Class SecuritySupport and Class.forName( "java.security.AccessController ")

Subjects

•	Home
•	VOTE Move XML Commons to Xerces
•	Commented: (XERCESJ 589) Bug with pattern restriction on long strings
•	: Xerces J 2 8 1 Release on Wednesday, September 13th
•	: Xerces J 2 9 0 Release on Wednesday, November 22nd
•	Commented: (XERCESJ 1066) Restriction+choice+substitutionGroup error
•	Commented: (XERCESJ 1178) Error getting prefix for an attribute with no n
•	Updated: (XERCESJ 1244) XMLSchemaValidator does not contribute element 's
•	Some consideration about the xerces DOM implementation
•	Updated: (XERCESJ 1066) Restriction+choice+substitutionGroup error
•	Commented: (XERCESJ 1227) Poor performance / OutOfMemoryError for sequenc
•	retain exception stack traces
•	Updated: (XERCESJ 1193) NPE or hang when parsing using the "continue afte
•	Future of NekoHTML
•	Commented: (XERCESJ 1203) NPE in XMLDTDProcessor
•	DOM Level 3 APIs for Xalan J and a new Xalan release (2 7 1)
•	: xml commons external 1 3 04 Release on Wednesday, November 22nd
•	Commented: (XERCESJ 1247) Incorrect location information on SAX when usin
•	XInclude exceptions how to mirror Xerces J functionality into Xerces C++?
•	First proposal on SoC project "Add support for the StAX (JSR 173) cursor API
•	: xml commons resolver 1 2 Release on Wednesday, November 22nd
•	Typo in RangeToken java Please check
•	Validator features
•	java lang ClassCastException when adopting Node
•	using the org apache xerces impl xs identity package
•	Updated: (XERCESJ 1257) buffer overflow in UTF8Reader for characters out
•	Problem with ref attributes and schema validation
•	Updated: (XERCESJ 122) XMLSchemaValidator does not contribute element 's d
•	Performance problem under load Xerces with Weblogic 9 x
•	remove ignored memory allocation
•	Commented: (XERCESJ 1177) SAXXMLStreamReader doesn 't always report namesp
•	Commented: (XERCESJ 977) Null pointer exception during DOM parsing
•	Commented: (XERCESJ 1197) Code cleanup for org apache xml serialize
•	Commented: (XERCESJ 1201) Initial contribution for StAX Event API
•	Updated: (XERCESJ 1061) Regex "$ " and "^ " characters treated as special c
•	Commented: (XERCESJ 1199) SAXXMLStreamReader should attempt to register a
•	Commented: (XERCESJ 1061) Regex "$ " and "^ " characters treated as special
•	Updated: (XERCESJ 589) Bug with pattern restriction on long strings
•	StackOverflow
•	xerces Range unnecessarily not garbage collectable if not detached
•	Updated: (XERCESJ 1178) Error getting prefix for an attribute with no nam
•	Bug in xs:redefine
•	Commented: (XERCESJ 1204) Can not set XMLEntityResolver for LSParser
•	Updated: (XERCESJ 1253) Prototype for SoC2007 project "Add support for th
•	Updated: (XERCESJ 1259) Add SteamFilter Function to SoC2007 project "Add
•	Assigned: (XERCESJ 444) SAXException thrown by EntityResolver is reported
•	Google Summer of Code 2007
•	Xerces J and XInclude relative path issue
•	Assigned: (XERCESJ 206) Stack overflow when using a schema validation
•	Commented: (XERCESJ 1215) Restrictions involving two levels of substituti
•	Closed: (XERCESJ 1203) NPE in XMLDTDProcessor
•	non overriding equals methoda
•	Resolved: (XERCESJ 1079) invalid value returned for TOTALDIGITS facet in
•	Xerces AS3 port
•	Updated: (XERCESJ 325) Regular Expression; Pattern "\| " clause order de
•	Updated: (XERCESJ 1196) Javadoc generation fails on Java SE 5 0
•	Closed: (XERCESJ 1202) DTD validation on XIncluded documents when the sch
•	Created: (XERCESJ 1124) Nonspecific schema error message
•	a bug in xerces
•	Updated: (XERCESJ 1201) Initial contribution for StAX Event API
•	Closed: (XERCESJ 1254) Empty uris in targetNamespace attribute not report

