tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: Xerces Parser Security and Path Problems
Date Wed, 14 Nov 2001 18:50:22 GMT
On Wed, 14 Nov 2001, Frank Lawlor wrote:

> Date: Wed, 14 Nov 2001 12:51:37 -0600
> From: Frank Lawlor <>
> Reply-To: Tomcat Users List <>,
> To: "Tomcat (E-mail)" <>
> Subject: Xerces Parser Security and Path Problems
> I encountered  a couple of problems trying to use
> xerces and security in my application.
> BUG 1:
> I have xerces.jar in myapp/WEB-INF/lib.  This works
> fine until I turn on security (-security switch) which
> uses conf/catalina.policy.
> I added a permission for my application to do anything:
>    grant codeBase "file:${catalina.home}/webapps/myapp/-" {
>         permission;
>    };
> This works fine except when I invoke xerces:
>         XMLReader xr = XMLReaderFactory.createXMLReader();
> 	...
>         xr.parse(my_xml_file);
> I get an access violation on the file (which is in myapp).
> If I move xerces.jar to common/lib this error goes away.
> There seems to be a problem related to security when loading
> jars from WEB-INF/lib.  This was reported earlier by Sergey V. Udaltsov
> in the post titled "policy for classes in WEB-INF/lib/my.jar".

It's not clear to me that this is a bug.

The exception goes away because the default catalina.policy grants all
permissions to code loaded from the common/lib directory.  If you want an
individual webapp to access files, you need to grant specific file
permissions to it -- see the examples at the bottom of
"conf/catalina.policy" for hints on how to do this.

Note that this would be required even if you wanted to use file I/O
directly in your servlet (as opposed to indirectly via the parser) -- the
default policy file completely disables file access for classes loaded
from /WEB-INF/classes or /WEB-INF/lib of your webapp.

> BUG 2:
> FURTHER, moving xerces.jar to common/lib seems to introduce
> its own problem related to the handling of DTDs.  A couple of my
> xml files have DTD specs like:
>    <!DOCTYPE links SYSTEM "../Links.dtd">
> I found that the parser computes the path relative to the startup
> directory of catalina, rather than relative to the location of the
> xml file.  It does not do this when it is in WEB-INF/lib.  This is
> clearly unusable since the web app author has no idea where
> the startup dir will be and no way to get the DTDs there.

How relative URLs are interpreted is up to the parser, not to Tomcat.  My
understanding is that they were supposed to be relative to the URL of the
document itself -- but you'd have to ask the Xerces folks what they are

One thing I generally do is to implement an EntityResolver so that I can
redirect these kinds of things in an application-specific way.

> Am I missing something here on how this is supposed to
> operate or are these legitimate bugs?
> Frank Lawlor
> Athens Group, Inc.
> (512) 345-0600 x151
> Athens Group, an employee-owned consulting firm integrating technology
> strategy and software solutions.


To unsubscribe:   <>
For additional commands: <>
Troubles with the list: <>

View raw message