jaxp
  1. jaxp
  2. JAXP-70

JAXP 1.4 (commit #2679) breaks backward compatility

    Details

    • Type: Bug Bug
    • Status: Resolved
    • Priority: Critical Critical
    • Resolution: Fixed
    • Affects Version/s: current
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Environment:

      OpenJDK or Java 7

      Description

      According to the JAXP documentation, http://jaxp.java.net/1.4/JAXP-Compatibility.html#JAXP_security, is it no longer possible to use XSLT extension functions when a security manager is set. This is a major regression added by JAXP in commit #2679. This limitation does not come from Xerces and the Xerces team seems to agree that it is not a good idea.

      This new and unavoidable behaviour breaks all the applications using a security manager (hello RMI) with no possible workaround. Setting a security manager does not means that the application will parse user provided XML/XSLT files. It should be up to the application to (un)set the secure mode. A method to disable the secure mode even when a security manager is set should be provided.

        Activity

        cmathieu created issue -
        Joe Wang made changes -
        Field Original Value New Value
        Assignee Joe Wang [ joehw ]
        Hide
        Joe Wang added a comment -

        Thanks for reporting the issue.

        The enforcing of JAXP security is necessary in the JDK. But we will add a way for trusted code to disable the secure mode. This will take a while to happen since it would involve API documents.

        Show
        Joe Wang added a comment - Thanks for reporting the issue. The enforcing of JAXP security is necessary in the JDK. But we will add a way for trusted code to disable the secure mode. This will take a while to happen since it would involve API documents.
        Hide
        sven added a comment -

        Any update on the time frame for getting this fixed? Thanks.

        Show
        sven added a comment - Any update on the time frame for getting this fixed? Thanks.
        Joe Wang made changes -
        Status Open [ 1 ] In Progress [ 3 ]
        Show
        Joe Wang added a comment - See https://bugs.openjdk.java.net/browse/JDK-8004476 .
        Hide
        Joe Wang added a comment -

        Refer to https://bugs.openjdk.java.net/browse/JDK-8004476, fixed in 7u60, JDK8.

        Show
        Joe Wang added a comment - Refer to https://bugs.openjdk.java.net/browse/JDK-8004476 , fixed in 7u60, JDK8.
        Joe Wang made changes -
        Status In Progress [ 3 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]

          People

          • Assignee:
            Joe Wang
            Reporter:
            cmathieu
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: