Class SecuritySupport and Class.forName( "java.security.AccessController ")

Subjects

•	Home
•	VOTE Move XML Commons to Xerces
•	Commented: (XERCESJ 589) Bug with pattern restriction on long strings
•	: Xerces J 2 8 1 Release on Wednesday, September 13th
•	: Xerces J 2 9 0 Release on Wednesday, November 22nd
•	Commented: (XERCESJ 1066) Restriction+choice+substitutionGroup error
•	Commented: (XERCESJ 1178) Error getting prefix for an attribute with no n
•	Updated: (XERCESJ 1244) XMLSchemaValidator does not contribute element 's
•	Some consideration about the xerces DOM implementation
•	Updated: (XERCESJ 1066) Restriction+choice+substitutionGroup error
•	Commented: (XERCESJ 1227) Poor performance / OutOfMemoryError for sequenc
•	retain exception stack traces
•	Updated: (XERCESJ 1193) NPE or hang when parsing using the "continue afte
•	Future of NekoHTML
•	Commented: (XERCESJ 1203) NPE in XMLDTDProcessor
•	DOM Level 3 APIs for Xalan J and a new Xalan release (2 7 1)
•	: xml commons external 1 3 04 Release on Wednesday, November 22nd
•	Commented: (XERCESJ 1247) Incorrect location information on SAX when usin
•	XInclude exceptions how to mirror Xerces J functionality into Xerces C++?
•	First proposal on SoC project "Add support for the StAX (JSR 173) cursor API
•	: xml commons resolver 1 2 Release on Wednesday, November 22nd
•	Typo in RangeToken java Please check
•	Validator features
•	java lang ClassCastException when adopting Node
•	using the org apache xerces impl xs identity package
•	Updated: (XERCESJ 1257) buffer overflow in UTF8Reader for characters out
•	Problem with ref attributes and schema validation
•	Updated: (XERCESJ 122) XMLSchemaValidator does not contribute element 's d
•	Performance problem under load Xerces with Weblogic 9 x
•	remove ignored memory allocation
•	Commented: (XERCESJ 1177) SAXXMLStreamReader doesn 't always report namesp
•	Commented: (XERCESJ 977) Null pointer exception during DOM parsing
•	Commented: (XERCESJ 1197) Code cleanup for org apache xml serialize
•	Commented: (XERCESJ 1201) Initial contribution for StAX Event API
•	Updated: (XERCESJ 1061) Regex "$ " and "^ " characters treated as special c
•	Commented: (XERCESJ 1199) SAXXMLStreamReader should attempt to register a
•	Commented: (XERCESJ 1061) Regex "$ " and "^ " characters treated as special
•	Updated: (XERCESJ 589) Bug with pattern restriction on long strings
•	StackOverflow
•	xerces Range unnecessarily not garbage collectable if not detached
•	Updated: (XERCESJ 1178) Error getting prefix for an attribute with no nam
•	Bug in xs:redefine
•	Commented: (XERCESJ 1204) Can not set XMLEntityResolver for LSParser
•	Updated: (XERCESJ 1253) Prototype for SoC2007 project "Add support for th
•	Updated: (XERCESJ 1259) Add SteamFilter Function to SoC2007 project "Add
•	Assigned: (XERCESJ 444) SAXException thrown by EntityResolver is reported
•	Google Summer of Code 2007
•	Xerces J and XInclude relative path issue
•	Assigned: (XERCESJ 206) Stack overflow when using a schema validation
•	Commented: (XERCESJ 1215) Restrictions involving two levels of substituti
•	Closed: (XERCESJ 1203) NPE in XMLDTDProcessor
•	non overriding equals methoda
•	Resolved: (XERCESJ 1079) invalid value returned for TOTALDIGITS facet in
•	Xerces AS3 port
•	Updated: (XERCESJ 325) Regular Expression; Pattern "\| " clause order de
•	Updated: (XERCESJ 1196) Javadoc generation fails on Java SE 5 0
•	Closed: (XERCESJ 1202) DTD validation on XIncluded documents when the sch
•	Created: (XERCESJ 1124) Nonspecific schema error message
•	a bug in xerces
•	Updated: (XERCESJ 1201) Initial contribution for StAX Event API
•	Closed: (XERCESJ 1254) Empty uris in targetNamespace attribute not report

Links

Home

Oracle database error code

Class SecuritySupport and Class.forName( "java.security.AccessController ")

Class SecuritySupport and Class.forName( "java.security.AccessController ")

