Switch getXMLSchema() resolver from blocklist to allowlist

Gemini review identified that blocking specific schemes (http, https,
ftp, jar) while allowing file:// leaves a Local File Inclusion (LFI)
vector. Switch to allowlist approach: block ALL absolute URIs in the
default restrictive resolver. Only relative paths (resolved against
the document base URI) are permitted. This prevents SSRF, LFI, and
any future bypass via exotic URI schemes.

Co-packaged schemas in .aar/.war deployments use relative paths and
are unaffected. Applications needing absolute URI resolution can
supply their own resolver via setCustomResolver().

404 kernel tests pass.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: robertlazarski

modules/kernel/src/org/apache/axis2/description/WSDLToAxisServiceBuilder.java

@@ -154,24 +154,31 @@ protected XmlSchema getXMLSchema(Element element, String baseUri) {
                             delegate = new org.apache.ws.commons.schema.resolver.DefaultURIResolver();
                     public org.xml.sax.InputSource resolveEntity(
                             String ns, String loc, String base) {
-                        // Resolve against base URI before checking —
-                        // a relative loc with a remote base must be caught
-                        String resolved = loc;
-                        if (base != null && loc != null) {
+                        // Allowlist: only permit relative paths resolved
+                        // against the base URI. Block all absolute URIs
+                        // (http, https, ftp, file, jar, etc.) to prevent
+                        // both SSRF and LFI. Co-packaged schemas in .aar
+                        // deployments use relative paths and are safe.
+                        if (loc != null) {
+                            String resolved = loc;
+                            if (base != null) {
+                                try {
+                                    resolved = java.net.URI.create(base)
+                                            .resolve(loc).toString();
+                                } catch (IllegalArgumentException ignored) {
+                                }
+                            }
                             try {
-                                resolved = java.net.URI.create(base).resolve(loc).toString();
-                            } catch (IllegalArgumentException ignored) {
+                                java.net.URI uri = new java.net.URI(resolved);
+                                if (uri.isAbsolute()) {
+                                    throw new RuntimeException(
+                                        "Absolute schemaLocation blocked: "
+                                        + resolved + " (use setCustomResolver"
+                                        + " to opt in)");
+                                }
+                            } catch (java.net.URISyntaxException ignored) {
                             }
                         }
-                        if (resolved != null
-                                && (resolved.regionMatches(true, 0, "http:", 0, 5)
-                                 || resolved.regionMatches(true, 0, "https:", 0, 6)
-                                 || resolved.regionMatches(true, 0, "ftp:", 0, 4)
-                                 || resolved.regionMatches(true, 0, "jar:", 0, 4))) {
-                            throw new RuntimeException(
-                                    "Remote schemaLocation blocked: " + resolved
-                                    + " (use setCustomResolver to opt in)");
-                        }
                         return delegate.resolveEntity(ns, loc, base);
                     }
                 });