Thirunavukarasu Thulasi *created* an issue
Hibernate ORM / Bug / HHH-16892 ( https://hibernate.atlassian.net/browse/HHH-16892 )
LocalXmlResourceResolver does not resolve dtd URLs that use https scheme
Issue Type: Bug
Affects Versions: 5.6.6
Assignee: Yoann Rodière
Attachments: image-20230705-030300.png
Components: hibernate-core
Created: 04/Jul/2023 20:24 PM
Priority: Major
Reporter: Thirunavukarasu Thulasi
*Background*
As per the following recommendation, we had updated all our hibernate mapping files to
refer to dtd files with the https scheme:
The markup declarations contained or pointed to by the document type declaration must be
well-formed - Hibernate ORM - Hibernate (
https://discourse.hibernate.org/t/the-markup-declarations-contained-or-po...
)
i.e. we had updated our hibernate mapping files to use the recommended dtd URLs,
updated existing URLs from
http://www.hibernate.org/dtd/hibernate-mapping-3.0.dtd
to
*https*://hibernate.org/dtd/hibernate-mapping-3.0.dtd
Also, we had upgraded hibernate to version 5.6.6 (which has a fix for HHH-15094,
https://hibernate.atlassian.net/browse/HHH-15094 , Closed)
*Problem*
Hibernate does not resolve dtd files locally when using the *https* scheme,
but it resolves the dtd files locally when using the *http* scheme.
*Analysis*
Following is a snippet of code from LocalXmlResourceResolver.
When the *HTTP* scheme is used, Hibernate uses *startsWith* to compare with the
identifierBase,
but when the *HTTPS* scheme is used, Hibernate uses *matches* to compare with the
identifierBase.
For example,
consider a hibernate mapping file with the following DOCTYPE (changed as per the above
recommendation):
<!DOCTYPE hibernate-mapping PUBLIC
"-//Hibernate/Hibernate Mapping DTD//EN"
"https://hibernate.org/dtd/hibernate-mapping-3.0.dtd">
In the LocalXmlResourceResolver, the condition which checks whether to return the local
resource fails and returns false when the https scheme is used,
i.e.
if ( systemId.startsWith( httpBase )
|| systemId.matches( httpsBase ) ) { return true; }
checks as follows
"https://hibernate.org/dtd/hibernate-mapping-3.0.dtd".matches( "hibernate.org/dtd/hibernate-mapping" )
which returns *false*
*Proposed solution*
* Change systemId.*matches*() to either systemId.*startsWith()* or systemId.*contains()*
This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100229- sha1:634ba05 )
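
An added example (not Hibernate's code and not part of the original report) comparing the check described in the issue with the two proposed replacements: String.matches() treats its argument as a regular expression that must match the whole input, while startsWith() is a prefix test and contains() accepts the base anywhere. The class and method names and the scheme prefixing of the base are assumptions; the sample identifiers other than the https URL from the report are constructed.

```java
public class DtdMatchDemo {
    // Base taken from the report; prefixing it with the scheme is an assumption.
    static final String IDENTIFIER_BASE = "hibernate.org/dtd/hibernate-mapping";
    static final String HTTP_BASE = "http://" + IDENTIFIER_BASE;
    static final String HTTPS_BASE = "https://" + IDENTIFIER_BASE;

    // Check as described in the report: prefix test for http, regex test for https.
    static boolean reportedCheck(String systemId) {
        return systemId.startsWith(HTTP_BASE) || systemId.matches(HTTPS_BASE);
    }

    // Proposed variant: prefix test for both schemes.
    static boolean prefixCheck(String systemId) {
        return systemId.startsWith(HTTP_BASE) || systemId.startsWith(HTTPS_BASE);
    }

    // contains() variant: accepts the base anywhere in the identifier,
    // including under a different host, so it is looser than a prefix test.
    static boolean containsCheck(String systemId) {
        return systemId.contains(IDENTIFIER_BASE);
    }

    public static void main(String[] args) {
        String[] systemIds = {
            // Constructed http form of the identifier.
            "http://hibernate.org/dtd/hibernate-mapping-3.0.dtd",
            // The https identifier from the report's DOCTYPE.
            "https://hibernate.org/dtd/hibernate-mapping-3.0.dtd",
            // Constructed: equals the https base exactly, the only shape matches() accepts here.
            "https://hibernate.org/dtd/hibernate-mapping",
            // Constructed: base appears in the path of an unrelated host.
            "https://other.example/hibernate.org/dtd/hibernate-mapping-3.0.dtd"
        };
        // String.matches() compiles its argument as a regex and succeeds only
        // when the entire input matches, so the "-3.0.dtd" suffix defeats it.
        for (String id : systemIds) {
            System.out.printf("%s%n  reported=%b prefix=%b contains=%b%n",
                    id, reportedCheck(id), prefixCheck(id), containsCheck(id));
        }
    }
}
```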