
Key: JAXP-70
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Critical
Assignee: Joe Wang
Reporter: cmathieu
Votes: 0
Watchers: 0
jaxp

JAXP 1.4 (commit #2679) breaks backward compatibility

Created: 10/Jun/11 02:49 AM   Updated: Yesterday 09:55 PM   Resolved: Yesterday 09:55 PM
Component/s: None
Affects Version/s: current
Fix Version/s: None

Time Tracking:
Not Specified

Environment:

OpenJDK or Java 7


Tags:
Participants: cmathieu, Joe Wang and sven


Description

According to the JAXP documentation, http://jaxp.java.net/1.4/JAXP-Compatibility.html#JAXP_security, it is no longer possible to use XSLT extension functions when a security manager is set. This is a major regression added by JAXP in commit #2679. This limitation does not come from Xerces and the Xerces team seems to agree that it is not a good idea.

This new and unavoidable behaviour breaks all the applications using a security manager (hello RMI) with no possible workaround. Setting a security manager does not mean that the application will parse user-provided XML/XSLT files. It should be up to the application to (un)set the secure mode. A method to disable the secure mode even when a security manager is set should be provided.



Joe Wang added a comment - 11/Jul/11 11:48 PM

Thanks for reporting the issue.

The enforcing of JAXP security is necessary in the JDK. But we will add a way for trusted code to disable the secure mode. This will take a while to happen since it would involve API documents.


sven added a comment - 18/Jan/12 04:51 PM

Any update on the time frame for getting this fixed? Thanks.


Joe Wang added a comment - 18/Oct/13 04:51 AM

Joe Wang added a comment - 17/Apr/14 09:55 PM

Refer to https://bugs.openjdk.java.net/browse/JDK-8004476, fixed in 7u60, JDK8.