Posted to dev@xalan.apache.org by "Bradley Wagner (JIRA)" <xa...@xml.apache.org> on 2009/03/26 15:54:02 UTC

[jira] Commented: (XALANJ-2489) Limit the classes available as extensions

    [ https://issues.apache.org/jira/browse/XALANJ-2489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12689503#action_12689503 ] 

Bradley Wagner commented on XALANJ-2489:
----------------------------------------

I'm wondering if it's possible to simply turn off specific extension types such as Java Extensions. I would, for example, like to keep JavaScript Extensions but totally turn off Java extensions.

Also, would love to see how you patched Xalan to use a custom SecurityManager if this is something you got working.

> Limit the classes available as extensions
> -----------------------------------------
>
>                 Key: XALANJ-2489
>                 URL: https://issues.apache.org/jira/browse/XALANJ-2489
>             Project: XalanJ2
>          Issue Type: Improvement
>      Security Level: No security risk; visible to anyone (Ordinary problems in Xalan projects. Anybody can view the issue.)
>          Components: Xalan-extensions
>         Environment: xalan-java
>            Reporter: Johan Zxcer
>            Priority: Minor
>
> It would be very useful to be able to limit the set of Java classes that are available to Xalan for extension functions. This is important when using Xalan within a larger application with non-secure style-sheet definitions, as a malevolent user could create a style-sheet to access any class within the larger application. Currently the only ways to use Xalan securely within a larger application are to entirely turn extension functions off, or to sequester Xalan to a separate process/thread with a tightened security policy.
> It appears the best way to do this would be to use the Java Security Framework, as it is already used to determine what classes can be accessed; it is simply not exposed in the API. Allowing either the SecurityManager or ClassLoader to be specified for a Transformer (or factory), to be used in place of the global ones, would probably be the best solution.
> Mailing-list thread:
> http://marc.info/?l=xalan-j-users&m=123595553514572&w=2

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.