Fixed
Details
Assignee
Yoann Rodière
Reporter
Thirunavukarasu Thulasi
Components
Sprint
None
Affects versions
Priority
Major
Created July 5, 2023 at 3:24 AM
Updated July 20, 2023 at 6:48 PM
Resolved July 7, 2023 at 11:06 AM
Background
As per the following recommendation, we had updated all our Hibernate mapping files to refer to DTD files using the https scheme:
The markup declarations contained or pointed to by the document type declaration must be well-formed - Hibernate ORM - Hibernate
i.e., we had updated the existing DTD URLs from
http://www.hibernate.org/dtd/hibernate-mapping-3.0.dtd
to
https://hibernate.org/dtd/hibernate-mapping-3.0.dtd
Also, we had upgraded the Hibernate version to 5.6.6 (which has a fix for HHH-15094).
Problem
Hibernate does not resolve DTD files locally when using the https scheme,
but it does resolve the DTD files locally when using the http scheme.
Analysis
Following is a snippet of code from LocalXmlResourceResolver,
When the HTTP scheme is used, Hibernate uses startsWith to compare with the identifierBase,
but when the HTTPS scheme is used, Hibernate uses matches to compare with the identifierBase (which fails due to the presence of the version at the end of the systemId).
For example,
Consider a Hibernate mapping file with the following DOCTYPE (changed as per the above recommendation):
<!DOCTYPE hibernate-mapping PUBLIC
"-//Hibernate/Hibernate Mapping DTD//EN"
"https://hibernate.org/dtd/hibernate-mapping-3.0.dtd">
In the LocalXmlResourceResolver, the condition which checks whether to return the local resource fails and returns false when the https scheme is used,
i.e.
if ( systemId.startsWith( httpBase )
|| systemId.matches( httpsBase ) ) {
return true;
}
checks as follows
"https://hibernate.org/dtd/hibernate-mapping-3.0.dtd".matches(
"hibernate.org/dtd/hibernate-mapping"
)
which returns false
Proposed solution
Change systemId.matches() to either systemId.startsWith() or systemId.contains()
Test
In the attached unit test, we can find that the test case that tries to resolve the DTD file using the HTTPS scheme fails, whereas the test case that tries to resolve the DTD file using the HTTP scheme succeeds.
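Added example, not part of the original report and not Hibernate's own code: it runs the quoted condition and the proposed startsWith() variant inside a JAXP EntityResolver, against both system IDs from the report. The class and method names, the HTTP_BASE/HTTPS_BASE values (built from the two URLs quoted above) and the one-line LOCAL_DTD are assumptions made for the demonstration.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;

public class DtdSchemeCheck {
    // Assumed values, built from the two URLs quoted in the report.
    static final String HTTP_BASE = "http://www.hibernate.org/dtd/hibernate-mapping";
    static final String HTTPS_BASE = "https://hibernate.org/dtd/hibernate-mapping";
    // Constructed stand-in for the DTD bundled on the classpath.
    static final String LOCAL_DTD = "<!ELEMENT hibernate-mapping EMPTY>";

    // The condition as quoted: String.matches() treats its argument as a regex
    // that must cover the whole systemId, so the "-3.0.dtd" suffix defeats it.
    static boolean reportedCheck(String systemId) {
        return systemId.startsWith(HTTP_BASE) || systemId.matches(HTTPS_BASE);
    }

    // The proposed change: plain prefix comparison for both schemes.
    static boolean proposedCheck(String systemId) {
        return systemId.startsWith(HTTP_BASE) || systemId.startsWith(HTTPS_BASE);
    }

    // Parses a mapping document and reports whether its DTD came from the local copy.
    static boolean resolvedLocally(String systemId, boolean useProposed) throws Exception {
        String xml = "<!DOCTYPE hibernate-mapping PUBLIC "
                + "\"-//Hibernate/Hibernate Mapping DTD//EN\" \"" + systemId + "\">"
                + "<hibernate-mapping/>";
        boolean[] local = { false };
        DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        builder.setEntityResolver((publicId, sysId) -> {
            local[0] = useProposed ? proposedCheck(sysId) : reportedCheck(sysId);
            // An empty source on a miss keeps this demo offline; a resolver that
            // returned null would let the parser open the URL itself.
            return new InputSource(new StringReader(local[0] ? LOCAL_DTD : ""));
        });
        builder.parse(new InputSource(new StringReader(xml)));
        return local[0];
    }

    public static void main(String[] args) throws Exception {
        String[] ids = {
            "http://www.hibernate.org/dtd/hibernate-mapping-3.0.dtd",
            "https://hibernate.org/dtd/hibernate-mapping-3.0.dtd" };
        for (String id : ids) {
            System.out.println(id + " reported=" + resolvedLocally(id, false)
                    + " proposed=" + resolvedLocally(id, true));
        }
    }
}
```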