2003-01-14 - By Doyle, Annette

Reply: 1 2

We are using Microsoft's jview for our front end GUI and Sun's JRE 1.3
for our backend (server). We have an auditing factory class that is
used both in our front end and backend. It is compiled under Sun's 1.3
compiler. This auditing class uses the new xercesImpl parser to create a
dom and read configuration information. Now, the GUI ran fine on my
machine and my co-workers. However, when we deployed for integration
testing, it failed. The test integration machine has military secure
software (COE) also on it. What is happening, is that the integration
test machine running jview is loading the class
java.security.AccessController from the class path set by the military
software. So, when the following classes
javax.xml.parsers.SecuritySupport and
org.apache.xerces.util.SecuritySupport execute the following code, they
try to run the SecuritySupport12 class because it finds the class
java.security.AccessController.

static {
SecuritySupport ss = null;
try {
Class c = Class.forName("java.security.AccessController");
// if that worked, we're on 1.2.
/*
// don't reference the class explicitly so it doesn't
// get dragged in accidentally.
c = Class.forName("javax.mail.SecuritySupport12");
Constructor cons = c.getConstructor(new Class[] { });
ss = (SecuritySupport)cons.newInstance(new Object[] { });
*/
/*
* Unfortunately, we can't load the class using reflection
* because the class is package private. And the class has
* to be package private so the APIs aren't exposed to other
* code that could use them to circumvent security. Thus,
* we accept the risk that the direct reference might fail
* on some JDK 1.1 JVMs, even though we would never execute
* this code in such a case. Sigh...
*/
ss = new SecuritySupport12();
} catch (Exception ex) {
// ignore it
} finally {
if (ss == null)
ss = new SecuritySupport();
securitySupport = ss;
}
}

I would like to change this code to get the java.version system property
and check for 1.1 (or 1.0) in java.version string. If found, then the
SecuritySupport class would be the instantiated, otherwise the
SecuritySupport12 class would be instantiated. Is there a reason why
this wouldn't work? Why is the above way used? Also, how do I get
written permission to change this for our implementation?

Thank you,

Annette Doyle

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.0.6249.1">
<TITLE>Class SecuritySupport and Class.forName("java.security
.AccessController")</TITLE>
</HEAD>
<BODY>


We are using Microsoft's jview for our front end
GUI and Sun's JRE 1.3 for our backend (server).  We have an auditing
factory class that is used both in our front end and backend. It is compiled
under Sun's 1.3 compiler. This auditing class uses the new xercesImpl parser to
create a dom and read configuration information. Now, the GUI ran fine on my
machine and my co-workers. However, when we deployed for integration testing,
it failed. The test integration machine has military secure software (COE) also
on it. What is happening, is that the integration test machine running jview is
loading  the class java.security.AccessController from the class path set
by the military software. So, when the following classes javax.xml.parsers
.SecuritySupport and org.apache.xerces.util.SecuritySupport execute the
following code, they try to run the SecuritySupport12 class because it finds
the class java.security.AccessController.

   static {

         SecuritySupport ss = null;

         try {

          
   Class c = Class.forName("java.security.AccessController")
;

          
   // if that worked, we're on 1.2.

          
   /*

          
   // don't reference the class explicitly so it doesn't

          
   // get dragged in accidentally.

          
   c = Class.forName("javax.mail.SecuritySupport12");

          
   Constructor cons = c.getConstructor(new Class[] { });

          
   ss = (SecuritySupport)cons.newInstance(new Object[] { });

          
   */

          
   /*

          
    * Unfortunately, we can't load the class using reflection

          
    * because the class is package private.  And the class
has

          
    * to be package private so the APIs aren't exposed to other

          
    * code that could use them to circumvent security.  Thus
,

          
    * we accept the risk that the direct reference might fail

          
    * on some JDK 1.1 JVMs, even though we would never execute

          
    * this code in such a case.  Sigh...

          
    */

          
   ss = new SecuritySupport12();

         }
catch (Exception ex) {

          
   // ignore it

         }
finally {

          
   if (ss == null)

              
   ss = new SecuritySupport();

          
   securitySupport = ss;

         }

     }


I would like to change this code to get the java
.version system property and check for 1.1 (or 1.0) in java.version string. If
found, then the SecuritySupport class would be the instantiated, otherwise the
SecuritySupport12 class would be instantiated. Is there a reason why this
wouldn't work? Why is the above way used? Also, how do I get written permission
to change this for our implementation?

Thank you,


Annette Doyle


</BODY>
</HTML>