Links

Home

Oracle database error code

Class SecuritySupport and Class.forName( "java.security.AccessController ")

Class SecuritySupport and Class.forName( "java.security.AccessController ")

2003-01-14 - By neilg@(protected)

Reply: 1 2

Hi Annette,

While your modification should work for your application, it won't work in
general because querying system properties is (potentially) an operation
requiring privilege. The whold point of the SecuritySupport classes is to
determine if the concept of operations requiring privilege exists in the
environment, and to implement appropriate behaviour if it does. You
wouldn't want a test of whether privilege is required itself to require
privilege. :)

You can freely modify the ObjectFactory code (as long as you abide by the
Apache license). To modify the JAXP code, you'll probably want to contact
Sun directly--especially if you plan to distribute the modified code; they
might require you to show that your modified code can still pass the
relevant TCK.

Bottom line: the sooner folks move off of the Java 1.1 platform, the
better for everyone. :)

Cheers,
Neil
Neil Graham
XML Parser Development
IBM Toronto Lab
Phone: 905-413-3519, T/L 969-3519
E-mail: neilg@(protected)

|---------+---------------------------->
| | "Doyle, Annette" |
| | <Annette.Doyle@(protected)|
| | sinfo.com> |
| | |
| | 01/14/2003 10:53 |
| | AM |
| | Please respond to|
| | xerces-j-user |
| | |
|---------+---------------------------->
>----------------------------------------------------------------------------
-----------------------------------------------------------------|
|
|
| To: <xerces-j-dev-subscribe@(protected)>
|
| cc: <xerces-j-user@(protected)>
|
| Subject: Class SecuritySupport and Class.forName("java.security
.AccessController") |
|
|
|
|
>----------------------------------------------------------------------------
-----------------------------------------------------------------|

We are using Microsoft's jview for our front end GUI and Sun's JRE 1.3 for
our backend (server). We have an auditing factory class that is used both
in our front end and backend. It is compiled under Sun's 1.3 compiler. This
auditing class uses the new xercesImpl parser to create a dom and read
configuration information. Now, the GUI ran fine on my machine and my
co-workers. However, when we deployed for integration testing, it failed.
The test integration machine has military secure software (COE) also on it.
What is happening, is that the integration test machine running jview is
loading the class java.security.AccessController from the class path set
by the military software. So, when the following classes
javax.xml.parsers.SecuritySupport and
org.apache.xerces.util.SecuritySupport execute the following code, they try
to run the SecuritySupport12 class because it finds the class
java.security.AccessController.

static {
SecuritySupport ss = null;
try {
Class c = Class.forName("java.security.AccessController");
// if that worked, we're on 1.2.
/*
// don't reference the class explicitly so it doesn't
// get dragged in accidentally.
c = Class.forName("javax.mail.SecuritySupport12");
Constructor cons = c.getConstructor(new Class[] { });
ss = (SecuritySupport)cons.newInstance(new Object[] { });
*/
/*
* Unfortunately, we can't load the class using reflection
* because the class is package private. And the class has
* to be package private so the APIs aren't exposed to other
* code that could use them to circumvent security. Thus,
* we accept the risk that the direct reference might fail
* on some JDK 1.1 JVMs, even though we would never execute
* this code in such a case. Sigh...
*/
ss = new SecuritySupport12();
} catch (Exception ex) {
// ignore it
} finally {
if (ss == null)
ss = new SecuritySupport();
securitySupport = ss;
}
}

I would like to change this code to get the java.version system property
and check for 1.1 (or 1.0) in java.version string. If found, then the
SecuritySupport class would be the instantiated, otherwise the
SecuritySupport12 class would be instantiated. Is there a reason why this
wouldn't work? Why is the above way used? Also, how do I get written
permission to change this for our implementation?

Thank you,

Annette Doyle

---------------------------------------------------------------------
To unsubscribe, e-mail: xerces-j-user-unsubscribe@(protected)
For additional commands, e-mail: xerces-j-user-help@(protected)