings().get(systemId);
+			if (resourceLocation == null && systemId.startsWith("https:")) {
+				// Retrieve canonical http schema mapping even for https declaration
+				resourceLocation = getSchemaMappings().get("http:" + systemId.substring(6));
+			}
 			if (resourceLocation != null) {
 				Resource resource = new ClassPathResource(resourceLocation, this.classLoader);
 				try {

spring-beans/src/main/java/org/springframework/beans/factory/xml/ResourceEntityResolver.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2012 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -30,9 +30,9 @@
 import org.springframework.core.io.ResourceLoader;
 
 /**
- * EntityResolver implementation that tries to resolve entity references
+ * {@code EntityResolver} implementation that tries to resolve entity references
  * through a {@link org.springframework.core.io.ResourceLoader} (usually,
- * relative to the resource base of an ApplicationContext), if applicable.
+ * relative to the resource base of an {@code ApplicationContext}), if applicable.
  * Extends {@link DelegatingEntityResolver} to also provide DTD and XSD lookup.
  *
  * <p>Allows to use standard XML entities to include XML snippets into an
@@ -72,6 +72,7 @@ public ResourceEntityResolver(ResourceLoader resourceLoader) {
 	@Override
 	public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
 		InputSource source = super.resolveEntity(publicId, systemId);
+
 		if (source == null && systemId != null) {
 			String resourcePath = null;
 			try {
@@ -103,7 +104,27 @@ public InputSource resolveEntity(String publicId, String systemId) throws SAXExc
 					logger.debug("Found XML entity [" + systemId + "]: " + resource);
 				}
 			}
+			else if (systemId.endsWith(DTD_SUFFIX) || systemId.endsWith(XSD_SUFFIX)) {
+				// External dtd/xsd lookup via https even for canonical http declaration
+				String url = systemId;
+				if (url.startsWith("http:")) {
+					url = "https:" + url.substring(5);
+				}
+				try {
+					source = new InputSource(new URL(url).openStream());
+					source.setPublicId(publicId);
+					source.setSystemId(systemId);
+				}
+				catch (IOException ex) {
+					if (logger.isDebugEnabled()) {
+						logger.debug("Could not resolve XML entity [" + systemId + "] through URL [" + url + "]", ex);
+					}
+					// Fall back to the parser's default behavior.
+					source = null;
+				}
+			}
 		}
+
 		return source;
 	}