
Key: JAXP-70
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Critical
Assignee: Joe Wang
Reporter: cmathieu
Votes: 0
Watchers: 0


JAXP 1.4 (commit #2679) breaks backward compatibility

Created: 10/Jun/11 02:49 AM   Updated: Yesterday 09:55 PM   Resolved: Yesterday 09:55 PM
Component/s: None
Affects Version/s: current
Fix Version/s: None

Time Tracking:
Not Specified


OpenJDK or Java 7

Participants: cmathieu, Joe Wang and sven

Description

According to the JAXP documentation, it is no longer possible to use XSLT extension functions when a security manager is set. This is a major regression added by JAXP in commit #2679. This limitation does not come from Xerces and the Xerces team seems to agree that it is not a good idea.

This new and unavoidable behaviour breaks all the applications using a security manager (hello RMI) with no possible workaround. Setting a security manager does not mean that the application will parse user-provided XML/XSLT files. It should be up to the application to (un)set the secure mode. A method to disable the secure mode even when a security manager is set should be provided.

Joe Wang added a comment - 11/Jul/11 11:48 PM

Thanks for reporting the issue.

The enforcing of JAXP security is necessary in the JDK. But we will add a way for trusted code to disable the secure mode. This will take a while to happen since it would involve API documents.

sven added a comment - 18/Jan/12 04:51 PM

Any update on the time frame for getting this fixed? Thanks.

Joe Wang added a comment - 18/Oct/13 04:51 AM

Joe Wang added a comment - 17/Apr/14 09:55 PM

Refer to, fixed in 7u60, JDK8.