[JAXP-70] JAXP 1.4 (commit #2679) breaks backward compatibility
Created: 10/Jun/11  Updated: 17/Apr/14  Resolved: 17/Apr/14

Status: Resolved
Project: jaxp
Component/s: None
Affects Version/s: current
Fix Version/s: None

Type: Bug Priority: Critical
Reporter: cmathieu Assignee: Joe Wang
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

OpenJDK or Java 7


According to the JAXP documentation, http://jaxp.java.net/1.4/JAXP-Compatibility.html#JAXP_security, it is no longer possible to use XSLT extension functions when a security manager is set. This is a major regression added by JAXP in commit #2679. This limitation does not come from Xerces and the Xerces team seems to agree that it is not a good idea.

This new and unavoidable behaviour breaks all the applications using a security manager (hello RMI) with no possible workaround. Setting a security manager does not mean that the application will parse user-provided XML/XSLT files. It should be up to the application to (un)set the secure mode. A method to disable the secure mode even when a security manager is set should be provided.

Comment by Joe Wang [ 11/Jul/11 ]

Thanks for reporting the issue.

The enforcing of JAXP security is necessary in the JDK. But we will add a way for trusted code to disable the secure mode. This will take a while to happen since it would involve API documents.

Comment by sven [ 18/Jan/12 ]

Any update on the time frame for getting this fixed? Thanks.

Comment by Joe Wang [ 18/Oct/13 ]

See https://bugs.openjdk.java.net/browse/JDK-8004476.

Comment by Joe Wang [ 17/Apr/14 ]

Refer to https://bugs.openjdk.java.net/browse/JDK-8004476, fixed in 7u60, JDK8.

Generated at Wed Sep 28 23:46:07 UTC 2016 using JIRA 6.2.3#6260-sha1:63ef1d6dac3f4f4d7db4c1effd405ba38ccdc558.