Posted to dev@xalan.apache.org by "Johan Zxcer (JIRA)" <xa...@xml.apache.org> on 2009/03/03 21:12:56 UTC

[jira] Created: (XALANJ-2489) Limit the classes available as extensions

Limit the classes available as extensions
-----------------------------------------

                 Key: XALANJ-2489
                 URL: https://issues.apache.org/jira/browse/XALANJ-2489
             Project: XalanJ2
          Issue Type: Improvement
      Security Level: No security risk; visible to anyone (Ordinary problems in Xalan projects.  Anybody can view the issue.)
          Components: Xalan-extensions
         Environment: xalan-java
            Reporter: Johan Zxcer
            Priority: Minor


It would be very useful to be able to limit the set of Java classes that are available to Xalan for extension functions.  This is important when using Xalan within a larger application with non-secure style-sheet definitions, as a malevolent user could create a style-sheet to access any class within the larger application.  Currently the only ways to use Xalan securely within a larger application are to entirely turn extension functions off, or to sequester Xalan to a separate process/thread with a tightened security policy.

It appears the best way to do this would be to use the Java Security Framework, as it is already used to determine what classes can be accessed; it is simply not exposed in the API.  Allowing either the SecurityManager or ClassLoader to be specified for a Transformer (or factory), to be used in place of the global ones, would probably be the best solution.

Mailing-list thread:
http://marc.info/?l=xalan-j-users&m=123595553514572&w=2

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: xalan-dev-unsubscribe@xml.apache.org
For additional commands, e-mail: xalan-dev-help@xml.apache.org
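The one mitigation the report says is available today, turning extension functions off wholesale via the JAXP secure-processing feature, as an added example that is not part of the issue or of Xalan's own code base; it assumes Xalan-J is the TransformerFactory found on the classpath, and the stylesheet, its `xalan://java.lang.Math` binding and the class name are constructed for the demonstration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XalanExtensionLockdown {

    // Constructed stylesheet: it binds the "math" prefix to java.lang.Math via
    // Xalan's class-binding namespace, standing in for any untrusted
    // stylesheet that reaches into application classes.
    static final String UNTRUSTED_XSL =
        "<xsl:stylesheet version=\"1.0\""
        + " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
        + " xmlns:math=\"xalan://java.lang.Math\">"
        + "<xsl:output method=\"text\"/>"
        + "<xsl:template match=\"/\">"
        + "<xsl:value-of select=\"math:abs(-42)\"/>"
        + "</xsl:template></xsl:stylesheet>";

    /** Weak setting: factory left at defaults, so Java extensions stay reachable. */
    static TransformerFactory permissiveFactory() {
        return TransformerFactory.newInstance();
    }

    /** Hardened setting: secure processing makes Xalan refuse extension calls. */
    static TransformerFactory lockedDownFactory() throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return tf;
    }

    /** Compiles the untrusted stylesheet with the given factory and runs it on a dummy document. */
    static String run(TransformerFactory tf) throws TransformerException {
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(UNTRUSTED_XSL)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader("<doc/>")), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("permissive factory: " + run(permissiveFactory()));
        try {
            run(lockedDownFactory());
        } catch (TransformerException e) {
            // The locked-down factory is expected to end here instead of calling into Math.
            System.out.println("locked-down factory rejected the extension call: " + e.getMessage());
        }
    }
}
```

Because the feature is all-or-nothing, it is the coarse option the report contrasts with a per-Transformer SecurityManager or ClassLoader; a deployment that still needs some extensions has to fall back to the process or policy isolation the report also mentions.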


[jira] Commented: (XALANJ-2489) Limit the classes available as extensions

Posted by "Bradley Wagner (JIRA)" <xa...@xml.apache.org>.
    [ https://issues.apache.org/jira/browse/XALANJ-2489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12689503#action_12689503 ] 

Bradley Wagner commented on XALANJ-2489:
----------------------------------------

I'm wondering if it's possible to simply turn off specific extension types such as Java Extensions. I would, for example, like to keep JavaScript Extensions but totally turn off Java extensions.

Also, would love to see how you patched Xalan to use a custom SecurityManager if this is something you got working.

