[JAXP-70] JAXP 1.4 (commit #2679) breaks backward compatibility Created: 10/Jun/11 Updated: 17/Apr/14 Resolved: 17/Apr/14
OpenJDK or Java 7
According to the JAXP documentation, http://jaxp.java.net/1.4/JAXP-Compatibility.html#JAXP_security, it is no longer possible to use XSLT extension functions when a security manager is set. This is a major regression added by JAXP in commit #2679. This limitation does not come from Xerces and the Xerces team seems to agree that it is not a good idea.
This new and unavoidable behaviour breaks all the applications using a security manager (hello RMI) with no possible workaround. Setting a security manager does not mean that the application will parse user-provided XML/XSLT files. It should be up to the application to (un)set the secure mode. A method to disable the secure mode even when a security manager is set should be provided.
|Comment by Joe Wang [ 11/Jul/11 ]|
Thanks for reporting the issue.
The enforcing of JAXP security is necessary in the JDK. But we will add a way for trusted code to disable the secure mode. This will take a while to happen since it would involve API documents.
|Comment by sven [ 18/Jan/12 ]|
Any update on the time frame for getting this fixed? Thanks.
|Comment by Joe Wang [ 18/Oct/13 ]|
|Comment by Joe Wang [ 17/Apr/14 ]|
Refer to https://bugs.openjdk.java.net/browse/JDK-8004476, fixed in 7u60, JDK8.
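The behaviour discussed in this issue, as an added example that is not part of the original thread or the JDK's own code: with secure processing on, a stylesheet that calls a Java extension function is rejected, and trusted code can opt back in per factory. It assumes the JDK's built-in XSLT processor on 7u60 or later; the feature name `http://www.oracle.com/xml/jaxp/properties/enableExtensionFunctions` is the one I understand the JDK-8004476 fix to have introduced and is not stated on this page, and the class name and stylesheet are constructed.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class ExtensionFunctionCheck {
    // Assumption: feature name from the JDK-8004476 fix; it does not appear on this page.
    static final String ENABLE_EXT =
        "http://www.oracle.com/xml/jaxp/properties/enableExtensionFunctions";

    // Constructed stylesheet that calls a harmless Java extension function (Math.sqrt).
    static final String XSL =
        "<xsl:stylesheet version='1.0'"
      + " xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
      + " xmlns:math='http://xml.apache.org/xalan/java/java.lang.Math'>"
      + "<xsl:output method='text'/>"
      + "<xsl:template match='/'>"
      + "<xsl:value-of select='math:sqrt(16.0)'/>"
      + "</xsl:template></xsl:stylesheet>";

    // Secure processing is switched on explicitly, which is the state the JDK
    // enforces when a security manager is set. optIn is the trusted-code override.
    static String run(boolean optIn) {
        try {
            TransformerFactory tf = TransformerFactory.newInstance();
            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            if (optIn) {
                tf.setFeature(ENABLE_EXT, true); // only for stylesheets the application ships itself
            }
            Transformer t = tf.newTransformer(new StreamSource(new StringReader(XSL)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader("<doc/>")), new StreamResult(out));
            return "allowed, output=" + out;
        } catch (TransformerException | RuntimeException e) {
            // The rejection may surface at compile time or at transform time.
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("secure processing only:    " + run(false));
        System.out.println("secure processing, opt-in: " + run(true));
    }
}
```

The opt-in is set on one factory instance, so an application can keep a separate, locked-down factory for any XML or XSLT it does not control.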