Posted to dev@xalan.apache.org by Ramesh Mandava <Ra...@sun.com> on 2002/11/15 02:10:27 UTC

[PATCH] For allowing xalan to read property files without opening up container permissions

Hi:
  Xalan, as it stands right now, throws the following exception when it is used
as part of a secure container, such as J2EE RI.
  
  ==

  org.apache.xml.utils.WrappedRuntimeException: Could not load output_text.properties (check CLASSPATH), now using just the defaults
      at org.apache.xalan.templates.OutputProperties.loadPropertiesFile(OutputProperties.java:219)
      at org.apache.xalan.templates.OutputProperties.getDefaultMethodProperties(OutputProperties.java:333)
      at org.apache.xalan.templates.OutputProperties.setMethodDefaults(OutputProperties.java:635)
      at org.apache.xalan.templates.OutputProperties.setProperty(OutputProperties.java:419)
      at org.apache.xalan.templates.OutputProperties.setQNameProperty(OutputProperties.java:652)
      at org.apache.xalan.processor.ProcessorOutputElem.setMethod(ProcessorOutputElem.java:155

  ==
             
    To avoid this, we need to give File read permission for the jar file.

   This is happening because we don't have a doPrivileged block in

    "org.apache.xalan.templates.OutputProperties.java"

   while trying to read property files. And as Xalan is trying to read an internal
property file, forcing users to open up the permission is not a good idea.

   I am providing the patched file as an attachment to this email. I am also
attaching "cvs diff" as "diffs".

 Can somebody review the code and check it in?
 
 Thanks
 -Ramesh
 

Re: [PATCH] For allowing xalan to read property files without opening up container permissions

Posted by Tom Amiro <To...@Sun.COM>.
Hi,

I remember running into this problem with the Petstore application 
and getting around it by opening up the permissions. But we,
Santiago and I, discussed changing Xalan so it would use
reasonable defaults if it couldn't read the output properties 
file. For some reason, we never got around to doing anything about 
it. Ramesh, I'm glad you resurrected this problem and even presented a solution.

Anyone on the Toronto team want to check the patch out and 
commit it if it looks good?

Tom


Ramesh Mandava wrote:
> 
> Hi:
>   Xalan, as it stands right now, throws the following exception when it is used
> as part of a secure container, such as J2EE RI.
> 
>   ==
>
>   org.apache.xml.utils.WrappedRuntimeException: Could not load output_text.properties (check CLASSPATH), now using just the defaults
>       at org.apache.xalan.templates.OutputProperties.loadPropertiesFile(OutputProperties.java:219)
>       at org.apache.xalan.templates.OutputProperties.getDefaultMethodProperties(OutputProperties.java:333)
>       at org.apache.xalan.templates.OutputProperties.setMethodDefaults(OutputProperties.java:635)
>       at org.apache.xalan.templates.OutputProperties.setProperty(OutputProperties.java:419)
>       at org.apache.xalan.templates.OutputProperties.setQNameProperty(OutputProperties.java:652)
>       at org.apache.xalan.processor.ProcessorOutputElem.setMethod(ProcessorOutputElem.java:155
>
>   ==
> 
>     To avoid this, we need to give File read permission for the jar file.
>
>    This is happening because we don't have a doPrivileged block in
>
>     "org.apache.xalan.templates.OutputProperties.java"
>
>    while trying to read property files. And as Xalan is trying to read an internal
> property file, forcing users to open up the permission is not a good idea.
>
>    I am providing the patched file as an attachment to this email. I am also
> attaching "cvs diff" as "diffs".
>
>  Can somebody review the code and check it in?
> 
>  Thanks
>  -Ramesh
> 
> 
>   ------------------------------------------------------------
>                                Name: OutputProperties.java
>    OutputProperties.java       Type: unspecified type (APPLICATION/octet-stream)
>                            Encoding: BASE64
>                         Description: OutputProperties.java
>
>   ------------------------------------------------------------
> Index: OutputProperties.java
> ===================================================================
> RCS file: /home/cvspublic/xml-xalan/java/src/org/apache/xalan/templates/OutputProperties.java,v
> retrieving revision 1.22
> diff -r1.22 OutputProperties.java
> 68a69,70
> > import java.security.AccessController;
> > import java.security.PrivilegedAction;
> 192c194
> <   static private Properties loadPropertiesFile(String resourceName, Properties defaults)
> ---
> >   static private Properties loadPropertiesFile(final String resourceName, Properties defaults)
> 207,211c209,228
> <         java.lang.reflect.Method getCCL = Thread.class.getMethod("getContextClassLoader", NO_CLASSES);
> <         if (getCCL != null) {
> <           ClassLoader contextClassLoader = (ClassLoader) getCCL.invoke(Thread.currentThread(), NO_OBJS);
> <           is = contextClassLoader.getResourceAsStream("org/apache/xalan/templates/" + resourceName);
> <         }
> ---
> >       // Using doPrivileged to be able to read property file without opening
> >         // up secured container permissions like J2EE container
> >         is =(InputStream)AccessController.doPrivileged( new PrivilegedAction() {
> >           public Object run() {
> >             try {
> >               java.lang.reflect.Method getCCL = Thread.class.getMethod(
> >                   "getContextClassLoader", NO_CLASSES);
> >               if (getCCL != null) {
> >                 ClassLoader contextClassLoader = (ClassLoader)
> >                     getCCL.invoke(Thread.currentThread(), NO_OBJS);
> >                 return ( contextClassLoader.getResourceAsStream (
> >                     "org/apache/xalan/templates/" + resourceName) );
> >               }
> >             }
> >             catch ( Exception e ) { }
> >
> >             return null;
> >
> >           }
> >         });
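Review bot: The empty "catch ( Exception e ) { }" inside run() swallows every failure of the reflective getContextClassLoader call and of getResourceAsStream, including the NullPointerException raised when contextClassLoader is null, so a real error is indistinguishable from "resource not found". Catch only the exceptions you expect and add a comment saying that returning null deliberately falls through to the next lookup. As a style point, the first new comment line ("// Using doPrivileged ...") is indented two columns less than the line after it.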
> 216c233,238
> <         is = OutputProperties.class.getResourceAsStream(resourceName);
> ---
> >         is = (InputStream)AccessController.doPrivileged( new PrivilegedAction(){
> >         public Object run() {
> >             return OutputProperties.class.getResourceAsStream(resourceName);
> >           }
> >         });
> >
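Review bot: Nothing at 233-238 records that resourceName must be a fixed, Xalan-internal file name, although the new action reads whatever it names with the library's own permissions instead of the caller's. Since loadPropertiesFile is "static private", a short comment on the method stating that callers pass only names of bundled property files would keep that guarantee visible to future editors. The raw PrivilegedAction plus "(InputStream)" cast also repeats the pattern from the previous hunk; one small private helper would serve both call sites.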

-- 
 Tom Amiro -- SQE Engineer
 WTS - Interoperability and Quality
 voice: 781-442-0589 Fax: 781-442-1437
 eMail: tom.amiro@.sun.com
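
The approach discussed in this thread (a privileged read of a bundled resource, combined with Tom's idea of falling back to reasonable defaults), shown as an added example that is not Xalan's code and not part of either post. The class name BundledProps, the allow-list and the default values are hypothetical; AccessController is deprecated for removal since Java 17, hence the annotation.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Properties;
import java.util.Set;

// Hypothetical class for illustration; not Xalan's OutputProperties.
public final class BundledProps {
    // Only names bundled with the library may reach the privileged read.
    private static final Set<String> ALLOWED = Set.of("output_text.properties");

    // Constructed sample defaults, used when the resource cannot be read.
    private static Properties builtInDefaults() {
        Properties p = new Properties();
        p.setProperty("method", "text");
        p.setProperty("encoding", "UTF-8");
        return p;
    }

    @SuppressWarnings("removal") // AccessController is deprecated since Java 17
    static Properties load(final String resourceName) {
        if (!ALLOWED.contains(resourceName)) {
            throw new IllegalArgumentException("not a bundled resource: " + resourceName);
        }
        Properties defaults = builtInDefaults();
        // The privileged region holds only the one call that needs the permission.
        InputStream is = AccessController.doPrivileged(
            (PrivilegedAction<InputStream>) () ->
                BundledProps.class.getResourceAsStream(resourceName));
        if (is == null) {
            return defaults; // resource not found: fall back instead of throwing
        }
        Properties props = new Properties(defaults);
        try (InputStream in = is) {
            props.load(in);
        } catch (IOException e) {
            return defaults; // unreadable file: same fallback
        }
        return props;
    }

    public static void main(String[] args) {
        // Falls back to the built-in value when the file is not on the class path.
        System.out.println(load("output_text.properties").getProperty("method"));
    }
}
```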