Posted to dev@xalan.apache.org by "Bradley Wagner (JIRA)" <xa...@xml.apache.org> on 2009/03/26 15:54:02 UTC
[jira] Commented: (XALANJ-2489) Limit the classes available as extensions
[ https://issues.apache.org/jira/browse/XALANJ-2489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12689503#action_12689503 ]
Bradley Wagner commented on XALANJ-2489:
----------------------------------------
I'm wondering if it's possible to simply turn off specific extension types such as Java Extensions. I would, for example, like to keep JavaScript Extensions but totally turn off Java extensions.
Also, would love to see how you patched Xalan to use a custom SecurityManager if this is something you got working.
> Limit the classes available as extensions
> -----------------------------------------
>
> Key: XALANJ-2489
> URL: https://issues.apache.org/jira/browse/XALANJ-2489
> Project: XalanJ2
> Issue Type: Improvement
> Security Level: No security risk; visible to anyone (Ordinary problems in Xalan projects. Anybody can view the issue.)
> Components: Xalan-extensions
> Environment: xalan-java
> Reporter: Johan Zxcer
> Priority: Minor
>
> It would be very useful to be able to limit the set of Java classes that are available to Xalan for extension functions. This is important when using Xalan within a larger application with non-secure style-sheet definitions, as a malevolent user could create a style-sheet to access any class within the larger application. Currently the only ways to use Xalan securely within a larger application are to entirely turn extension functions off, or to sequester Xalan to a separate process/thread with a tightened security policy.
> It appears the best way to do this would be to use the Java Security Framework, as it is already used to determine what classes can be accessed; it is simply not exposed in the API. Allowing either the SecurityManager or ClassLoader to be specified for a Transformer (or factory), to be used in place of the global ones, would probably be the best solution.
> Mailing-list thread:
> http://marc.info/?l=xalan-j-users&m=123595553514572&w=2
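The ClassLoader-based restriction proposed in the issue, as an added example (not code from Xalan or from either poster): `AllowlistClassLoader` and `canResolve` are hypothetical names, and the example assumes the XSLT processor would resolve extension classes by name through the loader it is handed, which is the hook the issue requests.

```java
import java.util.Set;

// Added example: hypothetical helper, not part of Xalan.
public final class AllowlistClassLoader extends ClassLoader {
    private final Set<String> allowed;

    public AllowlistClassLoader(ClassLoader parent, Set<String> allowed) {
        super(parent);
        this.allowed = Set.copyOf(allowed);
    }

    // Gate every lookup by exact, fully qualified class name before delegating.
    @Override
    protected Class<?> loadClass(String name, boolean resolve)
            throws ClassNotFoundException {
        if (!allowed.contains(name)) {
            throw new ClassNotFoundException("not allowlisted for extensions: " + name);
        }
        return super.loadClass(name, resolve);
    }

    // True if a by-name lookup through the given loader succeeds.
    static boolean canResolve(ClassLoader loader, String className) {
        try {
            Class.forName(className, false, loader);
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed allowlist: the only classes a stylesheet may name.
        ClassLoader gate = new AllowlistClassLoader(
                AllowlistClassLoader.class.getClassLoader(),
                Set.of("java.lang.Math", "java.lang.String"));

        for (String name : new String[] {
                "java.lang.Math", "java.lang.Runtime", "java.io.File"}) {
            System.out.println(name + " -> "
                    + (canResolve(gate, name) ? "allowed" : "blocked"));
        }
    }
}
```

The gate covers only by-name lookups made through this loader; classes that an allowlisted class references internally are resolved by that class's own defining loader. The allowlist should therefore contain only classes whose public methods are safe to expose to stylesheet authors.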